Full Report
Trustwave's Security & Compliance Team is aware of the Salesloft vulnerability affecting Drift chatbot integrations. Trustwave, A LevelBlue Company, and its affiliated entities do not utilize Drift, and Salesforce has confirmed the incident did not impact clients without this integration.
Analysis Summary
This summary is based on the provided text snippet concerning a supply chain incident affecting Salesloft and its integration with the Drift chatbot.
# Incident Report: Salesloft/Drift Supply Chain Compromise (OAuth Hijacking)
## Executive Summary
A supply chain attack primarily targeted Salesloft, where an attacker initially gained unauthorized access, leading to the compromise of Salesloft’s Drift chatbot integrations. The attacker pivoted by stealing OAuth tokens related to Drift integrations, which were then used to access Salesloft’s customer data via their **Salesforce integrations**, leading to significant data exfiltration across hundreds of impacted businesses.
## Incident Details
- **Discovery Date:** Not explicitly stated, but response actions indicate awareness around late August/early September.
- **Incident Date:** Attack began with initial access to a compromised account/system sometime before June, with pivot to AWS in early August, and data exfiltration continuing afterward.
- **Affected Organization:** Salesloft (Primary Target/Vector), Drift (Integration Affected), and downstream customers using Salesloft/Drift/Salesforce integration.
- **Sector:** Technology/Software as a Service (SaaS).
- **Geography:** Not explicitly stated, but Trustwave operates globally.
## Timeline of Events
### Initial Access
- **Date/Time:** Began sometime before June (when private code repositories were downloaded).
- **Vector:** Compromised account on Salesloft infrastructure.
- **Details:** Attacker gained access to a Salesloft account, downloading private code repositories.
### Lateral Movement
- **Date/Time:** Early August.
- **Vector:** Exploitation of compromised Salesloft infrastructure access.
- **Details:** The attacker leveraged access to pivot into Drift's AWS environment.
### Data Exfiltration/Impact
- **Date/Time:** After early August.
- **Vector:** Use of stolen OAuth tokens.
- **Details:** The threat actor used the stolen OAuth tokens to access **Drift's customers' Salesforce integrations**, allowing for the download and exfiltration of customer data. The attacker also attempted to cover tracks by deleting logged records of queries and export jobs.
### Detection & Response
- **Date/Time:** As of September 9, the Salesloft/Salesforce integration was reported as restored.
- **Details:** Response actions involved restoring the integration and likely internal remediation within Salesloft and Drift’s affected environments.
## Attack Methodology
Since the provided text focuses on the *results* of the compromise, the specific ATT&CK techniques are inferred based on the actions described:
- **Initial Access:** Compromised credentials/account takeover on Salesloft infrastructure.
- **Persistence:** Maintained access (implied by continued activity from before June through at least early August).
- **Lateral Movement:** Pivoting from Salesloft access to Drift’s AWS environment.
- **Discovery:** Implied reconnaissance to identify valuable targets (code repositories, AWS access).
- **Collection:** Downloading private code repositories.
- **Exfiltration:** Utilizing stolen OAuth tokens to access and download data from customer Salesforce instances.
- **Impact:** Data theft (Confidentiality violation).
## Impact Assessment
- **Financial:** Not quantified in the source text.
- **Data Breach:** Sensitive data was accessed and exfiltrated via customer Salesforce integrations.
- **Operational:** Disruption to data exchange between Salesloft/Drift/Salesforce for affected customers until restoration.
- **Reputational:** Significant for Salesloft and Drift due to supply chain leverage impacting hundreds of customers.
## Indicators of Compromise
*(No specific indicators were provided in the snippet to defang, as the focus was on the methodology.)*
- **Behavioral indicators:** Deletion of query and export job logs in an attempt to evade forensics.
## Response Actions
- **Containment:** Restoration of the integration between Salesloft and Salesforce (as of September 9).
- **Eradication/Recovery:** Implied revocation of compromised OAuth tokens and internal hardening of AWS/integration environments.
## Lessons Learned
- Supply chain attacks cause massive damage by leveraging a single compromise to pivot across multiple downstream organizations (Salesloft → Drift → hundreds of customers).
- It is vital to inventory and analyze third-party vendors and understand the business impact if a critical supplier is compromised.
- Organizations must ensure their suppliers are adhering to robust security due diligence.
## Recommendations
- **Vendor Risk Management:** Implement rigorous auditing and continuous monitoring of security postures for all critical third-party vendors who handle sensitive data or maintain necessary system integrations (especially those involving OAuth/API connections).
- **Authentication Security:** Review and enforce least privilege access, particularly concerning long-lived integration tokens like OAuth, ensuring tokens are scoped only to necessary resources and rotated frequently.
- **Logging & Monitoring:** Ensure comprehensive logging for API calls, data exports, and administrative actions, and maintain these logs off-system to prevent tampering during an attack.
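To illustrate the logging recommendation above together with the behavioral indicator reported earlier (deletion of query and export job records after bulk data access), here is an added detection example that is not part of the Trustwave report; the log format, actor names, object names and threshold are constructed assumptions, not Salesforce's real event schema.

```python
# Added example (not from the Trustwave report): flag the two behaviours the
# report attributes to the stolen Drift OAuth tokens, as seen from the
# Salesforce side: (1) unusually large bulk exports by an integration identity
# and (2) deletion of export/query job records shortly after those exports.
# Log format, field names and values below are constructed for this example.
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines: "<timestamp> <actor> <action> <object> <records>"
SAMPLE_EVENTS = [
    "2025-08-08T02:14:05Z drift-integration BulkQuery Account 250000",
    "2025-08-08T02:20:41Z drift-integration BulkQuery Contact 1200000",
    "2025-08-08T02:31:10Z drift-integration JobDelete job-7f3a 0",
    "2025-08-08T02:31:12Z drift-integration JobDelete job-7f3b 0",
    "2025-08-08T09:02:00Z jsmith BulkQuery Opportunity 800",
]

EXPORT_THRESHOLD = 100_000  # records per actor per UTC day; tune to the tenant's baseline


def parse_event(line: str) -> dict:
    """Parse one constructed log line into a dict with a datetime timestamp."""
    ts, actor, action, obj, count = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "actor": actor,
            "action": action, "object": obj, "records": int(count)}


def detect(lines, threshold=EXPORT_THRESHOLD, window_hours=24):
    """Return (alert_type, actor, detail) tuples in timestamp order."""
    alerts = []
    volume = defaultdict(int)   # (actor, day) -> records exported so far that day
    last_query = {}             # actor -> timestamp of its most recent BulkQuery
    flagged = set()             # (actor, day) pairs already alerted on volume
    for ev in sorted((parse_event(l) for l in lines), key=lambda e: e["ts"]):
        actor, day = ev["actor"], ev["ts"].date()
        if ev["action"] == "BulkQuery":
            volume[(actor, day)] += ev["records"]
            last_query[actor] = ev["ts"]
            if volume[(actor, day)] > threshold and (actor, day) not in flagged:
                flagged.add((actor, day))
                alerts.append(("bulk_export_volume", actor,
                               f"{volume[(actor, day)]} records on {day}"))
        elif ev["action"] == "JobDelete":
            # Deleting a job record soon after a bulk export matches the
            # anti-forensic behaviour described in the report.
            prev = last_query.get(actor)
            if prev and (ev["ts"] - prev).total_seconds() <= window_hours * 3600:
                alerts.append(("export_job_deletion", actor,
                               f"{ev['object']} deleted {ev['ts'] - prev} after export"))
    return alerts
```

Running `detect(SAMPLE_EVENTS)` yields one volume alert and two job-deletion alerts, all for the integration identity, while the ordinary user's small query produces nothing; shipping these events to log storage the integration cannot delete is what makes the second rule reliable.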