"What magnitude will the Cloudflare-Salesloft Drift leak attain?"
Cloudflare, a leading internet infrastructure company, has issued a warning to its customers regarding a recent security breach that exposed some of their data. The breach is linked to the Salesloft Drift, a third-party app that integrates with Salesforce databases to help manage leads.
According to Cloudflare's Head of Security Response Sourov Zaman, Senior Director of Threat Detection and Response Craig Strubhart, and Chief Information Security Officer Grant Bourzikas, the breach occurred when attackers used stolen credentials to gain illicit access to Cloudflare's Salesforce instance. This instance is used for customer support and internal customer case management.
The compromised data includes customer contact information and basic support case data; some customer support interactions may also reveal sensitive information such as access tokens. Hundreds of organizations were affected through this Drift compromise, suggesting a potential for targeted attacks in the future.
Cloudflare has pinned the blame on a threat group it tracks as GRUB1, which aligns with activity that Google's Threat Intel Group tracks as UNC6395, and has some overlap with ShinyHunters. The mastermind behind the GRUB1 attack on Cloudflare is a hacker known as GnosticPlayers.
Cloudflare has notified all of its customers whose data was exposed and has provided a comprehensive list of recommendations and indicators of compromise. Customers are advised to rotate API keys regularly and to watch their logs for any unusual activity from third-party integrations. Cloudflare has also rotated all security tokens "in an abundance of caution" but hasn't spotted any suspicious activity linked to any security tokens.
It's important to note that no Cloudflare services or infrastructure were compromised as a result of this breach. The timeline of the attack is detailed: GRUB1 attempted to validate a customer's Cloudflare-issued API token on August 9 and gained access on August 12. The breach gave access to Cloudflare's Salesforce instance between August 12 and August 17.
Google, Palo Alto Networks, and Zscaler are among the self-identified victims of the Salesloft Drift breach. Cloudflare's team promises to publish an in-depth analysis of GRUB1's tradecraft in the weeks ahead to help the broader community defend against similar campaigns.
Cloudflare strongly urges its customers to rotate any credentials they shared with Cloudflare through its support system as a result of the breach. The company warns that the incident was not an isolated event and that the threat actor intended to harvest credentials and customer information for future attacks.
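The rotation advice above raises a practical question for a customer: which of the secrets ever pasted into a support ticket now need rotating? The following is an added example, not Cloudflare's code or anything from the article, showing how a defender might scan an export of their own support-case text for token-like strings and produce a redacted rotation list. The sample case transcripts, the token formats matched by the regular expressions, and the entropy threshold are all constructed assumptions; real token formats vary by provider, so the patterns would need tuning for an actual export.

```python
import math
import re

# Constructed sample support-case transcripts (assumption: not real data).
SAMPLE_CASES = {
    "CASE-0001": "Hi, my zone is not resolving. Can you check?",
    "CASE-0002": ("Here is what I ran: curl -H 'Authorization: Bearer "
                  "v1_EXAMPLE_1Q2w3E4r5T6y7U8i9O0pA1s2D3f4G5h6J7k8L9' "
                  "https://api.example/zones"),
    "CASE-0003": ("Using api_key=0123456789abcdef0123456789abcdef0123 "
                  "in the script, still fails."),
    "CASE-0004": "The error message is 'origin unreachable' on every request.",
}

# Assumed token shapes: header-style bearer tokens and key=value assignments.
# A real scanner would add provider-specific prefixes and lengths.
PATTERNS = [
    ("bearer_token", re.compile(r"Bearer\s+([A-Za-z0-9_\-]{20,})")),
    ("api_key_param",
     re.compile(r"(?i)api[_-]?key\s*[=:]\s*['\"]?([A-Za-z0-9_\-]{20,})")),
]


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; used to drop low-variety false positives."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def find_secrets(text: str, min_entropy: float = 3.0):
    """Return (kind, token) pairs for every high-entropy match in the text."""
    hits = []
    for kind, pattern in PATTERNS:
        for match in pattern.finditer(text):
            token = match.group(1)
            if shannon_entropy(token) >= min_entropy:
                hits.append((kind, token))
    return hits


def redact(token: str) -> str:
    """Keep only enough of the token to identify it when asking for rotation."""
    return token[:4] + "..." + token[-4:]


def rotation_report(cases: dict) -> dict:
    """Map each case that contains a secret to a list of redacted findings."""
    report = {}
    for case_id, text in cases.items():
        hits = find_secrets(text)
        if hits:
            report[case_id] = [(kind, redact(tok)) for kind, tok in hits]
    return report


if __name__ == "__main__":
    for case_id, findings in rotation_report(SAMPLE_CASES).items():
        for kind, hint in findings:
            print(f"{case_id}: rotate {kind} {hint}")
```

Running the scan over the constructed cases flags CASE-0002 and CASE-0003 only; the redacted hints are enough to match against a credential inventory without writing the full secret into yet another log. The entropy filter is what keeps a line like `api_key=aaaaaaaaaaaaaaaaaaaaaaaa` (a placeholder, not a secret) out of the report.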
Customers are encouraged to monitor their accounts closely and report any suspicious activity to Cloudflare's security team. Cloudflare remains committed to transparency and keeping its customers informed about any potential security risks.