
Hackers Exploit Drift AI Integration to Steal Salesforce Data in Major Campaign

Hackers have launched a widespread attack campaign stealing sensitive data from Salesforce instances by exploiting a third-party integration, according to Google’s Threat Intelligence Group.

The group of attackers, tracked by Google as UNC6395, abused compromised OAuth tokens linked to Salesloft’s Drift AI chat agent to infiltrate Salesforce environments. Their main objective was credential theft, enabling large-scale exfiltration of customer data.

“Google Threat Intelligence is aware of over 700 potentially impacted organizations,” said Austin Larsen, principal threat analyst at Google. He confirmed that the hackers automated the campaign using a Python-based tool to rapidly harvest information.

Researchers clarified that Salesforce itself was not compromised. Instead, attackers targeted authentication tokens, later searching for AWS access keys, passwords, and Snowflake platform tokens.

The incidents occurred primarily between August 8 and August 18, with Salesloft working alongside Salesforce to revoke compromised Drift tokens by August 20. Salesloft also issued a security alert instructing administrators to reauthenticate Salesforce connections.

Salesforce acknowledged detecting “unusual activity” tied to a small number of customer accounts. As a precaution, the company has temporarily removed Drift from its AppExchange marketplace and is cooperating with Salesloft to support affected customers.

Google researchers noted that attackers attempted to cover their tracks by deleting query jobs but confirmed that event logs remain intact, urging security teams to audit logs for signs of exposure.

Charles Carmakal, CTO of Mandiant Consulting, advised impacted organizations to follow remediation guidance, including revoking API keys, rotating credentials, and hardening access controls.

The latest Google update warns the compromise extends beyond Salesforce integrations, as OAuth tokens linked to “Drift Email” were also targeted. A limited number of Google Workspace accounts were breached on August 9, though Google confirmed there was no compromise of Workspace or Alphabet systems overall.

Experts emphasize that any organization using Salesloft Drift should assume its authentication tokens may have been exposed and act immediately to secure its accounts.

Boeing Evaluates Cyber Group's Data Dump Threat

Boeing Co announced on Friday that it is currently evaluating a claim made by the Lockbit cybercrime group, which asserts that it has obtained a significant volume of sensitive data from the aerospace giant. The group has threatened to release this information online unless Boeing pays a ransom by November 2.

To emphasize their ultimatum, the hackers displayed a countdown timer on their data leak website, accompanied by a message stating, "Sensitive data was exfiltrated and ready to be published if Boeing do not contact within the deadline!"

The group conveyed that, for now, they will refrain from providing lists or samples of the data in order to safeguard the company. However, they asserted that this stance may change before the deadline arrives.

Lockbit typically deploys ransomware on an organization's system to encrypt it and also pilfers sensitive information as a means of extortion.

A Boeing spokesperson said via email, "We are assessing this claim."

According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Lockbit was the most active ransomware group globally last year, based on the number of victims it claimed on its data leak blog.

The gang, whose eponymous ransomware emerged on Russian-language cybercrime forums in January 2020, has reportedly conducted 1,700 attacks on U.S. organizations since then, according to a CISA report published in June.

Lockbit did not disclose the volume of data it purportedly acquired from Boeing, nor did it reveal the ransom amount it is demanding. Boeing declined to provide further comment.

The hacking group has yet to respond to a request for comment sent to the address mentioned on their data leak site.