An ongoing data theft campaign that has targeted OAuth tokens used to authenticate Salesloft Drift instances connected to Salesforce has expanded to also go after OAuth tokens for other integrations with the Drift platform. Google researchers discovered the new attacks and are advising all customers to treat any authentication tokens for those integrations as compromised. 

The campaign has been active since at least the beginning of August and Google’s Threat Intelligence Group (GTIG) has attributed the attacks to a group it calls UNC6395. Initially, the attackers targeted organizations’ Salesforce instances by attempting to steal their OAuth tokens for the Salesloft Drift platform integration. 

“The actor systematically exported large volumes of data from numerous corporate Salesforce instances. GTIG assesses the primary intent of the threat actor is to harvest credentials. After the data was exfiltrated, the actor searched through the data to look for secrets that could be potentially used to compromise victim environments. GTIG observed UNC6395 targeting sensitive credentials such as Amazon Web Services (AWS) access keys (AKIA), passwords, and Snowflake-related access tokens,” GTIG said in its advisory.

It’s important to note that this campaign doesn’t target any underlying vulnerabilities in Salesforce or Google platforms. 

Both Salesloft and GTIG published information about the attacks last week, but things have expanded since then. Here’s what’s going on now:

  • UNC6395 has also been able to steal OAuth tokens for the Drift Email integration, which the attackers then used to access Google Workspace instances for a small number of customers
  • GTIG said: “The only accounts that were potentially accessed were those that had been specifically configured to integrate with Salesloft; the actor would not have been able to access any other accounts on a customer's Workspace domain.”
  • Google identified the affected organizations and revoked the compromised tokens and disabled the integration between Google Workspace and Drift 

As a result of this campaign, GTIG is advising organizations to treat OAuth tokens associated with the Drift platform as potentially compromised. The researchers also recommend that organizations review all third-party integrations with the Drift platform and also search for any secrets or sensitive data in those third-party apps that may have been compromised. 
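The secret-hunting step GTIG recommends, as an added example that is not from the Decipher article, Salesloft or GTIG: a defender can run a scanner like this over their own Salesforce export to see which of the secret types the advisory names (AWS access key IDs, passwords, Snowflake tokens) the exfiltrated data would have exposed. The AWS key-ID format follows AWS's documented layout; the inline-credential pattern, the column-name heuristic and the sample CSV are assumptions constructed for the example.

```python
import csv
import io
import re

# Detection rules for the secret types the advisory says UNC6395 searched for
# in exported Salesforce data. AWS access key IDs are AKIA/ASIA followed by 16
# uppercase alphanumerics (documented by AWS); the inline "password: ..." rule
# and the column-name heuristic are assumptions for this example.
AWS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
INLINE_CRED_RE = re.compile(
    r"\b(password|passwd|pwd|api[_ -]?key|token)\s*[:=]\s*(\S+)", re.I)
SECRET_COLUMN_RE = re.compile(r"(password|secret|token|api[_-]?key)", re.I)

def redact(value):
    """Keep a short prefix so findings can be triaged without re-exposing the secret."""
    return value[:4] + "..." if len(value) > 4 else "..."

def scan_rows(rows):
    """Scan dict rows (e.g. a Salesforce report or Bulk API export).
    Returns (row_number, column, kind, redacted_preview) tuples."""
    findings = []
    for n, row in enumerate(rows, start=1):
        for col, val in row.items():
            if not val:
                continue
            for m in AWS_KEY_RE.finditer(val):
                findings.append((n, col, "aws_access_key_id", redact(m.group())))
            for m in INLINE_CRED_RE.finditer(val):
                findings.append((n, col, "inline_" + m.group(1).lower(), redact(m.group(2))))
            if SECRET_COLUMN_RE.search(col):
                # A custom field whose name suggests it stores a token (e.g. a
                # Snowflake token field) is reported whenever it is non-empty.
                findings.append((n, col, "secret_column", redact(val)))
    return findings

def scan_csv_text(text):
    return scan_rows(csv.DictReader(io.StringIO(text)))

# Constructed sample resembling a Case export; every value here is fake.
SAMPLE_CSV = """Id,Subject,Description,Snowflake_Token__c
5001,Login issue,User cannot log in since Monday,
5002,Cloud setup,"Temp creds: AKIAIOSFODNN7EXAMPLE, password: Hunter2!",
5003,Data pipeline,Token attached,ver:1-hint:abc123
"""

if __name__ == "__main__":
    for n, col, kind, preview in scan_csv_text(SAMPLE_CSV):
        print(f"row {n} field {col}: {kind} ({preview})")
```

Each finding maps back to a Salesforce record and field, which is what an organization needs in order to rotate the exposed credential and scope the affected downstream system.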

Note: Cisco and Duo are no longer affiliated with Decipher.  All opinions and content provided here from April 11 are solely that of Decipher and do not reflect opinions or content of Cisco Systems, Inc. or any of its affiliates.