The ripples from the Salesloft Drift incident are continuing to spread across many industries, and Cloudflare has now disclosed that its Salesforce instance was breached in early August, though the compromised data was limited mainly to customer contact information and support case data.

Cloudflare said on Sept. 2 that the attackers behind the breach, a group the company is calling Grub1, had access to Cloudflare’s Salesforce instance from Aug. 12-17 and were able to exfiltrate a limited set of data during that time frame. That data comprises Salesforce case objects, which include “customer contact information related to the support case, case subject lines, and the body of the case correspondence”. Cloudflare researchers said that the company was notified last week that it was part of the ongoing Salesloft Drift incident, and began investigating the intrusion immediately. 

“As part of our response to this incident, we did our own search through the compromised data to look for tokens or passwords and found 104 Cloudflare API tokens. We have identified no suspicious activity associated with those tokens, but all of these have been rotated in an abundance of caution,” Cloudflare said. 

The company has notified all of the affected customers and also took a number of other actions, including implementing new credential-rotation policies for third-party integrations. 
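The token search Cloudflare describes, finding credentials pasted into exfiltrated support-case text so they can be rotated, is something any Salesloft Drift customer can do over their own Salesforce case export. The script below is an added example written for this article, not Cloudflare's, Salesloft's or Salesforce's code. It assumes a Cloudflare API token can be modelled as a 40-character string over the characters A-Z, a-z, 0-9, underscore and hyphen (an assumption, not a documented format), adds a service-agnostic match for bearer tokens in pasted HTTP headers, and runs over four constructed case bodies with made-up token values. It reports only a hash fingerprint per token, so the worklist itself never becomes another copy of the secret.

```python
"""Triage exported support-case text for API tokens that must be rotated.

Added example, not Cloudflare's or Salesloft's code. Assumptions: a Cloudflare
API token is modelled as 40 characters over [A-Za-z0-9_-]; the 'Bearer' pattern
catches other services' tokens pasted into HTTP headers. Sample cases are
constructed and the token values in them are invented.
"""
import hashlib
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed sample export shaped like the Salesforce case data the article
# describes (case id plus body text), with made-up credentials.
SAMPLE_CASES: List[Dict[str, str]] = [
    {"id": "CASE-0001",
     "body": "Purge keeps failing. I'm calling the API with token "
             "Qx7vK2mN9pL4rT8wY1zB3cD5eF6gH0jI_aS-uVwX from CI."},
    {"id": "CASE-0002",
     "body": "Repro: curl -H 'Authorization: Bearer tok_EXAMPLE_0123456789abcdef' "
             "https://api.example.test/v1/zones"},
    {"id": "CASE-0003",
     "body": "Same error as CASE-0001, same token "
             "Qx7vK2mN9pL4rT8wY1zB3cD5eF6gH0jI_aS-uVwX."},
    {"id": "CASE-0004",
     "body": "Deployed commit da39a3ee5e6b4b0d3255bfef95601890afd80709 and the "
             "worker returns 500. No credentials in this ticket."},
]

# ASSUMPTION: Cloudflare API tokens are 40 chars drawn from [A-Za-z0-9_-].
# The lookarounds stop a 40-char slice of a longer run from matching.
CF_TOKEN_RE = re.compile(r"(?<![A-Za-z0-9_-])([A-Za-z0-9_-]{40})(?![A-Za-z0-9_-])")
# Any bearer token pasted into an Authorization header, whatever the service.
BEARER_RE = re.compile(r"Bearer\s+([A-Za-z0-9._~+/=-]{20,})")
HEX40_RE = re.compile(r"^[0-9a-f]{40}$")


def looks_like_git_sha(candidate: str) -> bool:
    """Heuristic: a 40-char all-hex string is almost always a SHA-1 commit id."""
    return bool(HEX40_RE.match(candidate))


def fingerprint(secret: str) -> str:
    """Stable, non-reversible handle so reports never carry the raw token."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def find_candidate_secrets(cases: Iterable[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each candidate token (raw value) to the ids of the cases it appears in."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for case in cases:
        body = case["body"]
        found = set(BEARER_RE.findall(body))
        for tok in CF_TOKEN_RE.findall(body):
            if not looks_like_git_sha(tok):
                found.add(tok)
        for tok in found:
            if case["id"] not in hits[tok]:
                hits[tok].append(case["id"])
    return dict(hits)


def rotation_worklist(cases: Iterable[Dict[str, str]]) -> List[Tuple[str, int, List[str]]]:
    """Rows of (fingerprint, case count, sorted case ids), widest exposure first."""
    hits = find_candidate_secrets(cases)
    rows = [(fingerprint(tok), len(ids), sorted(ids)) for tok, ids in hits.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for fp, n, ids in rotation_worklist(SAMPLE_CASES):
        print(f"rotate token {fp}: seen in {n} case(s): {', '.join(ids)}")
```

On the sample export this yields two tokens to rotate: the invented Cloudflare-style token, seen in two cases, and the bearer token from the pasted curl command; the git commit hash in the fourth case is recognised as hex and skipped. In a real response the raw-token map from `find_candidate_secrets` stays inside the tooling that revokes the credentials, and only the fingerprinted worklist is shared with the teams that own them.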

This incident is the latest to stem from an intrusion at Salesloft last month in which attackers used OAuth tokens to target Salesloft customers’ Salesforce integrations. A number of other companies have said they were affected by the incident, as well, including Zscaler and Palo Alto Networks. Both companies have published breakdowns of what happened and what data was accessed, and the scope of those incidents appears to be limited. 

Salesloft has taken its Drift service offline as it continues to look into the incident. "This will provide the fastest path forward to comprehensively review the application and build additional resiliency and security in the system to return the application to full functionality," the company said.

Cloudflare is one of the larger hosting, DNS, and infrastructure companies and as such sees more than its share of attacks and intrusion attempts across its services. The company has a long history of publishing detailed post-mortems on even relatively minor incidents on its platform, and this incident is no exception. 

In the after-action report, Cloudflare researchers said that they saw the first signs of attacker reconnaissance on the company’s network on Aug. 9, when the Grub1 actors tried to validate a Cloudflare-issued API token for the Salesforce API. Three days later the attackers were able to access Cloudflare's Salesforce tenant using a stolen credential for the Salesloft integration. From there, the Grub1 actors expanded the reconnaissance and mapped out Cloudflare’s Salesforce instance before finally exfiltrating data and covering their tracks on Aug. 17. 

Six days later, Salesloft and Salesforce both notified Cloudflare about the unusual activity on its Salesloft Drift integration. 

“By August 25, we had received additional intelligence about the incident and escalated our response beyond the initial vendor-recommended containment steps. We launched our own comprehensive investigation and remediation effort,” Cloudflare said. 

“Our first priority was cutting off GRUB1's access at the source. We disabled the Drift user account, revoked its client ID and secrets, and completely purged all Salesloft software and browser extensions from Cloudflare systems.”

By Sept. 2, Cloudflare began notifying affected customers. 

Salesloft is still in the process of investigating the full effects of the incident and is updating customers on its efforts on its Trust Portal page.

Note: Cisco and Duo are no longer affiliated with Decipher.  All opinions and content provided here from April 11 are solely that of Decipher and do not reflect opinions or content of Cisco Systems, Inc. or any of its affiliates.