The Register

How big will this Drift get? Cloudflare cops to Salesloft Drift breach

The list of victims keeps growing, as yet another company — Cloudflare — today disclosed that some of its customers’ data was also compromised in the Salesloft Drift breach.

In a very comprehensive post mortem published Tuesday, Cloudflare’s Head of Security Response Sourov Zaman, Senior Director of Threat Detection and Response Craig Strubhart, and Chief Information Security Officer Grant Bourzikas detailed the Drift attack, which affected Salesforce databases.

Drift is a third-party app that integrates with Salesforce databases to help manage leads. 

“Because of this breach, someone outside Cloudflare got access to our Salesforce instance, which we use for customer support and internal customer case management, and some of the data it contains,” the Cloudflare trio wrote. 

“Most of this information is customer contact information and basic support case data, but some customer support interactions may reveal information about a customer’s configuration and could contain sensitive information like access tokens,” they continued. “Given that Salesforce support case data contains the contents of support tickets with Cloudflare, any information that a customer may have shared with Cloudflare in our support system — including logs, tokens or passwords — should be considered compromised, and we strongly urge you to rotate any credentials that you may have shared with us through this channel.”
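Acting on that advice means working out which credentials were ever pasted into a ticket. The scanner below is an added example written for this article, not Cloudflare's code or tooling; its detection patterns, entropy threshold and the sample ticket export are all constructed for illustration.

```python
import math
import re
from collections import Counter

# Constructed patterns for this example; tune them to your own token formats.
BEARER = re.compile(r"(?i)\bbearer\s+([A-Za-z0-9._\-]{16,})")
ASSIGNMENT = re.compile(
    r"(?i)\b(api[_-]?key|api[_-]?token|access[_-]?token|secret|password|passwd)"
    r"\s*[=:]\s*[\"']?([^\s\"']{6,})"
)
CANDIDATE = re.compile(r"[A-Za-z0-9._\-]{20,}")


def shannon_entropy(s: str) -> float:
    """Bits per character; a random token with no repeated characters scores log2(len(s))."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def find_secrets(ticket_text: str, min_entropy: float = 4.2) -> list:
    """Return (line_no, reason, value) for credential-looking material in a ticket export.

    Three detectors run per line: bearer tokens, key=value assignments for credential
    keywords, and unhinted high-entropy runs. The 4.2-bit floor keeps 32-char hex
    identifiers (exactly 4.0 bits) and hyphenated names out of the report.
    """
    findings = []
    for line_no, line in enumerate(ticket_text.splitlines(), start=1):
        seen = set()
        for m in BEARER.finditer(line):
            findings.append((line_no, "bearer-token", m.group(1)))
            seen.add(m.group(1))
        for m in ASSIGNMENT.finditer(line):
            findings.append((line_no, "assignment", m.group(2)))
            seen.add(m.group(2))
        for cand in CANDIDATE.findall(line):
            if cand not in seen and shannon_entropy(cand) >= min_entropy:
                findings.append((line_no, "high-entropy", cand))
    return findings


# Constructed sample ticket; none of these values are real credentials.
SAMPLE_TICKET = """\
Subject: Worker deployment failing since Aug 12
Hi support, here is the curl I ran against the API:
curl -H "Authorization: Bearer QaZ9xL2mPv7RtK4sW8bN1cY6dF3gH0jE5kU" https://api.example.invalid/v1/zones
Zone id is 0123456789abcdef0123456789abcdef, account name acme-corp-prod-eu-west
Env file: API_TOKEN=kJ8mN2pQ4rS6tU1vW3xY5zA7bC9dE0fG and DB password=hunter2 (sorry!)
Pasted from my notes: x7Hq2Lm9Pz4Wv1Ka8Rt3Nb6Yc0Ds5Fg
2025-08-12T10:15:02Z GET /v1/zones 200 in 34ms
"""
```

Run `find_secrets(SAMPLE_TICKET)` to get one entry per credential-looking value with its line number and the detector that fired, which is the list to work through when rotating; the zone ID and account name on line 4 are deliberately left out of the report.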

Cloudflare also pinned the blame on a threat group it tracks as GRUB1, which the security execs say aligns with activity that Google’s Threat Intel Group tracks as UNC6395, and which Google says has some overlap with ShinyHunters.

Side note: If you’re not yet confused by all of these naming conventions and overlaps, check out this explainer.

And, while the CDN-slash-security-provider said it hasn’t spotted any suspicious activity linked to any security tokens, it did rotate all of them “in an abundance of caution.”

Plus: Cloudflare notified all of its customers whose data was exposed.

“No Cloudflare services or infrastructure were compromised as a result of this breach,” the security execs added.

Cloudflare’s own investigation showed that the miscreants compromised and stole data from its Salesforce tenant between August 12 and August 17, in line with the earlier timeline provided by Drift.

The cloud company provided a detailed timeline, beginning on August 9 when it first spotted GRUB1 trying to validate a customer’s Cloudflare-issued API token against the Salesforce API, before gaining illicit access using stolen credentials three days later.

And it continues with a near-daily account of the nefarious activities, all the way through the attackers’ final data exfiltration and cover-up to Cloudflare’s response, concluding with customers being notified on September 2.

Cloudflare also provides a comprehensive list of recommendations and indicators of compromise, and we at The Register give kudos to the company for its transparency and technical details.

But wait! There’s more! Zaman, Strubhart, and Bourzikas also promised “in the weeks ahead” to publish an in-depth analysis of “GRUB1’s tradecraft to support the broader community in defending against similar campaigns.”

Cloudflare’s disclosure grows the body count associated with this particular hack, as Google, Palo Alto Networks, and Zscaler are all on the list of self-identified victims.

And we’re willing to bet that it’s not over yet. As Cloudflare warns: “We believe this incident was not an isolated event but that the threat actor intended to harvest credentials and customer information for future attacks. Given that hundreds of organizations were affected through this Drift compromise, we suspect the threat actor will use this information to launch targeted attacks against customers across the affected organizations.”

So hunker down, rotate those API keys regularly, and keep an eye out for any unusual logging activity to third-party integrations. ®