Workday Hit in Wave of Social Engineering Attacks

Human resources (HR) platform provider Workday has become the latest large organization to fall victim to a cyber attack originating through a third-party supplier, as the impact of a wave of cyber attacks – likely orchestrated through Salesforce products and linked to the ShinyHunters cyber crime collective – continues to reverberate.

Workday announced the incident just prior to the weekend of August 16-17, in a notice revealing that the company had been targeted by a social engineering campaign aimed at many large organizations. Cyber news outlet Bleeping Computer had previously linked the threat actor to Salesforce, but Workday did not name either party involved.

"We recently identified that Workday had been targeted and threat actors were able to access some information from our third-party CRM platform," said the company. "There is no indication of access to customer tenants or the data within them. We acted quickly to cut the access and have added extra safeguards to protect against similar incidents in the future."

The information obtained by the threat actors was primarily commonly available business contact information, such as names, email addresses, and phone numbers, which they may have used to further their social engineering scams.

"It's essential to remember that Workday will never contact anyone by phone to request a password or any other secure details. All official communications from Workday come through our trusted support channels," the company added.

The Breach and Its Implications

The breach of Workday's systems puts it among a growing number of companies that have been compromised by ShinyHunters in recent weeks, including Adidas, Air France-KLM, Allianz, Google, multiple LVMH brands, Pandora, and Qantas.

A similar series of cyber attacks conducted by the Scattered Spider group has also been observed, with Marks & Spencer being one of its recent targets. The incident highlights a pattern where many high-profile data breaches have arisen from simple manipulation and trickery of ordinary employees rather than software vulnerabilities.

The Connection to ShinyHunters and Scattered Spider

Researchers at Flashpoint are now making the connection between the current wave of CRM-linked breaches and Scattered Spider, with a briefing document published on August 15 attributing the attacks to the group.

According to ReliaQuest, ShinyHunters and Scattered Spider may be aligned through shared links to a wider underground group known as The Com. While the connection is not definitive, it suggests that there may be a common thread between the two groups.

The Need for Enhanced Security Measures

"Eliminate OAuth blind spots, enforce strict allow-listing for third-party app integrations, and review connections at a regular interval," said Dray Agha, senior manager of security operations at Huntress. "Adopt phishing-resistant MFA: hardware tokens are essential, as 'MFA fatigue' attacks remain trivial."

"A huge number of attacks begin with social engineering, users being deceived, and user enrollment in the execution of malware. Effective security awareness training is a must for any organization that wishes to repel cyber attacks," Agha added.

Timeline: Scattered Spider, ShinyHunters, and Social Engineering

August 15: Researchers at Flashpoint publish a briefing document attributing the current wave of CRM-linked breaches to Scattered Spider.

August 16-17: Workday announces that it has been targeted by a social engineering campaign, revealing the breach was linked to Salesforce products and ShinyHunters.

Recent weeks: Multiple companies, including Adidas, Air France-KLM, Allianz, Google, multiple LVMH brands, Pandora, and Qantas, have been compromised by ShinyHunters in a campaign closely mirroring that of Scattered Spider.