How the huge breach started: Drift attackers gained entry via a Salesloft GitHub account

The massive attack that compromised hundreds of companies, including Google, Palo Alto Networks, and Cloudflare, has its roots in a misconfigured Salesloft GitHub account. According to a recent update from the Mandiant-led investigation into the incident, the breach began when attackers gained access to the Salesloft GitHub account in March.

Salesloft hired an incident response firm, Mandiant, to investigate the root cause and scope of the incident. The investigation has now revealed that the attackers accessed the Salesloft GitHub account between March and June, downloading content from multiple repositories, adding a guest user, and establishing workflows. However, the postmortem report does not specify how the attackers initially gained access to the GitHub account.

The Register has reached out to Salesloft for clarification on this point, but is awaiting a response. The attack is believed to be linked to several threat groups, including UNC6395 and GRUB1, which are tracked by Google as uncategorized threat groups (UNC) and nation-state attackers, respectively.

The attackers then used OAuth tokens stolen from Drift's AWS environment to break into multiple companies' Salesforce instances, compromising the data of "hundreds" of customers. The affected companies include Google, Zscaler, Cloudflare, Palo Alto Networks, BeyondTrust, Bugcrowd, Cato Networks, CyberArk, Elastic, JFrog, Nutanix, PagerDuty, Rubrik, SpyCloud, and Tanium.

In response to the breach, Salesloft took several steps to mitigate the damage. The company took the Drift application offline, rotated compromised credentials, isolated the Drift infrastructure and code, and validated these activities with Mandiant. According to Mandiant, these actions support the conclusion that the incident has been contained.

The investigation into the breach is ongoing, but it is clear that a misconfigured GitHub account played a key role in the attackers' initial access. As more information becomes available, we will continue to provide updates on this developing story.