A recent surge in social engineering attacks on the Salesforce CRM application indicates these attacks misuse specific methods and vulnerabilities. Northwave has observed several such attacks in recent weeks, and some have led to severe impact for the organisations affected. In this Threat Response we briefly explain what we have learned, which steps we advise to take to better protect your organisation.
What do we know?
Based on what we’ve learned, we know the attackers use advanced social engineering attacks. They impersonate the IT service desk and are able to extract login information and MFA keys to gain initial access. With these accounts they are able to access the Salesforce environment. We also think that in these type of attacks the time between the initial access and extraction of the data is very short, which means that even a very quick detection and response can result in large data extractions.
Based on what we’ve learned, we know the attackers use advanced social engineering attacks. They impersonate the IT service desk and are able to extract login information and MFA keys to gain initial access. With these accounts they are able to access the Salesforce environment. We also think that in these type of attacks the time between the initial access and extraction of the data is very short, which means that even a very quick detection and response can result in large data extractions.
After attackers get access they install a data extraction plugin, which uses the API of Salesforce to extract data. They do this in such a way, that the API-calls request limited data per request, to not trigger rate-limits or alerts. This modus operandi is explained in more detail here [1]. Different closely related methods could be used, but they all rely on malicious plugins or apps to covertly extract the data.
- Review and validate all Salesforce connected apps. Because we do not know the dwell-time of these attackers, it is important to verify if unauthorized apps might already have been installed. This page explains more on how you can do this [2].
- Drastically limit the rights of users to install plugins or apps for Salesforce. This should be an Admin only permission.
- Implement app allowlisting to only allow approved apps.
- Inform all employees about this attack and how they can recognize it:
- If you get a call by IT support, tell them that you will call them back on the known number of the organisation. Also tell them to actually do this, because then this can also function as a incident report.
- Explain that IT Support will never:
- Ask for passwords or to enter them
- Asks for MFA codes or to enter them
- Asks to install specific apps or plugins
Which measures should you start implementing?
- Ensure that Salesforce can only be access via a trusted network (e.g. via a VPN or IP whitelisting)
- Implement logging and monitoring that checks for:
- High volume queries
- Exports of reports or CSV files
- Login attempts from unknown locations
- Update your trainings and onboarding procedures to specifically explain this type of attack, especially for employees working with Salesforce.
What should you start thinking about?
- Assess which data is stored in Salesforce.
- Should it actually be there or can we limit the data?
- Do we have proper data retention implemented?
- Assess access rights of all roles within Salesforce.
- To which data do these roles have access and do they really need it?
- Which functionallity does this role have and does it really need it?
What does Northwave do?
We will monitor any developments regarding these attacks. If new critical information about this threat arises we will reach out to you. You can call us by phone or send us an email if you would like additional information.
E-mail: soc@northwave-cybersecurity.com
Do you have an incident right now? Call our Incident Response Team: 00800 1744 0000
Do you have an incident right now? Call our Incident Response Team: 00800 1744 0000
Disclaimer applies, see below.
Sources