Global Current News

Palo Alto Networks hit by Salesforce-linked supply chain breach

by Edwin O.
September 5, 2025
in Cybersecurity

Palo Alto Networks has acknowledged a data breach that exposed customer information and support case data after attackers used compromised OAuth tokens, obtained in the Salesloft Drift supply chain attack, to gain unauthorized access to its Salesforce CRM instance. The company is one of hundreds of organizations hit by a supply chain attack that has rocked the cybersecurity sector, showing how third-party weaknesses can cascade into organization-wide breaches.

Widespread Salesforce attacks are made possible by the Salesloft breach

According to BleepingComputer, attackers abused OAuth tokens stolen in the Salesloft Drift breach to gain unauthorized access to Palo Alto Networks' Salesforce instance and expose customer data and support cases. The company says it is among hundreds of organizations affected by a supply chain attack reported last week, in which threat actors used stolen authentication tokens to steal data.

The campaign, initially tracked by Google's Threat Intelligence team as UNC6395, targeted support cases to find sensitive data, including authentication tokens, passwords, and cloud secrets, which could then be used to pivot into other cloud services and steal more information.

Attackers had been searching systematically for credentials

Palo Alto Networks stated that the attackers were also searching for secrets, such as AWS access keys (AKIA), Snowflake tokens, VPN and SSO login strings, and keywords such as password, secret, or key, among others. These secrets could then be used to breach additional cloud platforms and steal data for extortion.

According to Google and Palo Alto Networks, automated tools were used to steal the data, and user-agent strings show that custom Python tools were involved. During these attacks, the attackers performed a mass exfiltration of Salesforce Account, Contact, Case, and Opportunity data.
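
For organizations reviewing their own exposure, the secret types listed above translate into a check over exported support-case text that shows which cases contain credentials needing rotation. This is an added example, not code from Palo Alto Networks or Google; the regexes, function names, and sample cases are assumptions constructed for illustration.

```python
import re

# Patterns modelled on the secret types the article lists. The exact regexes
# are assumptions for this example, not taken from any vendor's tooling.
# Each entry: name -> (pattern, group holding the value, redact it?)
PATTERNS = {
    "aws_access_key_id": (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), 0, True),
    "keyword_assignment": (
        re.compile(r"(?i)\b(password|passwd|secret|token|api[_-]?key|key)\b\s*[:=]\s*(\S{6,})"),
        2, True),
    "vpn_sso_url": (re.compile(r"(?i)\bhttps?://[^\s/]*\b(vpn|sso)\b[^\s]*"), 0, False),
}

# Constructed sample data: case IDs and text are invented for this example.
SAMPLE_CASES = {
    "CASE-0001": "Customer pasted config: aws_access_key_id = AKIAIOSFODNN7EXAMPLE for the S3 sync job.",
    "CASE-0002": "Firewall upgrade question, no credentials shared.",
    "CASE-0003": "Login fails at https://vpn.example.test/portal with password: Hunter2-constructed",
}


def redact(value):
    """Keep a 4-character prefix so responders can identify the secret
    without re-exposing it in the findings report."""
    return value[:4] + "*" * (len(value) - 4)


def scan_cases(cases):
    """Return (case_id, finding_type, value) for every match in the case text."""
    findings = []
    for case_id, text in cases.items():
        for kind, (pattern, group, secret) in PATTERNS.items():
            for m in pattern.finditer(text):
                value = m.group(group)
                findings.append((case_id, kind, redact(value) if secret else value))
    return findings


def cases_needing_rotation(cases):
    """Case IDs that contain at least one finding, sorted for triage."""
    return sorted({case_id for case_id, _, _ in scan_cases(cases)})


if __name__ == "__main__":
    for finding in scan_cases(SAMPLE_CASES):
        print(finding)
```
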

Coinbase was the first target of the GitHub Actions supply chain attack

Cybersecurity Dive reports that the threat actors behind the GitHub Actions supply chain attack initially targeted Coinbase in the first wave of their attack. The attack was designed to exploit the public continuous integration/continuous delivery pipeline of AgentKit, one of the crypto exchange's open source projects.

The researchers believe the attackers intended to use the project to make further compromises, but they failed to gain access to Coinbase secrets or publish any packages. According to PAN researchers, the attacker then spent several days preparing the bigger attack, eventually compromising versions of tj-actions/changed-files.

Several attack vectors are sophisticated

The bigger attack chain involved more than 23,000 repositories, but the Unit 42 researchers say the number at risk may be even higher, reaching tens of thousands. In the attack on tj-actions/changed-files, which was discovered on March 14, malicious code was injected using a compromised personal access token.

After Coinbase had seen the issue and responded to it internally, the attacker decided to carry out the mass attack by compromising all tagged versions of tj-actions/changed-files, according to Omer Gil, senior research manager at Palo Alto Networks.
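
Because every tagged version of the action was compromised, workflows that reference an action by tag or branch pick up whatever code the tag points to at run time, while a reference to a full commit SHA does not move. The following added example (not code from the article or from Unit 42) lists the workflow steps that use a mutable reference; the sample workflow, the `v1` tag, the placeholder SHA, and the `example-org/lint-action` name are constructed for illustration.

```python
import re

# Matches "uses: owner/repo[/path]@ref" in a workflow file. Local ("./...")
# references have no owner/repo@ref form and are not matched.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([\w.-]+/[\w./-]+)@([^\s'\"#]+)")
# A full 40-character commit SHA is the only immutable reference form.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow; the SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: tj-actions/changed-files@v1
      - name: Lint
        uses: example-org/lint-action@main
      - uses: ./local-action
"""


def unpinned_actions(workflow_text):
    """Return (line_number, action, ref) for every third-party action that is
    referenced by a tag or branch instead of a full commit SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and not FULL_SHA_RE.match(m.group(2)):
            findings.append((lineno, m.group(1), m.group(2)))
    return findings


if __name__ == "__main__":
    for lineno, action, ref in unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {action}@{ref} is not pinned to a commit SHA")
```
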

Extensive response and mitigation

Palo Alto Networks told BleepingComputer that no technical support files or attachments were exfiltrated from the support case data; only contact information and text comments were taken. The company quickly addressed the incident and turned off its Salesforce environment.

The breach of Palo Alto Networks highlights the cascading risk of supply chain attacks, where compromised third-party services can expose hundreds of organizations to data theft and credential harvesting. These sophisticated attacks demonstrate that strong security monitoring and rapid incident response are the most crucial factors in today's interdependent cyber world.
