
Klue Supply Chain Breach Exposes Salesforce Data at Multiple Security Firms


A supply chain attack on Klue, a competitive intelligence platform, has exposed Salesforce data belonging to multiple Klue customers, including several high-profile cybersecurity vendors. The incident took place in June. The attackers used a compromised legacy credential in Klue's integration infrastructure and never had to breach Salesforce itself.

In its disclosure, Klue confirmed that its investigation found the attackers had entered its systems through a compromised credential belonging to an integration service. From there they obtained the OAuth tokens that connect Klue to third-party platforms such as Salesforce on its customers' behalf. Incident reports from Huntress and other affected organizations state that the stolen tokens were then used to access customer Salesforce environments and exfiltrate CRM data.

The attack reportedly commenced around June 11, coinciding with unauthorized code updates made to Klue’s integration services. Various security firms, including Huntress, Recorded Future, and Tanium, have verified that their Salesforce data was accessed through the compromised Klue integration. Klue indicated that it took immediate measures to contain the situation, which involved revoking credentials, removing unauthorized code, disabling affected integrations, and notifying law enforcement authorities of the breach.

Salesforce has since disabled the implicated Klue integration while investigations continue. Organizations that use Klue's Salesforce integration have been urged to revoke and rotate the OAuth tokens issued to it, review their connected applications, and check Salesforce audit logs for suspicious activity. Sunil Gottumukkala, CEO of Averlon, said this pattern reflects a growing trend: attackers increasingly target SaaS integrations rather than the cloud platforms themselves.

Gottumukkala pointed out that the attackers gained unauthorized access to hundreds of customers’ Salesforce instances by exploiting compromised legacy credentials at Klue. He emphasized that enterprises must now consider their security frameworks as being only as robust as the third-party applications they have allowed access to their CRM systems. Most teams fail to actively monitor these integrations, creating a significant vulnerability.

The CEO advocated for immediate action among organizations by inventorying all OAuth integrations to identify unnecessary or dormant ones. He stressed the importance of vigilant monitoring for unusual token activity. The breached data reportedly included sensitive contact and sales information, which could consequently lead to targeted phishing efforts. Hence, Gottumukkala advised organizations to proactively inform their customers and employees to mitigate risks before attackers can exploit this sensitive information.
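The inventory-and-monitor step recommended above, as an added example that is not code from Klue, Salesforce or any of the firms quoted in this article. It walks a connected-app token export and an API event log, flags dormant or over-scoped grants, and compares each app's activity inside a suspect window with that app's own earlier baseline (new source IPs, objects it had never read before, row volume). All input data is constructed for the example, and the field names, dates and thresholds are assumptions to be mapped onto whatever your CRM's token listing and event logs actually provide.

```python
"""Triage connected-app OAuth tokens after an integration-vendor breach (added example)."""
from __future__ import annotations

import json
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample: one row per (connected app, user) token grant. Field names are assumed.
TOKEN_INVENTORY_JSON = """[
  {"app": "Klue", "user": "sales.ops@example.com", "last_used": "2025-06-12T02:14:00Z", "scopes": ["api", "refresh_token", "full"]},
  {"app": "Klue", "user": "ae1@example.com", "last_used": "2025-06-12T02:15:00Z", "scopes": ["api", "refresh_token", "full"]},
  {"app": "Legacy BI Connector", "user": "analyst@example.com", "last_used": "2024-11-03T09:00:00Z", "scopes": ["api", "refresh_token"]},
  {"app": "Slack", "user": "ae1@example.com", "last_used": "2025-06-12T15:40:00Z", "scopes": ["api", "refresh_token"]}
]"""

# Constructed sample: one row per API call made with a connected-app token. Field names are assumed.
API_EVENTS_JSON = """[
  {"ts": "2025-05-20T08:00:00Z", "app": "Klue", "ip": "203.0.113.10", "entity": "Opportunity", "rows": 40},
  {"ts": "2025-05-27T08:00:00Z", "app": "Klue", "ip": "203.0.113.10", "entity": "Opportunity", "rows": 55},
  {"ts": "2025-06-03T08:00:00Z", "app": "Klue", "ip": "203.0.113.10", "entity": "Account", "rows": 30},
  {"ts": "2025-06-05T10:00:00Z", "app": "Slack", "ip": "192.0.2.5", "entity": "Account", "rows": 2},
  {"ts": "2025-06-11T23:58:00Z", "app": "Klue", "ip": "198.51.100.77", "entity": "Contact", "rows": 48000},
  {"ts": "2025-06-12T00:05:00Z", "app": "Klue", "ip": "198.51.100.77", "entity": "Lead", "rows": 21000},
  {"ts": "2025-06-12T02:14:00Z", "app": "Klue", "ip": "198.51.100.77", "entity": "Opportunity", "rows": 9000},
  {"ts": "2025-06-12T15:40:00Z", "app": "Slack", "ip": "192.0.2.5", "entity": "Account", "rows": 3}
]"""

NOW = datetime(2025, 6, 13, tzinfo=timezone.utc)           # time of the review (assumed)
WINDOW_START = datetime(2025, 6, 11, tzinfo=timezone.utc)  # start of the suspect period (assumed)
DORMANT_DAYS = 90               # tokens unused this long are candidates for revocation
BROAD_SCOPES = {"full", "web"}  # scopes that grant far more than a CRM sync needs
SPIKE_FACTOR = 10               # window rows vs. baseline rows/day before it counts as a spike


@dataclass(frozen=True)
class Finding:
    app: str
    rule: str
    detail: str


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def inventory_findings(tokens: list[dict], now: datetime) -> list[Finding]:
    """Flag grants that should not exist at all: dormant tokens and over-broad scopes."""
    out = []
    for t in tokens:
        age = now - _ts(t["last_used"])
        if age > timedelta(days=DORMANT_DAYS):
            out.append(Finding(t["app"], "dormant", f"{t['user']}: unused for {age.days} days"))
        broad = sorted(set(t["scopes"]) & BROAD_SCOPES)
        if broad:
            out.append(Finding(t["app"], "over-privileged", f"{t['user']}: holds {','.join(broad)}"))
    return out


def activity_findings(events: list[dict], window_start: datetime) -> list[Finding]:
    """Compare each app's token use inside the suspect window with its own earlier baseline."""
    def fresh():
        return {"ips": set(), "entities": set(), "rows": 0, "days": set()}
    baseline, window = defaultdict(fresh), defaultdict(fresh)
    for e in events:
        ts = _ts(e["ts"])
        b = (window if ts >= window_start else baseline)[e["app"]]
        b["ips"].add(e["ip"])
        b["entities"].add(e["entity"])
        b["rows"] += e["rows"]
        b["days"].add(ts.date())
    out = []
    for app, w in window.items():
        if app not in baseline:  # membership test does not create a defaultdict entry
            out.append(Finding(app, "no-baseline", "token only used inside the window; review manually"))
            continue
        b = baseline[app]
        if w["ips"] - b["ips"]:
            out.append(Finding(app, "new-ip", f"calls from {sorted(w['ips'] - b['ips'])}"))
        if w["entities"] - b["entities"]:
            out.append(Finding(app, "new-entity", f"never read before: {sorted(w['entities'] - b['entities'])}"))
        per_day = b["rows"] / len(b["days"])
        if w["rows"] > SPIKE_FACTOR * per_day:
            out.append(Finding(app, "volume-spike", f"{w['rows']} rows vs ~{per_day:.0f}/day baseline"))
    return out


def triage_sample() -> list[Finding]:
    """Run both checks over the constructed samples; in practice feed your own exports."""
    tokens = json.loads(TOKEN_INVENTORY_JSON)
    events = json.loads(API_EVENTS_JSON)
    return inventory_findings(tokens, NOW) + activity_findings(events, WINDOW_START)


if __name__ == "__main__":
    for f in triage_sample():
        print(f"{f.app:22} {f.rule:16} {f.detail}")
```

On the sample data the script reports the dormant Legacy BI Connector token, the two Klue grants holding the "full" scope, and three activity findings for Klue: calls from a source IP never seen in the baseline, reads of Contact and Lead objects it had never touched, and a row volume orders of magnitude above its baseline. That combination, a trusted integration suddenly pulling whole Contact and Lead tables, is the pattern described in this article. Slack, whose window activity matches its baseline, produces nothing. The thresholds are starting points rather than tuned values, and a real review would also cross-check each flagged token against the Salesforce audit logs mentioned above before revoking it.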

John Strand, the owner of Black Hills Information Security, remarked that this incident is indicative of an impending crisis in the SaaS landscape. He highlighted how various threat actors, spanning from state-sponsored groups to independent militias, are intensifying their efforts, thus putting all organizations at risk. Attackers are increasingly capitalizing on existing SaaS platforms, transforming them into centralized vulnerabilities that facilitate mass exploitation.

Denis Calderone, CTO at Suzu Labs, observed that this particular attack methodology has become a standard practice among cybercriminals. With three distinct instances of OAuth supply chain attacks occurring within a year and utilizing similar techniques, Calderone noted that attackers are now adept at compromising integration vendors, harvesting OAuth tokens, and executing API queries to exfiltrate CRM data en masse.

The root cause, as identified by Huntress, was a single neglected credential created for a prototype third-party integration that was never implemented. This forgotten API key allowed an intruder unlimited access to Klue’s backend, culminating in a malicious update that gathered OAuth tokens from over 300 organizations simultaneously, thereby exposing a vast array of customer data.

Calderone emphasized that businesses utilizing Klue’s services must take immediate, comprehensive measures to assess all OAuth tokens tied to the integration, extending beyond Salesforce to other platforms. He mentioned various integrations with popular applications like HubSpot, Slack, and Google Drive, urging organizations to treat all associated tokens as potentially compromised.

Damon Small, a board member at Xcape, underscored the severity of the operational risks posed by this incident. Specialized business platforms, he noted, serve as attractive targets for corporate espionage as they facilitate unauthorized access to sensitive competitive data and customer insights. Small recommended that organizations diligently catalog all API and OAuth integrations linked to their core data systems, revoke over-privileged tokens, and establish strict data access protocols.

As organizations continue grappling with the implications of this breach, immediate remedial steps and updated security protocols are vital for safeguarding against future threats in an increasingly interconnected digital landscape.
