CRM-Obsessed ShinyHunters Gang Exploits Misconfigured Customer Experience Portals

The ShinyHunters gang, a cybercrime collective known for its brazen exploits against Salesforce customers, has recently intensified its operations by targeting misconfigured guest user accounts that expose internal CRM data to anyone on the internet. The campaign has resulted in significant data theft and extortion aimed at numerous organizations.
Salesforce has clarified that the recent data breaches do not stem from any vulnerability in its platform. Instead, the attackers leveraged guest account misconfigurations in customers' own deployments to access and steal sensitive customer data. It is estimated that the ShinyHunters gang has compromised between 300 and 400 organizations, primarily targeting those within the cybersecurity space.
The exposure traces to misconfigured components built on Salesforce Aura, a rapid UI development framework that underpins Salesforce Experience Cloud, formerly Community Cloud. Experience Cloud sites are designed to expose an organization's customer relationship management (CRM) data to customers and partners through public-facing portals, which has made them a lucrative target for cybercriminals.
Salesforce reported that the attackers appear to have adapted an open-source tool named Aura Inspector, modifying it to mass-scan public-facing Experience Cloud sites. The tool extracts data from sites that have "overly permissive guest user settings," making it easy for the attackers to find and exploit these misconfigurations at scale.
Aura Inspector, initially developed by Google Cloud’s Mandiant, was created to assist organizations in auditing their Experience Cloud environments. It identifies potentially vulnerable objects that should not be publicly accessible. However, the ShinyHunters gang has crafted a custom version of this tool that goes beyond simple identification to actively extract sensitive data, effectively exploiting the lax guest user settings that some organizations have in place.
Mandiant is currently investigating the malicious applications of the Aura Inspector and has noted that a threat actor is attempting to identify and exploit misconfigurations within Salesforce Experience Cloud instances. Charles Carmakal, CTO of Mandiant Consulting, indicated that the company is collaborating with Salesforce and its customers to mitigate potential risks by providing necessary telemetry and detection rules.
In response to these threats, Salesforce has urged its customers to thoroughly audit guest user permissions and implement a "least privilege access model." This means setting the organization-wide defaults that apply to guest users to Private, so that any guest access to records must be granted explicitly rather than inherited. Salesforce also recommends disabling API access for the guest user profile, so that unauthenticated API calls cannot be made through a guest account, a critical step in closing off the mass-extraction path.
Organizations are also advised to turn off portal and site user visibility for guest users, which prevents an attacker-controlled guest session from enumerating other users of the site. Where it is not essential, firms can also disable self-registration for portal accounts, since an attacker could otherwise use it to turn a guest-tier exposure into an authenticated, more privileged session with broader data access.
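The audit steps above can be run offline against metadata retrieved from an org rather than by clicking through Setup. The following script is an added example, not Salesforce's or Mandiant's code: it reads the guest user Profile, a CustomObject definition, and the sharing and network settings in Salesforce Metadata API XML form and flags the settings the guidance calls out (guest read grants, the "API Enabled" permission, a non-Private external organization-wide default, user visibility and self-registration). The Profile and CustomObject element names are those of the Metadata API; the `enablePortalUserVisibility`, `enableCommunityUserVisibility` and `selfRegistration` elements are assumptions for the example and should be checked against your own retrieved SharingSettings and Network files. All sample XML is constructed for the example.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://soap.sforce.com/2006/04/metadata"}


def _text(el, tag):
    """Text of a namespaced child element, or '' if absent."""
    child = el.find(f"m:{tag}", NS)
    return (child.text or "").strip() if child is not None else ""


def _flag(el, tag):
    return _text(el, tag).lower() == "true"


def audit_guest_profile(profile_xml, intended_public=frozenset()):
    """Flag object access and API access granted to the guest user profile.

    intended_public: objects the site deliberately exposes (e.g. published
    Knowledge articles); read access on anything else is reported.
    """
    root = ET.fromstring(profile_xml)
    findings = []
    for perm in root.findall("m:objectPermissions", NS):
        obj = _text(perm, "object")
        if _flag(perm, "viewAllRecords") or _flag(perm, "modifyAllRecords"):
            findings.append(f"{obj}: guest profile has View All/Modify All")
        elif _flag(perm, "allowRead") and obj not in intended_public:
            findings.append(f"{obj}: guest profile grants read access")
        if any(_flag(perm, t) for t in ("allowCreate", "allowEdit", "allowDelete")):
            findings.append(f"{obj}: guest profile grants write access")
    for perm in root.findall("m:userPermissions", NS):
        if _text(perm, "name") == "ApiEnabled" and _flag(perm, "enabled"):
            findings.append("ApiEnabled: guest profile permits unauthenticated API calls")
    return findings


def audit_sharing_model(object_xml, object_name):
    """Flag an organization-wide default for external users that is not Private."""
    root = ET.fromstring(object_xml)
    # externalSharingModel governs guest/portal users; fall back to the internal default.
    external = _text(root, "externalSharingModel") or _text(root, "sharingModel")
    if external and external != "Private":
        return [f"{object_name}: external OWD is {external}, not Private"]
    return []


def audit_site_settings(sharing_xml, network_xml):
    """Flag user-visibility and self-registration settings.

    Element names here are assumed for the example; verify them against the
    SharingSettings and Network metadata retrieved from your org.
    """
    findings = []
    sharing = ET.fromstring(sharing_xml)
    for tag in ("enablePortalUserVisibility", "enableCommunityUserVisibility"):
        if _flag(sharing, tag):
            findings.append(f"{tag} is on: guest/portal users can enumerate other users")
    if _flag(ET.fromstring(network_xml), "selfRegistration"):
        findings.append("selfRegistration is on: anyone can create a portal account")
    return findings


# Constructed sample metadata for the example (not from any real org).
GUEST_PROFILE_XML = """<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
  <objectPermissions><allowCreate>false</allowCreate><allowDelete>false</allowDelete>
    <allowEdit>false</allowEdit><allowRead>true</allowRead><modifyAllRecords>false</modifyAllRecords>
    <object>Contact</object><viewAllRecords>false</viewAllRecords></objectPermissions>
  <objectPermissions><allowCreate>false</allowCreate><allowDelete>false</allowDelete>
    <allowEdit>false</allowEdit><allowRead>true</allowRead><modifyAllRecords>false</modifyAllRecords>
    <object>Knowledge__kav</object><viewAllRecords>false</viewAllRecords></objectPermissions>
  <objectPermissions><allowCreate>true</allowCreate><allowDelete>false</allowDelete>
    <allowEdit>false</allowEdit><allowRead>true</allowRead><modifyAllRecords>false</modifyAllRecords>
    <object>Case</object><viewAllRecords>true</viewAllRecords></objectPermissions>
  <userLicense>Guest User License</userLicense>
  <userPermissions><enabled>true</enabled><name>ApiEnabled</name></userPermissions>
</Profile>"""
TICKET_OBJECT_XML = """<CustomObject xmlns="http://soap.sforce.com/2006/04/metadata">
  <sharingModel>ReadWrite</sharingModel><externalSharingModel>Read</externalSharingModel>
</CustomObject>"""
SHARING_XML = """<SharingSettings xmlns="http://soap.sforce.com/2006/04/metadata">
  <enablePortalUserVisibility>true</enablePortalUserVisibility>
  <enableCommunityUserVisibility>false</enableCommunityUserVisibility>
</SharingSettings>"""
NETWORK_XML = """<Network xmlns="http://soap.sforce.com/2006/04/metadata">
  <selfRegistration>true</selfRegistration>
</Network>"""


def run_audit():
    """Run all checks over the constructed samples; returns the list of findings."""
    findings = audit_guest_profile(GUEST_PROFILE_XML, {"Knowledge__kav"})
    findings += audit_sharing_model(TICKET_OBJECT_XML, "Support_Ticket__c")
    findings += audit_site_settings(SHARING_XML, NETWORK_XML)
    return findings


if __name__ == "__main__":
    for line in run_audit():
        print("FINDING:", line)
```

Run it against the `profiles/`, `objects/`, `settings/` and `networks/` folders of a metadata retrieve, with `intended_public` set to the objects the site is meant to publish; every remaining finding is either a deliberate exception to document or a setting to change. Because the script works on retrieved files, it needs no API credentials and can be rerun in CI whenever the site's metadata changes.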
The ShinyHunters group has made its intentions clear through a recent post on their dark web data leak site, where they pressure organizations into compliance by publicly listing non-paying victims. Known as the “Salesforce Aura Campaign,” the group claims to be extorting hundreds of companies utilizing the Aura framework.
As is typical of ransomware-style extortion operations, the ShinyHunters gang has not disclosed whether any of its victims have paid or the amounts involved. The collective is also noted for its connections to other criminal enterprises within the Western adolescent cybercrime community known as The Com, and frequently runs social engineering attacks that target IT help desks through live phone calls.
Experts in cybersecurity continue to warn organizations against negotiating with these criminals. Unit 221B, a cybersecurity firm that has been involved in exposing elements of The Com, emphasizes that engaging with ShinyHunters can lead only to further harassment and negative publicity, including severe intimidation tactics, such as threats against senior executives.
Security practitioners widely caution that there is no reliable evidence of any group fully deleting stolen data, even when a ransom is paid in exchange for that assurance. Despite ShinyHunters' bold claims of successfully exploiting Salesforce CRM data, reports indicate that actual payments by victims are few and far between.
As the cyber threat landscape continues to evolve, organizations operating within the Salesforce ecosystem and beyond must remain vigilant. Implementing robust security measures and continuously auditing system configurations is essential to mitigate risks associated with data breaches and extortion campaigns instigated by groups like ShinyHunters.

