
ShinyHunters Targets Hundreds of Websites in Recent Salesforce Campaign


Salesforce has issued an urgent advisory to its Experience Cloud customers, recommending a thorough review of their website configurations following alarming reports of data theft attributed to a notorious threat group. This advisory comes in light of evidence indicating that the group has successfully stolen sensitive data from numerous organizations, raising concerns about cybersecurity vulnerabilities.

The cloud computing titan has noted a troubling trend in which threat actors are increasingly targeting misconfigurations of publicly accessible websites created using the Experience Cloud platform. In a detailed statement, Salesforce reported, “We have identified a campaign in which malicious actors are exploiting customers’ overly permissive Experience Cloud guest user configurations to potentially access more data than targeted organizations intended.” This revelation casts a spotlight on the critical importance of proper configuration and security protocols within cloud-based environments.

The threat group behind these attacks has been using a modified version of Aura Inspector, an open-source tool originally developed by Mandiant. According to Salesforce, the tool is being used to scan the /s/sfsites/aura API endpoint at scale, identify CRM objects that the misconfiguration exposes, and extract data from those endpoints. Data taken in these scans, including personally identifiable information such as names and phone numbers, is frequently reused in follow-on social engineering and vishing (voice phishing) attacks.

An alarming aspect of this situation is the claim made by the ShinyHunters group, which has taken responsibility for the ongoing cyber campaign. In screenshots shared on their leak site via X (formerly known as Twitter), the group asserts that it has successfully breached “several hundreds” of companies, including approximately 400 websites and 100 “high-profile companies.” This assertion supports Salesforce’s concerns that the compromised contact details obtained through website intrusions are being utilized for more substantial attacks, including social engineering, network intrusions, and extensive data theft.

Salesforce has been keen to clarify that the vulnerabilities being exploited are not due to flaws within the platform’s security itself. Instead, the company emphasizes that these are risks stemming from customer-configured guest user settings. This distinction is crucial for users of the platform to understand as it places the responsibility of safeguarding data predominantly on the configurations set by the organizations themselves.

In light of this serious situation, Salesforce has urged its Experience Cloud customers to take immediate action, especially if they utilize the guest user profile with permissions that grant public access to sensitive objects and fields. Specifically, the company recommends that these customers take proactive measures, including:

  1. Auditing Guest User Permissions: Organizations should enforce a least privilege access model, limiting guest user profiles to the "absolute minimum" objects and fields necessary for website functionality.

  2. Setting Default External Access to Private: It is essential for all objects to have their default external access configured to "private" to mitigate potential risks.

  3. Adjusting Site Settings: Customers are advised to uncheck the options allowing guest users to access public APIs and ensure "API Enabled" is unchecked in the guest user profile’s System Permissions.

  4. Disabling Unnecessary Visibility Options: By unchecking "Portal User Visibility" and "Site User Visibility" in Sharing Settings, organizations can prevent guest users from enumerating internal organization members.

  5. Disabling Self-Registration: If there is no need for unauthenticated visitors to create accounts, organizations should disable self-registration to limit exposure.

  6. Reviewing Aura Event Monitoring Logs: A careful examination of Aura Event Monitoring logs for any unusual access patterns is recommended as part of the security review process.
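As an added illustration of step 1 (not code from Salesforce or from the advisory), the following Python audit compares what a guest profile can read or write, as reported by the ObjectPermissions object, against an allowlist of objects the public site actually needs. The SOQL relationship path, the allowlist, the API version and the sample response are assumptions constructed for this example; verify them against your own org.

```python
import json
import urllib.parse
import urllib.request
from typing import Dict, List

# Objects a public site is assumed to legitimately expose to guests (constructed example).
ALLOWED_GUEST_READ = {"Knowledge__kav", "Product2"}

# Query for guest-profile object permissions. The Parent.Profile.UserType path is an
# assumption; confirm it resolves in your org before relying on it.
GUEST_PERMS_SOQL = (
    "SELECT Parent.Profile.Name, SobjectType, PermissionsRead, PermissionsCreate, "
    "PermissionsEdit, PermissionsDelete, PermissionsViewAllRecords "
    "FROM ObjectPermissions WHERE Parent.Profile.UserType = 'Guest'"
)

# Constructed sample of a query response (not real org data).
SAMPLE_RESPONSE = json.dumps({"records": [
    {"Parent": {"Profile": {"Name": "Site Guest User"}}, "SobjectType": "Contact",
     "PermissionsRead": True, "PermissionsCreate": False, "PermissionsEdit": False,
     "PermissionsDelete": False, "PermissionsViewAllRecords": True},
    {"Parent": {"Profile": {"Name": "Site Guest User"}}, "SobjectType": "Product2",
     "PermissionsRead": True, "PermissionsCreate": False, "PermissionsEdit": False,
     "PermissionsDelete": False, "PermissionsViewAllRecords": False},
    {"Parent": {"Profile": {"Name": "Site Guest User"}}, "SobjectType": "Case",
     "PermissionsRead": False, "PermissionsCreate": True, "PermissionsEdit": True,
     "PermissionsDelete": False, "PermissionsViewAllRecords": False},
]})


def fetch_guest_permissions(instance_url: str, access_token: str, api_version: str = "v60.0") -> str:
    """Run GUEST_PERMS_SOQL through the REST query endpoint and return the raw JSON body."""
    url = f"{instance_url}/services/data/{api_version}/query?q={urllib.parse.quote(GUEST_PERMS_SOQL)}"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode("utf-8")


def audit_guest_object_permissions(response_json: str, allowed_read=ALLOWED_GUEST_READ) -> List[Dict]:
    """Return one finding per object the guest profile can read (outside the allowlist) or write."""
    findings = []
    for rec in json.loads(response_json)["records"]:
        obj, profile = rec["SobjectType"], rec["Parent"]["Profile"]["Name"]
        readable = rec["PermissionsRead"] or rec["PermissionsViewAllRecords"]
        writable = rec["PermissionsCreate"] or rec["PermissionsEdit"] or rec["PermissionsDelete"]
        if readable and obj not in allowed_read:
            # View All Records bypasses sharing entirely, so it is the worst case for data exposure.
            sev = "high" if rec["PermissionsViewAllRecords"] else "medium"
            findings.append({"profile": profile, "object": obj, "issue": "guest read access", "severity": sev})
        if writable:
            # Form-style flows may need Create; still review every write permission explicitly.
            findings.append({"profile": profile, "object": obj, "issue": "guest write access", "severity": "medium"})
    return findings
```

Running `audit_guest_object_permissions(SAMPLE_RESPONSE)` flags Contact (high, View All Records) and Case (write) while leaving the allowlisted Product2 alone.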

The ShinyHunters group has a notorious history, having previously targeted Salesforce customers with multiple connected campaigns in the past year. Their repeated attacks underline the importance of vigilance and the necessity for organizations to actively manage and secure their cloud environments.

In conclusion, the announcement from Salesforce serves as a crucial reminder for organizations that utilize the Experience Cloud platform. There is an imperative need for continuous monitoring, regular audits, and proper configuration management to safeguard against potential data breaches and cyberattacks. Given the rise in sophisticated cyber threats, organizations must remain proactive in strengthening their security protocols to protect sensitive information and maintain the trust of their customers.
