Current Cyber Threats

New Gainsight Supply Chain Hack Could Affect Salesforce Customers

Summary:
Salesforce issued an alert on November 20, warning that it had identified unusual activity involving Gainsight-published applications connected to Salesforce. This prompted Salesforce to revoke access to all Gainsight applications and temporarily remove them from its AppExchange. Salesforce assessed that malicious activity may have enabled unauthorized access to its customers’ data through the app’s connection.

This latest incident could have affected Salesforce customer data three months after the Salesloft Drift hack. “There is no indication that this issue resulted from any vulnerability in the Salesforce platform. The activity appears to be related to the app’s external connection to Salesforce,” the Salesforce advisory reads.

Gainsight also disabled its connections with Hubspot and Zendesk as a precautionary measure. In a later update, the customer support provider said it had engaged Google Cloud-owned Mandiant to assist in the forensic investigation.

Security Officer Comments:
On a dark web forum (reported by DataBreaches[.]net), the Scattered Spider/ShinyHunters/Lapsus$ collective claimed responsibility for the latest attack on Gainsight. The threat actors said they plan to launch another dedicated leak site if Salesforce does not comply with their demands. According to the threat actor, this data leak site will contain the data from both the Salesloft and Gainsight campaigns, which they claim covers almost 1000 companies in total. Additionally, the group advertised an upcoming ransomware-as-a-service (RaaS) offering, allegedly launching on November 24.

Suggested Corrections:
The core vulnerability, according to the security advisory and expert commentary, lies in the use of stolen OAuth tokens and over-permissioned applications used by an integrated vendor to connect to a primary platform (Salesforce).

Since Salesforce and Gainsight have already taken internal actions, the following mitigations are steps that Salesforce customers and any organization relying on third-party SaaS integrations should take to protect themselves:

  • Revoke and Re-Authorize Access: Immediately audit and manually revoke all active OAuth tokens and security access granted to the affected Gainsight applications (like the SFDC Connector) within your Salesforce environment.
  • Enforce Principle of Least Privilege: Review the scope of permissions for all third-party SaaS integration apps. Limit them to the minimum necessary data and functionality required for the app to operate.
  • Implement Token and Session Monitoring: Deploy monitoring tools to track and alert on unusual activity related to third-party app access, such as access from unexpected IP addresses or unusual data export volumes.
  • Rotate Sensitive Credentials: Schedule the regular rotation and expiration of all long-lived access tokens, API keys, and credentials used by third-party applications.
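The monitoring recommendation above, as an added example that is not part of the original bulletin: a small Python check run over constructed sample records loosely modelled on Salesforce API event logs (field names, the connected-app name, IP ranges and the volume threshold are assumptions for this example), flagging third-party app access from outside an expected source range and daily export volumes above a threshold.

```python
import csv
import io
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample records, loosely modelled on Salesforce API event logs.
# Field names are assumptions for this example, not an exact vendor schema.
SAMPLE_LOG = """\
timestamp,connected_app,user,client_ip,rows_processed
2025-11-19T08:01:00Z,Gainsight SFDC Connector,integ@example.com,203.0.113.10,500
2025-11-19T08:05:00Z,Gainsight SFDC Connector,integ@example.com,203.0.113.10,800
2025-11-19T23:40:00Z,Gainsight SFDC Connector,integ@example.com,198.51.100.77,25000
2025-11-19T23:41:00Z,Gainsight SFDC Connector,integ@example.com,198.51.100.77,30000
2025-11-19T09:00:00Z,Internal Reporting,analyst@example.com,10.0.0.5,200
"""

# Per-app allowlist of expected source ranges (constructed values).
EXPECTED_SOURCES = {
    "Gainsight SFDC Connector": [ip_network("203.0.113.0/24")],
    "Internal Reporting": [ip_network("10.0.0.0/8")],
}
ROWS_PER_DAY_THRESHOLD = 20000


def analyse(log_text, expected=EXPECTED_SOURCES, threshold=ROWS_PER_DAY_THRESHOLD):
    """Return a list of (rule, app, detail) alerts for third-party app access."""
    alerts = []
    seen_sources = set()
    daily_rows = defaultdict(int)
    for row in csv.DictReader(io.StringIO(log_text)):
        app, ip = row["connected_app"], ip_address(row["client_ip"])
        # Rule 1: access from a source outside the app's expected ranges
        # (reported once per app/source pair to avoid duplicate alerts).
        if not any(ip in net for net in expected.get(app, [])):
            if (app, ip) not in seen_sources:
                seen_sources.add((app, ip))
                alerts.append(("unexpected_source", app, str(ip)))
        # Accumulate rows processed per app per day for the volume rule.
        day = row["timestamp"][:10]
        daily_rows[(app, day)] += int(row["rows_processed"])
    # Rule 2: daily data volume above the threshold for one app.
    for (app, day), rows in daily_rows.items():
        if rows > threshold:
            alerts.append(("export_volume", app, f"{day}:{rows}"))
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

In a real deployment the allowlist would come from the vendor's published egress ranges and the threshold from a baseline of the app's normal daily volume.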

Link(s):
https://status.salesforce.com/generalmessages/20000233