
Palo Alto Networks Also Compromised via Salesforce and Drift
Antonio Piazzolla : 2 September 2025 22:27
In early September 2025, Palo Alto Networks confirmed it had been the victim of a data breach. The compromise did not affect its products or services; it affected internally used Salesforce instances, reached through their integration with the third-party Salesloft Drift application. The incident is part of a broader supply chain campaign carried out in August 2025 and demonstrates once again that SaaS integrations can be a significant weakness.
Between August 8 and 18, 2025, a threat actor tracked by Google as UNC6395 used OAuth tokens stolen from the Drift application. An OAuth access token is presented in place of a login, so it granted access to the connected Salesforce instances without any further authentication step, and that paved the way for the exfiltration of sensitive data.
Technically, the attack relied on:
- Reusable OAuth tokens: once stolen, the tokens gave direct access to the Salesforce API without triggering any further authentication challenge, including MFA, which only applies at interactive login.
- Excessive permissions: the scopes granted to Drift were broad, including access to custom fields and support cases, which enlarged the surface of exfiltrable data.
- Query automation: Python tooling ran bulk SOQL queries through the Salesforce API, tuned to extract contact, internal note, and case data at scale.
- Anti-forensics: the actor deleted the query jobs it had created to reduce the visible trail of its activity. The underlying Salesforce event logs were not removed, so they remain the primary source for scoping what was read.
Compromised Data
According to Palo Alto Networks, the stolen data primarily includes:
- Company contact information (names, emails, phone numbers);
- Internal sales data (leads, opportunities, pipelines);
- Basic support information (support cases, ticket notes).
The greatest risk comes from the fact that support tickets may contain operational secrets such as:
- API keys or temporary credentials shared with customers;
- Internal URLs or public IPs of production systems;
- Information on network architectures (e.g., firewall configurations, VPN);
- References to cloud integrations such as AWS and Snowflake.
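Because the secrets listed above sit in free-text ticket fields, the first triage step after such a breach is to find them so they can be rotated. The following scanner is an added example and is not code from the article, Palo Alto Networks or Unit 42. The ticket notes are constructed: the AWS values are the placeholder keys AWS publishes in its documentation, every other host, key and password is invented, and the patterns are deliberately broad for the formats that have no public structure, so the output is a worklist to triage rather than a verdict.

```python
"""Scan support-ticket text for secrets that must be rotated after a CRM breach.

Added example: not code from the original article or from Palo Alto Networks or
Unit 42. The ticket notes are constructed; the AWS values are the placeholder
keys AWS publishes in its documentation, and every other identifier is invented.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Narrow patterns where a format is public (AWS access key IDs are AKIA/ASIA plus
# 16 upper-case alphanumerics), broad ones where it is not (generic "password=",
# "token=" assignments), so expect to triage the hits. Trailing punctuation glued
# to a value is captured too; the rotation decision does not depend on it.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*([A-Za-z0-9/+=]{40})"),
    "generic_credential": re.compile(r"(?i)\b(?:password|passwd|pwd|token|api[_-]?key)\s*[=:]\s*(\S{8,})"),
    "private_ipv4": re.compile(
        r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
        r"|192\.168\.\d{1,3}\.\d{1,3}"
        r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b"),
    "internal_url": re.compile(r"https?://[A-Za-z0-9.-]+\.(?:internal|corp|local|lan)\b[^\s;,]*"),
    "snowflake_account": re.compile(r"\b[A-Za-z0-9-]+\.snowflakecomputing\.com\b"),
}
# Kinds that are credentials and therefore go on the rotation worklist. IPs and
# URLs are architectural exposure: tracked, but not something you can rotate.
CREDENTIAL_KINDS = {"aws_access_key_id", "aws_secret_access_key", "generic_credential"}


@dataclass(frozen=True)
class Finding:
    ticket_id: str
    kind: str
    value: str  # redacted; the full secret is never stored or logged


def redact(value: str) -> str:
    """Keep the first and last four characters so an owner can recognise the key."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_ticket(ticket_id: str, text: str) -> list[Finding]:
    findings: list[Finding] = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            raw = m.group(1) if m.groups() else m.group(0)
            findings.append(Finding(ticket_id, kind, redact(raw)))
    return findings


def scan_tickets(tickets: dict[str, str]) -> list[Finding]:
    return [f for tid, text in tickets.items() for f in scan_ticket(tid, text)]


def rotation_worklist(findings: list[Finding]) -> dict[str, list[str]]:
    """Map each credential kind to the sorted ticket ids where it appeared."""
    work: dict[str, set[str]] = defaultdict(set)
    for f in findings:
        if f.kind in CREDENTIAL_KINDS:
            work[f.kind].add(f.ticket_id)
    return {kind: sorted(ids) for kind, ids in work.items()}


# Constructed sample tickets (no real accounts, hosts or secrets).
SAMPLE_TICKETS = {
    "CASE-0001": "Firewall log export to S3 fails. Temporary creds shared for the test: "
                 "AKIAIOSFODNN7EXAMPLE with aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "CASE-0002": "VPN concentrator at 10.20.30.40 unreachable from https://vpn-admin.corp.internal/login; "
                 "console login uses password=Winter2025!Rotate until the new admin is provisioned",
    "CASE-0003": "Snowflake load job failing for acme-prod.snowflakecomputing.com; "
                 "token=sf_0123456789abcdef expires in one hour",
    "CASE-0004": "Customer asks about licence renewal dates. No technical content.",
}

if __name__ == "__main__":
    found = scan_tickets(SAMPLE_TICKETS)
    for f in found:
        print(f"{f.ticket_id}  {f.kind:<22} {f.value}")
    print("rotate:", rotation_worklist(found))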
Palo Alto Networks’ Response
Once the suspicious activity was identified, Palo Alto Networks:
- Immediately disconnected Drift from the Salesforce environment;
- Initiated an internal investigation with the support of the Unit 42 team;
- Notified a small number of potentially more exposed customers;
- Shared defensive guidelines with the community.
Salesloft and Salesforce responded by revoking the Drift app’s active OAuth tokens and temporarily removing the app from the AppExchange.
Operational Recommendations
Unit 42 and several security analysts have suggested immediate technical countermeasures:
- Revoke and reissue the OAuth tokens (access and refresh tokens) of all Salesforce integrations, not only Drift.
- Restrict the OAuth scopes granted to third-party apps to the minimum the integration actually needs; an app that only reads contacts should not hold access to Case records or custom fields.
- Monitor SOQL queries to detect bulk extractions that no business process explains, such as full reads of Contact or Case objects by an integration user.
- Enable advanced logging and forward the logs to an external system, so that an attacker who cleans up inside Salesforce cannot erase the record.
- Segment access: restrict user and integration logins to known IP ranges (Salesforce supports login IP ranges per profile) or route SaaS access through controlled proxies.
- Rotate any credentials exposed in support tickets (e.g., AWS keys, Snowflake tokens, VPN credentials).
Possible attack scenarios
Data exfiltration from Salesforce isn’t an end point, but a springboard for more serious activities. The most likely scenarios include:
- Reuse of stolen credentials against other environments: if credentials found in the data (AWS, VPN, Snowflake) are not revoked immediately, attackers can use them to reach critical infrastructure directly.
- Targeted spear phishing: Using contact data and ticket information, it is possible to build highly personalized and difficult-to-detect phishing campaigns.
- Lateral movement: using the architectural details found in support cases, attackers can plan lateral movement toward internal environments.
- Persistent access: Any stolen API keys could be used to establish backdoors in cloud services, maintaining access even after initial remediation.
- Extortion and reputational damage: Threatening the publication of stolen data to extort money or damage the company’s reputation.
The Palo Alto Networks case demonstrates how a supply chain attack can have significant impacts even on leading cybersecurity companies. The weak link, in this case, wasn’t a core product, but a seemingly innocuous SaaS integration.
The key lesson is clear: every third-party application connected to critical systems should be treated as a potential entry point. Least privilege on OAuth scopes, log analysis in an external system, and routine rotation of sensitive credentials are becoming essential elements for reducing the attack surface.
In a context where supply chain attacks are becoming increasingly targeted and sophisticated, resilience requires focusing not only on core products, but also on all the integrations and application dependencies that exist within the corporate ecosystem.
Antonio Piazzolla, IT Infrastructure & Security Manager with more than 20 years of experience in complex business environments. In the Casillo Group, he deals with business continuity, security and innovation. Microsoft, VMware, Cisco and ITIL certified.