Red Hot Cyber, The cybersecurity news

Red Hot Cyber

Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
Select language
Spanish Italian
Search

UNC6395 campaign aims to exfiltrate Salesforce data via compromised OAuth tokens

Redazione RHC : 27 August 2025 12:58

A sophisticated data exfiltration campaign targeting companies’ Salesforce instances was conducted, resulting in the exposure of sensitive information from several organizations. This occurred through compromised OAuth tokens associated with the third-party Salesloft Drift application.

The threat actor, identified as UNC6395, collected credentials and sensitive data between August 8 and August 18, 2025. This demonstrated significant knowledge of operational security procedures, as SOQL queries were run against multiple Salesforce objects.

UNC6395 ran systematic Salesforce Object Query Language (SOQL) queries to enumerate and extract data from critical Salesforce objects, including cases, accounts, users, and opportunities. The report comes from Google Threat Intelligence Group that the threat actor used compromised OAuth access tokens and refresh tokens from the Salesloft Drift application to authenticate to the targeted Salesforce instances.

Salesloft stated that the attacker specifically targeted AWS access keys (AKIA identifiers), passwords, Snowflake credentials, and other Sensitive authentication materials stored in custom fields and standard Salesforce objects.

UNC6395 leveraged legitimate OAuth authentication mechanisms to gain unauthorized access, bypassing traditional security controls and making detection particularly difficult for affected organizations.

Salesforce and Salesloft responded by revoking all active OAuth tokens associated with the Drift application on August 20, 2025, effectively terminating the attack vector. Post-exfiltration analysis revealed that the actor searched the extracted data for patterns matching credential formats, indicating a primary goal of credential harvesting rather than traditional data theft.

This attack vector leverages the OAuth 2.0 authorization framework, which allows third-party applications to access Salesforce data without directly exposing user credentials. The actor demonstrated technical sophistication by running COUNT queries to assess data volumes before exfiltration:

The Drift application was subsequently removed from the Salesforce AppExchange pending a full security review.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.

Lista degli articoli