Red Hot Cyber

Zscaler Data Breach: Lessons Learned About the Evolution of SaaS Threats

Ada Spinelli : 2 September 2025 11:45

Zscaler’s recent confirmation of a data breach resulting from a supply chain attack provides a case study in the evolution of threats against complex SaaS ecosystems. The attack, attributed to the APT group UNC6395, exploited weaknesses in the handling of OAuth credentials and in the API trust model that underpins integrations between third-party applications and cloud platforms.

According to initial analysis, the entry point was the abuse of the Salesloft Drift-Salesforce integration. The actor exfiltrated valid OAuth tokens, allowing direct access to Salesforce endpoints without having to interact with traditional authentication systems (e.g., MFA or session cookies).

This vector exploits an inherent weakness in the OAuth protocol: bearer tokens. A bearer token, if stolen, grants full access until its expiration, regardless of the context in which it is used. Once the OAuth bearer token is obtained (e.g., through log theft, memory dumps, or interception), it can be reused in another session, from another device, or from another network, without needing to know the password or pass multi-factor authentication. In practice, the stolen token becomes a “valid passport” until it expires.

The attackers then ran automated enumeration with Python scripts, issuing bulk queries to the Salesforce APIs and obtaining datasets containing emails, phone numbers, and other business contact information.

TTP Analysis

  • Initial Access: Exploitation of SaaS integration (Salesloft Drift → Salesforce).
  • Credential Access: Exfiltration of OAuth tokens through targeted attacks on logs or compromised CI/CD environments.
  • Defense Evasion: Use of valid tokens to avoid alerts about anomalous logins or failed MFA attempts.
  • Collection: Mass scraping via Python script (an indicator of automation and established infrastructure).
  • Exfiltration: Moving datasets to C2 infrastructure, likely deployed on legitimate cloud providers so that the traffic blends in with normal cloud activity.

This approach demonstrates a high level of operational maturity, with a clear focus on stealthy persistence and on blending into SaaS operational noise.
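As an added defender-side example (not code from the article, Zscaler or Salesforce), the detection logic these TTPs imply: a replayed bearer token produces no failed logins or MFA prompts, so the usable signals are in the API audit trail, namely a token appearing from a network it was never used from, a request burst, and bulk result sets. The event schema and the sample events are constructed; real Salesforce event logs use different field names.

```python
from collections import defaultdict, deque

# Constructed sample API audit events; the schema is assumed, not Salesforce's:
# (timestamp_seconds, token_id, source_ip, api_operation, rows_returned)
SAMPLE_EVENTS = (
    # baseline: the integration queries every two minutes, same IP, small pages
    [(t * 120, "tok-A", "10.0.0.5", "query", 20) for t in range(5)]
    # the same valid token replayed from a new network as a burst of bulk queries
    + [(1000 + t, "tok-A", "198.51.100.7", "queryAll", 2000) for t in range(60)]
)

def detect_token_abuse(events, window=60, max_requests=30, bulk_rows=1000):
    """Scan events in time order and return (token_id, signal, detail) alerts
    for three things a replayed bearer token leaves in the API audit trail:
    a source IP never seen for that token, a request burst inside a sliding
    window, and bulk result sets. Each signal fires once per token."""
    alerts = []
    known_ips = defaultdict(set)    # token -> source IPs seen so far
    recent = defaultdict(deque)     # token -> timestamps inside the window
    fired = set()                   # (token, signal) pairs already raised

    def raise_once(token, signal, detail):
        if (token, signal) not in fired:
            fired.add((token, signal))
            alerts.append((token, signal, detail))

    for ts, token, ip, op, rows in sorted(events):
        # 1) context change: a token tied to one network suddenly used elsewhere
        if known_ips[token] and ip not in known_ips[token]:
            raise_once(token, "new_source_ip", ip)
        known_ips[token].add(ip)
        # 2) rate spike: count requests in the trailing window
        q = recent[token]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) > max_requests:
            raise_once(token, "rate_spike", f"{len(q)} requests in {window}s")
        # 3) bulk collection: operations returning far more rows than usual
        if rows >= bulk_rows:
            raise_once(token, "bulk_query", f"{op} returned {rows} rows")
    return alerts

if __name__ == "__main__":
    for alert in detect_token_abuse(SAMPLE_EVENTS):
        print(alert)
```

The thresholds are placeholders; in practice they are derived from each integration's own baseline, and the per-token IP set would be persisted rather than rebuilt on every run.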

Zscaler confirmed that the compromise was limited to the Salesforce environment and did not reach core security systems. The exfiltrated data included business contact information, with no direct impact on network infrastructure or SASE services, and no manipulation of configurations or executable code was detected.

However, even seemingly “low-impact” data can provide a privileged basis for future spear-phishing operations against customers and partners, exploiting trust in the Zscaler brand.

Architectural Considerations: Weaknesses of the SaaS Model

This incident confirms known but often overlooked critical issues:

  • OAuth tokens as a single point of failure: Without rapid rotation mechanisms, rigorous scoping, and contextual binding, they become equivalent to static credentials.
  • API Exposure: SaaS platforms exposed via APIs often lack granular rate-limiting and anomaly detection, facilitating large-scale scraping.
  • Third-Party Trust: Each integrated application expands the risk perimeter; the security posture of the entire ecosystem depends on its weakest link.
  • Visibility Gaps: OAuth logs and API audit trails are not always properly centralized in SIEM, reducing detection capabilities.

Technical Mitigations and Best Practices

  • Token hardening: Implementation of PKCE (Proof Key for Code Exchange) and token binding to reduce replay risk.
  • Aggressive rotation: Short-lived tokens, with refresh managed via secure channels.
  • Scope minimization: Limit token privileges to the minimum necessary (least privilege principle).
  • API monitoring: Anomalies in API calls (e.g., request spikes, massive queries) must trigger real-time alerts.
  • Zero Trust enforcement: Even for internal and SaaS applications, each access must be dynamically verified based on context.
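As an added example (not from the article), the PKCE step of the first mitigation above, implemented per RFC 7636 with the S256 method on both the client side and the authorization-server side. PKCE binds the authorization-code exchange to the client that started it and so stops an intercepted code from being redeemed; it does not by itself stop replay of an already-issued bearer token, which is why the article pairs it with token binding, short lifetimes and scope reduction. The code identifier and the server-side store in the demo are constructed.

```python
import base64
import hashlib
import hmac
import secrets

def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_code_verifier(nbytes: int = 32) -> str:
    """Client side: high-entropy secret kept in memory only.
    32 random bytes encode to 43 characters, the RFC's minimum length."""
    return b64url(secrets.token_bytes(nbytes))

def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier))). Only this value
    travels in the authorization request, so interception reveals no secret."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def verify_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    """Authorization server, token endpoint: recompute S256 over the verifier
    presented with the code and compare in constant time. Verifiers outside
    the RFC's 43..128 character range are rejected outright."""
    if not 43 <= len(presented_verifier) <= 128:
        return False
    return hmac.compare_digest(make_code_challenge(presented_verifier),
                               stored_challenge)

def demo_flow():
    """Constructed end-to-end illustration. The client sends only the
    challenge; the server stores it against the issued code. Redeeming the
    code requires the verifier, which a party that intercepted only the
    code cannot produce. Returns (legitimate_ok, intercepted_code_ok)."""
    verifier = make_code_verifier()
    issued = {"code-XYZ": make_code_challenge(verifier)}  # constructed store
    legit = verify_pkce(issued["code-XYZ"], verifier)
    intercepted = verify_pkce(issued["code-XYZ"], make_code_verifier())
    return legit, intercepted

if __name__ == "__main__":
    print(demo_flow())
```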

Conclusions

The attack on Zscaler is not just an isolated incident, but a wake-up call for the entire industry. SaaS architectures, by their interconnected nature, erode the traditional concept of the perimeter. In this scenario, resilience depends on the ability to proactively manage tokens, API exposure, and third-party integrations.

The Zscaler case demonstrates that even global security players are not immune to supply chain vulnerabilities. The future of cloud security requires a paradigm shift: treating every integration as a potential threat vector and applying security controls by design to every layer of the digital supply chain.

Ada Spinelli
Ada Spinelli, Cyber Threat Intelligence Analyst at Maticmind. Graduating in Computer Engineering at the Federico II University, member of the Dark Lab at Red Hot Cyber, passionate about APT tracking, malware analysis and cybercrime underground.