B (14:36)

We're very blessed. A lot of organizations trust us to assess the security of their data and also to help them improve that, whether that be through using our software or even just meeting with us. And our whole go to market strategy is around doing what we call data risk assessments. And so as a result of that we get to zoom out and see, well, what do we see everywhere? Whether it's at a big bank or a small retail shop, or at a law firm or in fashion or in manufacturing or in defense. Like what is ubiquitous across all of those areas. And when it comes to security in the cloud, a lot of people make the same mistakes. And when we think about Salesforce, this is one of those areas where it's super common for organizations to even outsource their Salesforce to a third party provider and have either no in house Salesforce expertise or simply not even know like what it is or it's used for on the security team. And one of the things I always say back to that is, well, if there was an incident there, are you going to call the third party or are they still coming to the SOC and IR team? Right.

A (15:39)

I mean it's a really interesting conundrum, I guess I could say. Correct me if I'm wrong here, but my understanding is that there can be a lot of frustration, mystery, black magic when it comes to Salesforce in general. It can be a black box for folks and for non technical people can, can feel almost impenetrable. Am I off base there?

B (16:09)

No. And people, the Salesforce means different things to be from people. They have different products and different companies that they've bought and integrated over time. So there, there is like healthcare software that runs on Salesforce, there's order management software, there's ticket management software, there's you know, deal management software inside of Salesforce. So when you say the bigger Salesforce, it can mean a lot of different things to different people. And then unwinding how things like permissions, entitlements or permission sets, permission set groups is the sales terminology. Or even API privileges. Most people don't even know how to figure that out, let alone what it's supposed to look like. So you're spot on.

A (16:45)

Yeah, well, I mean let's talk about some of the potential vulnerabilities here before we dig into what in your research when you talked about the Shiny Hunters gang, can we still stay at the broad level and talk about some of.

B (16:59)

The potential things, the things that we found and we put out in our state of security report, for instance?

A (17:05)

Yeah, let's do it.

B (17:06)

Yeah. So one thing that we'll see a lot is that a lot of people have the ability to view and export all information. And you know, sometimes that's referred to as like godlike privileges. Right. Or these super admin like privileges. And that exists in lots of different applications. It could be in Salesforce, it could be in Box, it could be, it's less common in you know, IaaS like AWS or Google or even Azure Cloud Compute because you just don't give out those kinds of privileges. But it's pretty common in SaaS that we'll see that someone can do that. Another one is some of the apps like, I'm sure you and a lot of Your listeners use Microsoft 365, where you're able to create and share data via a link. A lot of people don't know this, but Salesforce allows you to do that too. And no one thinks about Salesforce the way that they think about Office 365, but the functionality of creating a link and sharing it to anyone on the Internet is there.

A (18:01)

So there's a lot of power under the hood that people aren't aware of. They don't know what they don't know.

B (18:09)

Yeah. And there's this bigger question about, like, posture management. So I think what ends up happening is people look at a SaaS application as being inherently scary. Social. Was that a $20 billion revenue company, like their big company? Right. They have. They have secure data centers. You can go and look at their website and see their trust information and how they take security seriously. But in this thing called the shared responsibility model, which is not pure to Salesforce, that's in any cloud provider that you do business with, you need to understand what's on you versus what's on them. And for Salesforce, they're going to secure their data centers, they're going to deliver you a secure connection to their website, but it's on you to configure your identities and your Salesforce records and attachments. Same as it would be like, let's say in Snowflake, the rows of your database and in your data lake and whether or not things are masked, these are configuration settings that are on you. And that's what makes this Shiny Hunters thing so, so interesting.

A (19:05)

And are these things specific to Salesforce or do they have their own peculiarities that present certain challenges that some of the other providers may not have? Or is this par for the course in this area?

B (19:21)

I'd actually say, I mean, yes, Salesforce has a lot of uniqueness that makes permissions management very difficult. But let's zoom out from that and talk about cloud and SaaS, posture management in general. What is the issue that Shiny Hunters is, quote, unquote, exploiting? It's not actually a vulnerability per se. It's that people are allowed to make API queries or add and authorize applications at the user level to their Salesforce data. You can also do this in Microsoft 365. You can also do this in Box and Dropbox and Google Workspace where you're allowed to add apps and connect different apps to what you do. So in this case, Shiny Hunters is, you know, targeting high profile companies they're posing to be, you know, it or security people. They're convincing people to authorize these applications into their tenants which then harvest and exfiltrate data. So when we tear that apart, there's a few things that they're getting wrong. One, that user has the ability to add these apps. That's problem number one. Two, the permissions that that user had are probably too broad. We call that Averonus a big blast radius. So that means not only did they add this app, but this bad app has the same privileges that they do. And maybe they have view all or export all or maybe they have API access with an unlimited amount of API tokens that could be in any application. Lots and lots of SaaS apps have all these features. It's just that Salesforce and just how many different ways there are to use it. People don't often know how to get to that least privilege or that small blast radius. And so things are generally open or like I mentioned before, Salesforce's uniqueness is it is very often managed by a third party and the third party is just trying to keep it running and keep your business running. They're not necessarily thinking about am I keeping you from having bleed over from one object type to another?

A (21:08)

Yeah. What about Shiny Hunters themselves? I mean for folks who may not be familiar with them, how do you describe that specific group?

B (21:15)

Yeah, there's been a lot of talk associating Shiny Hunters as like a branch or a carve out of scattered spider, which we all know has been targeting retailers and insurance companies. They've been like the hottest threat actor on the scene this summer. I even spoke about them in my RSI say talk for instance. And what's happening is they're using social engineering in order to impersonate IT people or help desk people. Now the methods that they use are changing for apps. What got Google was they got someone to authorize a malicious application like a data loader. Right. And then they exfiltrated data. But they're also doing things like getting into someone's okta or getting into someone's office365 or getting into their snowflake or getting into their servicenow. Like there's other applications that get targeted because ultimately when you compromise an identity and you assume control over an identity, the way that authentication works on the Internet is you have a lot of single sign on I'm sure, like in like yourself and your listeners, when you click on a website, you don't log in every time the credentials are cached. It auto passes the token that you already have and you log into that website. Well, when an attacker compromises you or they compromise your device, they get to do that same thing. They get to log in as you everywhere. And that's what makes, you know, Scattered Spider and Shiny Hunter so successful, is they are simply targeting users and they are getting users to do things with a big blast radius that leads to a data breach. They are exploiting that user having too much access or having misconfigured API credentials or having the ability to authorize applications on their tenant. And so it's actually quite novel versus quite sophisticated. That's the success behind their campaign is that what they're doing is novel and they're targeting large companies with lots of entry points.

A (23:02)

Is there a sense that Shiny Hunters is specifically targeting organizations that are using Salesforce?

B (23:09)

I mean they've had a lot of success there, but a lot of the threat intelligence is tying them to kind of a branch out of Scattered Spider who just seems to be shifting industries and shifting applications to target. So I think it's a target rich environment and when the Eye of Sauron moves, it's successful. Right. So they've shifted industries a few times, they've shifted regions. They started in the UK for instance. I don't know if you remember all the grocery stores that were compromised in the UK earlier this summer, which I talked about on my podcast, State of Cybercrime. But there's, there seem to be, like I said, the Eye of Sauron seems to be shifting to different places and it looks like right now it's focused on Salesforce and very large companies. I mean, Google being a massive, massive company.

A (23:50)

Yeah. What do you make of Shiny Hunter's success with social engineering, of that being kind of in my mind the core of their success?

B (24:02)

Yeah, it's 2025. We, we our users and you know, identities being compromised. It's still the most likely way that we're going to have a data breach. And it's still one of the hardest things to defend against. Can we really blame them? You know, yes, security awareness can help, but I think anybody could be fooled, even the security researcher can be fooled by a well crafted ruse. And so I think this really highlights the need for what people would call zero trust or against low blast radius. Having detective controls and responsive controls, being able to know what happened when a breach happens, being able to respond to it quickly because the bigger the company you are, the bigger the amount, number of entry points that there are going to be shiny arms. Also, to find one weak linker, as I always like to say, an attacker only has to find one weakness to get in. And you as a security practitioner have to replace, have to do 100% right, 100% of the time. And as, as things get larger and more complex, that just makes the job harder. So we're in a time where the attackers have an upper hand.

A (25:05)

Well, let's talk about protecting yourself against these sorts of things. Can we, can we start with low hanging fruit? I mean, are there common things that people can do to just, you know, make, make the other people in the neighborhood maybe a little more attractive than them?

B (25:20)

Yeah, limit, like disable or limit the ability to share stuff via a link on the Internet to anyone in the public. Turn it off. Turn off the ability for your users to add applications to their tenants. Like what's the use case? Shouldn't that have to go through it anyway? Like, don't you. All the companies that allow this, we often find have very rigorous change control processes and very rigorous like application vetting processes. But yet when it comes to Salesforce or it comes to their Google workspace, they allow users to add apps. They wouldn't do that on your laptop. Why allow that same thing in a SaaS application? So I think it's about taking a lot of the security basics and extending them to your SaaS apps and to your cloud environments. It's these simple best practices. And then of course, you know, like give people access to just what they need to do their job and apply that principle everywhere, Take that little bit of extra time to do security the right way. And when these incidents happen, the damage will be very small, the liability will be capped. It won't be a, you know, a big massive data breach that could be reputation damaging or even like cripple your company's business or ability to do operations.

A (26:24)

What are some of the more sophisticated things that people can do to prevent these kinds of attacks?

B (26:29)

Yeah, I think on the preventative side, you can restrict connected app permissions in Salesforce, maybe only read only and maybe only to certain things. You can apply IP based logging controls. So like maybe people can only get to these apps if they're on your VPN as opposed to meaning they need to not only compromise an identity but also compromise a device. Right. So think about like the multifactor authentication. Multi factor authentication is another good one. And also make sure that like for Salesforce, for instance, that you're deploying Salesforce Shield and having some type of behavioral analytics run on top of that, that you're monitoring authentications and looking for compromised identities, like, you know, behavioral analytics or you know, taking like a detection strategy because you're not going to be able to prevent anything. But what you can't prevent, you can probably detect. And if you can't detect it, then you can at least limit the impact of what happens or you can react quickly. And so if you think you have that mindset of I'm going to prevent it, if I can't prevent it, I'm going to detect it, if I can't detect it, I'm going to respond to it judiciously like you're doing everything again. And so if you've got an enterprise app that your business runs on and you don't have a plan to do those three things, probably start there.

A (27:33)

I'm curious about something you touched on, which is that organizations who are otherwise secure, you know, organizations who would not allow their users to just install apps on their laptop, for example, seem to have this blind spot when it comes to Salesforce. Where do you suppose that comes from? What would generate that, that kind of oversight?

B (27:55)

Yeah, Salesforce is often not purchased by it. Salesforce does a tremendous job like hats off to their sales team at selling into like the head of sales, the CEO, the cfo. And so as a result of that, it often bypasses a lot of the standard software onboarding. And when you do a move from like another CRM to a Salesforce, it's a humongous project. And again, oftentimes run by a third party and you know, people, there's everyone's squeezing the budget or they want things to be done faster and security is usually the first thing to get overlooked. Or it's simply not in the wheelhouse of the third party provider that you hired to set up your Salesforce because of that shared responsibility model.

A (28:34)

Suppose I have a third party provider. I mean, what kind of questions should I be asking them?

B (28:39)

Can people in my Salesforce share data via links? Can users connect via API? Can users view and export all? How many super admins do I have? Can users add connected apps into their Salesforce? Is multi factor authentication set up? Is IP based logon restrictions set up? What public sites do I have available? And if everything I'm saying sounds very overwhelming, you could go to varonis.com and ask for a free Salesforce data risk assessment. Us about 15 minutes to get connected to your salesforce and answer all those questions for you with no obligation to move forward. But there are a lot of lot of ways that you could also assess it yourself if that's you know above and beyond what your ability to influence things in your organization is.

A (29:26)

That's Matt Radelec, VP of incident response, Cloud operations and Sales engineering at Veronica and now a word from our sponsor, Threat Locker, the powerful Zero Trust enterprise solution that stops ransomware in its tracks. Allow Listing is a deny by default software that makes application control simple and fast. Ring Fencing is an application control containment strategy, ensuring apps can only access the files, registry keys, network resources and other applications they truly need to function. Shut out cybercriminals with world class endpoint protection from Threat Locker. And finally, Microsoft's co pilot is supposed to make life easier. Summarize a file here, draft an email there. But it also came with a curious trick. It could fetch files without leaving any record in the audit log. For security teams and compliance officers, that's not a feature, that's a horror movie. Researcher Zach Korman found the flaw and responsibly reported it, only to discover that Microsoft's bug handling process was frustratingly opaque. The company quietly patched the issue, labeling it important rather than critical, and decided no CVE or public disclosure was necessary. For organizations bound by HIPAA or other regulations, that could be a major problem. For everyone else, it's a reminder that Copilot may be clever, but Microsoft's communication strategy could use some debugging of its own. And that's the Cyberwire. For links to all of today's stories, check out our daily briefing@thecyberwire.com we'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting insights through the end of August. There's a link in the show notes. Please take a minute and check it out. N2K senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

B (32:22)

Sa.