Transcript
A (0:04)
Hey, everyone, and welcome to Seriously Risky Business. My name is Amberly Jack, and this is the podcast here at Risky Biz, all about cybersecurity policy and intelligence. And in just a moment, I will bring in Tom Uren, our policy and intelligence editor. But first up, I would like to thank the William and Flora Hewlett Foundation for supporting Tom's work here at Risky Biz, and also Lawfare, who syndicate his newsletter and publish it on the Lawfare Media website. And finally, we do have a corporate sponsor this week, Trail of Bits. So big thanks to them for that. And Tom, g'day.
B (0:34)
G'day.
A (0:34)
Thank you for joining me.
B (0:36)
G'day, Amberly. How are you?
A (0:38)
Pretty good, thanks, Tom. I've just been reading through your newsletter here and I'm really keen to talk to you about the Salesloft Drift breach. You've given a bit of a rundown on what's happened in the newsletter, and you've said there that this is a great case study of the kind of sprawling impact that a breach on a single service provider can have. And I think you even said in the newsletter, single impact, but massive blast radius. So I guess to start with, Tom, what's the big deal here? Why is this a great case study, and what is the story here?
B (1:13)
Yeah, yeah. So I think over the last little while, I've noticed that there's this trend where it's not hacking a device and then, as you traditionally would, pivoting to other places within the network, escalating to get higher privileges, getting to control the whole network. That's traditional hacking that cybercriminals or states would do. This is much more: let's get an authentication token and just use the authorities or privileges that that token has to move through the network. So there's no compromise of boxes, there's no exploits, there's none of that. And that's been going on for a while. But this has turned into a great case study because there are so many affected third parties. Usually what happens in this type of incident is that there's a single company that's most directly affected, and they very rarely go through the nuts and bolts of what actually went on. So the story here is that Salesloft Drift is an AI chat agent, and it's often integrated into Salesforce, which many companies use. And this week we learned the way that the attacker in this broader breach, which I'll talk about a bit more, got in: first of all, they compromised Salesloft's GitHub. Salesloft said that they were somehow able to move from their GitHub account into their AWS environment, and they were able to get some sort of authentication token. And with that they were able to compromise all of the Salesloft customers who'd integrated Salesloft Drift into their Salesforce. So the chain is GitHub, Salesloft AWS environment, and then to all of Salesloft Drift's customers who'd integrated it. And so that meant that they had access to, as a Google incident response person who's handling incident response for Salesloft said, potentially hundreds of companies. And now what makes this interesting is that, as I said, usually when it's a single company they're pretty tight-lipped about what actually went on.
In this case, one of the affected companies was Cloudflare, and they've produced quite a detailed blog post about the exact goings-on and what the threat actor in this case did. And so now we have the whole incident laid out, not entirely laid out, but we've got a good overview of the whole incident from GitHub through to what they did at the compromised customers' Salesforce instances. So Cloudflare says that they spent quite a bit of time, several days, enumerating what was available, how Cloudflare managed their customer interactions, like the processes involved, how much data was there, what data was available. They even talk about exploring the API limits, so the limits where if the threat actor tried to gobble too much data, they would get pinged. So this actually sounds like quite a carefully carried-out operation. It wasn't just smash and grab and get everything. The threat actor understood Cloudflare's Salesforce environment and then sucked up all the data it could as quickly as it could, understanding those rate limits so that it didn't get pinged immediately. And it turns out that it was able to get what are called customer case objects. It's kind of analogous to an email, so it included the subject line, the text that customers and Cloudflare had shared back and forth, the sort of communications, but it didn't include files or attachments. Now in those communications Cloudflare said that it found 104 API keys. So in the course of normal discussion with their customers, people had shared, you'd call them secrets or authentication tokens, that could allow the threat actor to do something else. Possession of those would give the threat actor some ability to do something somewhere else. So we've gone from the compromise of Salesloft's GitHub to potentially the compromise of all sorts of different things.
So depending upon the company that's affected, it could have who knows what, like, you know, depending upon what they talk to their customers about and what customers paste into that chat. So it could be, you know, passwords, AWS keys, who knows? So it's become potentially very, very broad, quite unscoped. Like, it's hard to know how that would flow, because there would be some customers where they never talk about that sort of stuff, and so, you know, no keys, no passwords, that's okay. And other companies where maybe Salesforce is used to handle that material all the time. And so I thought this was just a classic example, because Cloudflare and Salesloft have more or less revealed enough detail that we've got this good picture, that it felt like a case study that was worth writing about.
