Date: 2025-08-27
The UNC6395 threat operation pilfered OAuth tokens belonging to the third-party artificial intelligence chat agent Salesloft Drift and used them to exfiltrate troves of information from over 700 organizations using Salesforce systems, as part of an attack campaign that ran from August 8 to 18, according to CyberScoop.
UNC6395 used the Salesloft token to infiltrate Drift-linked organization tokens, then exploited Salesforce tokens to exfiltrate Amazon Web Services access keys, Snowflake credentials, and VPN passwords, an analysis from the Google Threat Intelligence Group revealed. Both Salesloft and Salesforce have noted limited impact from the attacks, which concluded after access revocation on August 20. Salesforce attributed the intrusion to the compromise of the app's connection and not to a core platform issue. AppOmni Chief Security Officer Cory Michal noted that the campaign exhibited elevated levels of discipline from the threat actors. "The attacker methodically queried and exported data across many environments... The combination of scale, focus and tradecraft makes this campaign stand out," Michal added.
