Identity

ShinyHunters group exploits OAuth trust, prompting Microsoft security upgrades

Tech Radar reports that the ShinyHunters cybercrime group has developed a sophisticated method to breach corporate Salesforce environments by exploiting OAuth trust, leading Microsoft to implement new security upgrades.

The ShinyHunters group targeted Salesforce users by tricking them into authorizing a malicious Salesforce Data Loader application, which then requested OAuth permissions. This allowed attackers to access Salesforce data through legitimate APIs, making their activity appear normal. Reports suggest up to 700 victims were affected over a year-long campaign. The attackers evolved their tactics by compromising third-party SaaS providers integrated with Salesforce, such as Salesloft's Drift integration, Gainsight, and Klue. By stealing OAuth tokens or integration secrets from these vendors, ShinyHunters gained access to hundreds of downstream customer Salesforce environments without direct interaction.

Microsoft has responded by enhancing Microsoft Defender for Cloud Apps with richer telemetry for near-real-time detection and improved governance over OAuth-connected applications. These upgrades aim to provide better visibility into connected applications, detect suspicious API and OAuth behavior, and strengthen the management of connected apps through permission analysis and risk scoring. Microsoft emphasized that the attacks did not exploit a Salesforce vulnerability but rather abused trusted OAuth relationships.

Source: Tech Radar

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds