credential theft

google-warns-that-mass-data-theft-hitting-salesloft-ai-agent-has-grown-bigger

Google warns that mass data theft hitting Salesloft AI agent has grown bigger

AI, Biz & IT, chat agents, credential theft, Salesforce, salesloft drift, Security / /

Google is advising users of the Salesloft Drift AI chat agent to consider all security tokens connected to the platform compromised following the discovery that unknown attackers used some of the credentials to access email from Google Workspace accounts.

In response, Google has revoked the tokens that were used in the breaches and disabled integration between the Salesloft Drift agent and all Workspace accounts as it investigates further. The company has also notified all affected account holders of the compromise.

Scope expanded

The discovery, reported Thursday in an advisory update, indicates that a Salesloft Drift breach it reported on Tuesday is broader than previously known. Prior to the update, members of the Google Threat Intelligence Group said the compromised tokens were limited to Salesloft Drift integrations with Salesforce. The compromise of the Workspace accounts prompted Google to change that assessment.

“Based on new information identified by GTIG, the scope of this compromise is not exclusive to the Salesforce integration with Salesloft Drift and impacts other integrations,” Thursday’s update stated. “We now advise all Salesloft Drift customers to treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised.”

On Thursday, Salesloft’s security guidance page made no reference to the new information and instead continued to indicate that the breach affected only Drift integrations with Salesforce. Company representatives didn’t immediately respond to an email seeking confirmation of the Google finding.

Google warns that mass data theft hitting Salesloft AI agent has grown bigger Read More »

yearlong-supply-chain-attack-targeting-security-pros-steals-390k-credentials

Yearlong supply-chain attack targeting security pros steals 390K credentials

Biz & IT, credential theft, cryptomining, GitHub, npm, Security, supply chain attacks / /

Screenshot showing a graph tracking mining activity. Credit: Checkmarx

But wait, there’s more

On Friday, Datadog revealed that MUT-1244 employed additional means for installing its second-stage malware. One was through a collection of at least 49 malicious entries posted to GitHub that contained Trojanized proof-of-concept exploits for security vulnerabilities. These packages help malicious and benevolent security personnel better understand the extent of vulnerabilities, including how they can be exploited or patched in real-life environments.

A second major vector for spreading @0xengine/xmlrpc was through phishing emails. Datadog discovered MUT-1244 had left a phishing template, accompanied by 2,758 email addresses scraped from arXiv, a site frequented by professional and academic researchers.

A phishing email used in the campaign. Credit: Datadog

The email, directed to people who develop or research software for high-performance computing, encouraged them to install a CPU microcode update available that would significantly improve performance. Datadog later determined that the emails had been sent from October 5 through October 21.

Additional vectors discovered by Datadog. Credit: Datadog

Further adding to the impression of legitimacy, several of the malicious packages are automatically included in legitimate sources, such as Feedly Threat Intelligence and Vulnmon. These sites included the malicious packages in proof-of-concept repositories for the vulnerabilities the packages claimed to exploit.

“This increases their look of legitimacy and the likelihood that someone will run them,” Datadog said.

The attackers’ use of @0xengine/xmlrpc allowed them to steal some 390,000 credentials from infected machines. Datadog has determined the credentials were for use in logging into administrative accounts for websites that run the WordPress content management system.

Taken together, the many facets of the campaign—its longevity, its precision, the professional quality of the backdoor, and its multiple infection vectors—indicate that MUT-1244 was a skilled and determined threat actor. The group did, however, err by leaving the phishing email template and addresses in a publicly available account.

The ultimate motives of the attackers remain unclear. If the goal were to mine cryptocurrency, there would likely be better populations than security personnel to target. And if the objective was targeting researchers—as other recently discovered campaigns have done—it’s unclear why MUT-1244 would also employ cryptocurrency mining, an activity that’s often easy to detect.

Reports from both Checkmarx and Datadog include indicators people can use to check if they’ve been targeted.

Yearlong supply-chain attack targeting security pros steals 390K credentials Read More »