Skip to content

Klue OAuth Breach Exposes Salesforce Data to Icarus Extortion Group

A recent security incident affecting market intelligence platform Klue has allowed threat actors to steal OAuth tokens used to connect to customers’ Salesforce environments, according to a statement from the company’s CEO. The disclosure comes after cybersecurity firms Huntress and ReliaQuest detailed how attackers abused compromised Klue Battlecards integrations to steal Salesforce CRM data from multiple organizations.

Klue CEO Jason Smith confirmed that the company discovered unauthorized activity on June 12 affecting part of Klue’s integration infrastructure. “On June 12, we identified unauthorized activity affecting a portion of Klue’s integration infrastructure. Since then, we’ve been working alongside trusted cybersecurity experts to understand what happened, support our customers, and restore the connections you rely on,” wrote Smith.

The company says there is currently no evidence that customer content stored directly within the Klue platform was impacted and that the incident was limited to third-party integrations. Klue claims it immediately revoked affected credentials and tokens, removed unauthorized code, disabled impacted integrations, launched an investigation, and notified law enforcement. The company also confirmed it engaged CrowdStrike to assist with the response.

ReliaQuest and Huntress found that the attackers used stolen OAuth credentials associated with Klue integrations to access customer Salesforce environments and conduct large-scale data theft. ReliaQuest observed attackers generating OAuth tokens and using Python scripts to query Salesforce’s API for extended periods, as data was stolen. Huntress later disclosed that its own Salesforce environment was affected by the Klue breach and that the stolen data included business contacts, sales communications, pricing information, and other records.

While BleepingComputer and Huntress previously linked the incident to the Icarus extortion operation, the threat actors have now publicly claimed responsibility on their data leak site. “As you’ve probably already heard, Klue.com has been impacted by us recently. A number of other companies’ Salesforce instances, which were partners to Klue, were exfiltrated,” reads the Icarus post.

The threat actors went on to pressure Klue and affected organizations to contact them through the Session messaging platform to prevent the leaking of stolen data. The post comes after BleepingComputer previously reported that the attacks were linked to Icarus, after sources shared extortion emails sent to affected organizations. Huntress also independently connected the operation to Icarus through Session Messenger IDs used in the extortion emails and the group’s data leak site.

Since then, additional victims have disclosed that they were affected by the attacks, including Recorded Future, Tanium, Jamf, Sprout Social, Gong, and Insurity. Almost all say the incident led to the theft of data from their Salesforce instances and did not affect their platforms, infrastructure, payment information, or internal systems.

Several organizations warned that the stolen business contact information could be used in follow-on phishing, social engineering, and extortion campaigns and urged customers to be vigilant.

Source: Original article

Leave a Reply

Your email address will not be published. Required fields are marked *