Salesforce has urged Experience Cloud customers to audit their website configurations after reports that a notorious threat group has already stolen data from hundreds of companies.
The SaaS giant said that it had been tracking an increase in threat actor activity targeting misconfigurations of publicly accessible sites built using its Experience Cloud platform.
“Specifically, we have identified a campaign in which malicious actors are exploiting customers’ overly permissive Experience Cloud guest user configurations to potentially access more data than targeted organizations intended,” it explained.
The group has been using a customized version of an open source tool originally developed by Mandiant (Aura Inspector) to perform mass scanning of the /s/sfsites/aura API endpoint. The tool apparently identifies vulnerable CRM objects and extracts data from misconfigured endpoints, Salesforce said.
“Data harvested in these scans, such as names and phone numbers, is often used to build follow-on targeted social engineering and vishing (voice phishing) campaigns,” it continued.
Read more on ShinyHunters campaigns: New Data Theft Campaign Targets Salesforce via Salesloft App.
Salesforce was at pains to point out that the threat actors are exploiting a “customer-configured guest user setting, not a platform security flaw.”
ShinyHunters Gives a Final Warning
The infamous ShinyHunters group has claimed responsibility for the campaign. In screenshots from its leak site published on X (formerly Twitter) it claimed to have breached “several hundreds” of companies.
It claims to have compromised around 400 websites and 100 “high-profile companies.”
That would suggest that it did indeed use the contact details cited by Salesforce and obtained via the website intrusions in order to perform follow-on social engineering, network intrusions and wider data theft.
Salesforce Urges Immediate Action
Salesforce claimed that any Experience Cloud customers that are using the guest user profile and have configured permissions “to allow public access to objects and fields not intended to be publicly available” could be affected.
It urged these customers to:
- Audit guest user permissions and enforce a least privilege access model to ensure these profiles are restricted to the “absolute minimum” objects and fields needed for the site to function
- Ensure the Default External Access for all objects is set to “private”
- Uncheck “Allow guest users to access public APIs” in site settings and uncheck “API Enabled” in the guest user profile’s System Permissions
- Uncheck “Portal User Visibility” and “Site User Visibility” in Sharing Settings to stop guest users from enumerating internal organization members
- If the site does not require unauthenticated visitors to create their own accounts, disable self-registration
- Review Aura Event Monitoring logs for unusual access patterns
ShinyHunters has a long track record of going after Salesforce customers, having targeted their instances on multiple occasions in connected campaigns last year.
