
"The Salesloft Drift breach that compromised 'hundreds' of companies including Google, Palo Alto Networks, and Cloudflare, all started with miscreants gaining access to the Salesloft GitHub account in March. This new information comes from a Saturday update into the Mandiant-led investigation - Salesloft hired the incident response firm to determine the root cause and scope of the incident - and a Sunday alert that the integration between Salesloft and Salesforce has now been restored."
"We now know that crims got their initial access sometime in March. Between then and June, the attackers accessed the Salesloft GitHub account, downloaded content from 'multiple' repositories, added a guest user, and established workflows. The postmortem doesn't say how the intruders gained access to the GitHub account. The Register has asked Salesloft about this and will update this story if we receive a response."
"It also doesn't attribute the attack to a specific gang, although Google (which owns Mandiant) previously blamed UNC6395 for the Drift-related breaches. UNC is the tracker Google uses for uncategorized threat groups, as opposed to nation-state attackers (APT) and financially motivated crews (FIN). If you're confused by all the gang names, see our explainer here. Cloudflare last week pinned the attack on a threat group it tracks as GRUB1 that aligns with UNC6395. And it's suspected that ShinyHunters, which Google says has some overlap with UNC6395, also played some role in the intrusions."
Miscreants gained access to the Salesloft GitHub account in March, initiating a breach that affected hundreds of companies including Google, Palo Alto Networks, and Cloudflare. Between March and June attackers downloaded content from multiple repositories, added a guest user, and created workflows in the account. The postmortem did not disclose how GitHub access was obtained. The intrusion included access to Drift's AWS environment, where attackers obtained OAuth tokens for Drift customers' integrations and used those tokens to access several customers. The Mandiant-led investigation found only limited reconnaissance in the Salesloft application environment. Salesloft has restored the Salesforce integration.
Read at The Register