
"Our Cyber Security Operations Center [CSOC] has been monitoring a campaign by a known threat actor group. Evidence indicates the threat actor is leveraging a modified version of the open source tool Aura Inspector - originally developed by Mandiant - to perform mass scanning of public-facing Experience Cloud sites. While the original Aura Inspector is limited to identifying vulnerable objects by probing API endpoints that these sites expose, specifically the /s/sfsites/aura endpoint, the actor has developed a custom version of the tool capable of going beyond identification to actually extract data."
"The issue arises if these profiles are configured with enhanced privileges enabling a visitor - or cyber criminal - to directly query Salesforce CRM objects without having logged in. This setup is ill-advised and runs contrary to Salesforce's suggested configuration guidance."
Salesforce has alerted users to increased threat actor activity targeting Experience Cloud customers with overly permissive guest user configurations. The attacks stem from misconfigurations during setup rather than product flaws. ShinyHunters, responsible for prior social engineering campaigns against Salesforce Data Loader users, is leveraging a modified version of the open-source Aura Inspector tool to scan and exploit public-facing Experience Cloud sites. The custom tool extends beyond the original's identification capabilities to extract data by exploiting guest user profiles with enhanced privileges. These profiles, when misconfigured, allow unauthenticated visitors to query Salesforce CRM objects directly, contradicting Salesforce's recommended configuration guidance.
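The misconfiguration described above (a guest user profile carrying object-level CRM privileges) is something an administrator can audit from the permission metadata itself. The following audit is an added example and not code from Salesforce or the article; it assumes rows shaped like the Salesforce `ObjectPermissions` records returned for profile-owned permission sets, and the sample rows are constructed, not real org data.

```python
"""Flag guest-user profiles that grant object access on CRM objects.

Assumed input shape: one row per (profile, object) as a SOQL query over
ObjectPermissions (joined to Parent.Profile) would return. The rows below
are constructed for illustration.
"""
from dataclasses import dataclass

# Objects a public-facing guest profile should normally have no access to.
SENSITIVE_OBJECTS = {"Account", "Contact", "Lead", "Opportunity", "Case", "User"}


@dataclass
class ObjectPermission:
    profile_name: str      # Parent.Profile.Name
    user_type: str         # Parent.Profile.UserType, 'Guest' for Experience Cloud guests
    sobject_type: str      # SobjectType
    read: bool = False     # PermissionsRead
    create: bool = False   # PermissionsCreate
    edit: bool = False     # PermissionsEdit
    delete: bool = False   # PermissionsDelete
    view_all: bool = False    # PermissionsViewAllRecords
    modify_all: bool = False  # PermissionsModifyAllRecords

    def grants(self):
        flags = [("Read", self.read), ("Create", self.create), ("Edit", self.edit),
                 ("Delete", self.delete), ("ViewAll", self.view_all),
                 ("ModifyAll", self.modify_all)]
        return [name for name, on in flags if on]


def audit_guest_permissions(rows):
    """Return (profile, object, severity, grants) for every guest grant.

    Any object access for an unauthenticated guest is reported; access to a
    sensitive CRM object, or any ViewAll/ModifyAll grant, is rated 'high'.
    """
    findings = []
    for r in rows:
        if r.user_type != "Guest":
            continue  # authenticated profiles are out of scope for this check
        granted = r.grants()
        if not granted:
            continue
        high = r.sobject_type in SENSITIVE_OBJECTS or r.view_all or r.modify_all
        findings.append((r.profile_name, r.sobject_type, "high" if high else "review", granted))
    return findings


# Constructed sample rows: two guest profiles, one internal profile as a control.
SAMPLE_ROWS = [
    ObjectPermission("Support Site Guest User Profile", "Guest", "Case", read=True, create=True),
    ObjectPermission("Support Site Guest User Profile", "Guest", "Account", read=True),
    ObjectPermission("Partner Site Guest User Profile", "Guest", "Contact", read=True, view_all=True),
    ObjectPermission("Partner Site Guest User Profile", "Guest", "FAQ__c", read=True),
    ObjectPermission("Standard User", "Standard", "Account", read=True, edit=True),
]
```

Running `audit_guest_permissions(SAMPLE_ROWS)` reports the three CRM-object grants as `high` and the custom FAQ object as `review`, while the internal Standard User profile is ignored.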
#salesforce-security #experience-cloud-misconfigurations #shinyhunters-threat-actor #guest-user-permissions #data-extraction-attacks
Read at ComputerWeekly.com