Executive Summary

    On June 12th, Klue identified unauthorized activity affecting their integration infrastructure with Salesforce, resulting in data being exfiltrated from Salesforce instances of multiple Klue customers. Klue confirmed that attackers used a compromised legacy credential tied to an integration service account to access its systems. Using that access, the attacker proceeded to harvest OAuth tokens that Klue uses to connect with third-party platforms, including Salesforce.

    As part of their containment and response to the incident, Klue revoked affected credentials and disabled integrations across multiple connected platforms including HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive, Slack, and Salesforce.

    The incident affected several Klue customers, including high-profile cybersecurity firms, which have begun notifying affected organizations based on the exposed Salesforce data. Compromised Salesforce data typically consists of sensitive information such as contact names, email addresses, job titles, phone numbers, business addresses, pricing quotes, and sales account data.

    While the attacker has demonstrated the ability to pivot across connected customer environments via OAuth tokens, there have been no public reports at the time of writing that lateral movement extended beyond initial Salesforce environments. Klue has revoked the affected credentials and tokens, and engaged CrowdStrike for ongoing incident response and forensic investigation.

    Beazley Security Labs is continuing to monitor the situation and will update this advisory as additional details become available.

    Affected Systems or Products

Any organization with an active or historical Klue integration connected to Salesforce or other supported platforms should assume its Salesforce environment has been breached.

    Organizations whose vendors or partners rely on Klue for competitive intelligence functions may also be indirectly affected and should monitor security notification channels for any required actions.

    Indicators of Compromise

Organizations that are Klue clients should assume breach and immediately revoke and rotate service-account passwords, refresh tokens, client secrets, and OAuth grants associated with any Klue integrations. Once access is revoked, Beazley Security recommends that administrators restrict third-party integration accounts to their known source addresses by enabling IP allowlisting wherever possible (in Salesforce, login IP ranges on the integration user's profile), to reduce the risk of data exfiltration through other Salesforce integrations.

In addition, Klue clients should review third-party OAuth integrations for any unknown or unauthorized connections established after June 12th. For organizations with a Salesforce integration activated in Klue, review API logs for unusual activity against the /services/data/v59.0/ endpoint (requests from unexpected source addresses, high query volumes, or activity at unusual hours), and audit Salesforce OAuth connected apps and integration users for any unknown or unauthorized accounts created since that date.

ReliaQuest identified the following IP addresses as exfiltration destinations in their findings. Search Salesforce login history and API event logs for these addresses, keeping in mind that they will only appear there if the attacker's API calls originated from the same hosts:

    • 138.226.246[.]94
    • 212.86.125[.]24
    • 213.111.148[.]90
    • 94.154.32[.]160
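The log review described above (requests against /services/data/v59.0/ from unexpected sources, bulk query activity, and matches against the ReliaQuest IOC addresses) can be scripted. The following is an added example, not code from the advisory or from any of the vendors named in it. The log rows are constructed; the column names are modelled on a Salesforce EventLogFile REST API export and must be mapped to whatever your own export uses. The integration user ID, the allowlisted egress range (a TEST-NET address standing in for the vendor's published ranges), the incident date used for the sample, and the bulk-query threshold are all assumptions to be replaced with your own values.

```python
"""Triage Salesforce API activity for the Klue-related indicators.

Added example, not part of the original advisory. All sample data and
tuning values below are constructed or assumed; see comments.
"""
import csv
import io
import ipaddress
from collections import Counter
from datetime import datetime, timezone

# IOC addresses listed in the advisory (printed defanged there).
IOC_IPS = {
    "138.226.246.94",
    "212.86.125.24",
    "213.111.148.90",
    "94.154.32.160",
}

# Assumed: egress ranges your sanctioned integration is known to use.
# 203.0.113.0/24 is a documentation range used here as a stand-in.
KNOWN_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]

# Assumed: user IDs of the integration service accounts to scrutinise.
INTEGRATION_USERS = {"005INTEGR8"}

# REST API path named in the advisory; the query sub-path is where bulk
# data pulls (query / queryMore / queryAll) show up.
API_PREFIX = "/services/data/v59.0/"

# Constructed: the incident date as used in the sample rows below.
INCIDENT_START = datetime(2025, 6, 12, tzinfo=timezone.utc)

# Constructed sample rows; column names are assumed, map them to your export.
SAMPLE_LOG = """\
TIMESTAMP_DERIVED,USER_ID,CLIENT_IP,URI,STATUS_CODE
2025-06-11T09:00:00Z,005INTEGR8,203.0.113.10,/services/data/v59.0/query,200
2025-06-13T02:10:01Z,005INTEGR8,212.86.125.24,/services/data/v59.0/query,200
2025-06-13T02:10:07Z,005INTEGR8,212.86.125.24,/services/data/v59.0/query,200
2025-06-13T02:10:13Z,005INTEGR8,212.86.125.24,/services/data/v59.0/queryMore,200
2025-06-13T02:11:00Z,005INTEGR8,198.51.100.7,/services/data/v59.0/sobjects/Contact,200
2025-06-13T10:30:00Z,005HUMAN01,198.51.100.9,/lightning/r/Account/view,200
"""


def parse_rows(text):
    """Parse a CSV export and attach a timezone-aware timestamp to each row."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["ts"] = datetime.strptime(
            row["TIMESTAMP_DERIVED"], "%Y-%m-%dT%H:%M:%SZ"
        ).replace(tzinfo=timezone.utc)
    return rows


def in_allowlist(ip, networks):
    """True if the client address falls inside one of the known egress ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def triage(rows, since, integration_users, allowlist=KNOWN_EGRESS, bulk_threshold=3):
    """Apply three checks to rows at or after `since` and return findings.

    ioc_ip: client IP matches a published indicator.
    integration_from_unknown_ip: integration user hit the REST API from
        outside the allowlisted egress ranges (what IP allowlisting prevents).
    bulk_query: a (user, ip) pair issued >= bulk_threshold query-family
        requests; the threshold is an assumption, baseline it per org.
    """
    findings = []
    query_counts = Counter()
    for row in rows:
        if row["ts"] < since:
            continue
        user, ip, uri = row["USER_ID"], row["CLIENT_IP"], row["URI"]
        base = {"user": user, "ip": ip, "uri": uri, "ts": row["TIMESTAMP_DERIVED"]}
        if ip in IOC_IPS:
            findings.append({"rule": "ioc_ip", **base})
        if (uri.startswith(API_PREFIX) and user in integration_users
                and not in_allowlist(ip, allowlist)):
            findings.append({"rule": "integration_from_unknown_ip", **base})
        if uri.startswith(API_PREFIX + "query"):
            query_counts[(user, ip)] += 1
    for (user, ip), count in query_counts.items():
        if count >= bulk_threshold:
            findings.append({"rule": "bulk_query", "user": user, "ip": ip, "count": count})
    return findings


def summarize(findings):
    """Count findings per rule as a plain dict."""
    return dict(Counter(f["rule"] for f in findings))


def run_sample():
    """Run the triage over the constructed sample rows."""
    return triage(parse_rows(SAMPLE_LOG), INCIDENT_START, INTEGRATION_USERS)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
    print(summarize(run_sample()))
```

On the sample rows the script reports the IOC address three times, four REST API calls by the integration user from non-allowlisted addresses, and one bulk-query cluster; the pre-incident row from the allowlisted range is ignored. An empty result is not a clean bill of health: the IOC addresses only show up if the attacker queried your org from those hosts, and a stolen token used from fresh infrastructure will only trip the allowlist and volume checks, which is why rotation of the grants comes first.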

    Technical Details

The compromise of Klue originated from a legacy credential created for an integration prototype that remained active after the project ended. A threat actor discovered the credential and used it to gain access to Klue's environment and pivot into customer integrations. Once inside, the attacker deployed code designed to harvest the OAuth tokens Klue uses to connect to customers' Salesforce platforms. Using the stolen OAuth tokens, the attacker was able to authenticate to affected Salesforce environments and access CRM data directly.

Attribution for the attack remains unclear. On June 17th, ReliaQuest published information identifying the specific post-access script behavior and tentatively identified ShinyHunters as the attacker. A few days later, on June 21st, ShinyHunters posted on their Telegram channel claiming responsibility for the Klue attack and highlighting the exfiltrated Salesforce data. In contrast, Huntress independently attributed the attack to the newly emerged Icarus extortion group with high confidence, based on indicators within their own compromised environment. Since then, Icarus has added Klue to its Tor-based leak site, claiming responsibility for the attack and soliciting victims to contact them directly to prevent publication of the stolen data.

    Figure 1. Screenshot of Icarus site

    Beazley Security Labs will continue to monitor the situation and update this advisory as relevant details become available.

    How Beazley Security is responding

    Beazley Security is actively monitoring the evolving situation and assessing potential impact across our vendor ecosystem.

    For clients with SaaS platforms logging to our MXDR solution, we are reviewing available telemetry for indicators of compromise associated with this incident.

    If you believe your organization may have been impacted by this attack campaign and need support, please contact our Incident Response team.