Cybercriminals Exploit Salesforce Experience Cloud Misconfigurations Using Enhanced AuraInspector
Salesforce has recently identified a surge in malicious activity targeting misconfigured Experience Cloud sites. Threat actors are leveraging a customized version of the open-source tool AuraInspector to exploit these misconfigurations, potentially accessing sensitive data without authentication.
Understanding the Threat
Experience Cloud, formerly known as Community Cloud, enables organizations to create branded spaces for customers, partners, and employees to interact. These platforms often include public-facing components accessible to unauthenticated users, managed through a guest user profile. If this profile is misconfigured with excessive permissions, it can inadvertently expose internal data.
AuraInspector, originally developed to help security teams audit access control configurations within the Salesforce Aura framework, has been modified by attackers. The enhanced version not only identifies vulnerable objects by probing API endpoints but also extracts data from misconfigured sites. Specifically, the tool targets the `/s/sfsites/aura` endpoint to exploit overly permissive guest user settings.
Salesforce’s Response
Salesforce has acknowledged the issue, stating that the threat actors are exploiting customer configuration settings rather than inherent vulnerabilities in the platform. The company emphasized the importance of proper configuration to prevent unauthorized data access.
While Salesforce did not explicitly name the threat group responsible, there is speculation that the notorious ShinyHunters group, also known as UNC6240, may be involved. This group has a history of targeting Salesforce environments through third-party applications.
Recommended Actions for Users
To mitigate the risk of unauthorized data access, Salesforce recommends the following actions:
1. Review Guest User Settings: Ensure that the Default External Access for all objects is set to Private.
2. Disable Public API Access: Prevent guest users from accessing public APIs.
3. Restrict Visibility Settings: Configure settings to prevent guest users from enumerating internal organization members.
4. Disable Self-Registration: If not required, turn off self-registration to limit unauthorized access.
5. Monitor Logs: Regularly check logs for unusual queries or activities that may indicate exploitation attempts.
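As an added illustration of step 5 (not code from Salesforce or from the article), the script below flags unauthenticated sources that burst requests at the `/s/sfsites/aura` endpoint, the probing pattern described above. It assumes a simple, constructed access-log format from a reverse proxy or WAF placed in front of the site (timestamp, client IP, method, path, status, session type); the sample log lines are constructed, and the threshold and window are tunable assumptions, not Salesforce guidance.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format, constructed for this example (not a Salesforce or vendor format):
# "<ISO-8601 UTC timestamp> <client IP> <method> <path> <status> <guest|authenticated>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (guest|authenticated)$")
AURA_PATH = "/s/sfsites/aura"

def make_sample_log():
    """Constructed sample: one guest source hammering the Aura endpoint, one normal guest, one authenticated user."""
    base = datetime(2025, 9, 1, 10, 0, 0)
    lines = []
    for i in range(25):  # burst: 25 guest POSTs within 50 seconds from one address
        ts = (base + timedelta(seconds=2 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} 203.0.113.7 POST {AURA_PATH} 200 guest")
    for i in range(3):  # ordinary guest browsing, spread over an hour
        ts = (base + timedelta(minutes=20 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} 198.51.100.4 POST {AURA_PATH} 200 guest")
    for i in range(5):  # authenticated user: not part of the guest-access check
        ts = (base + timedelta(seconds=i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} 192.0.2.10 POST {AURA_PATH} 200 authenticated")
    return "\n".join(lines)

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # skip malformed lines instead of aborting the whole scan
    ts, _method_ip = None, None  # placeholders overwritten below; keeps unpacking explicit
    ts, ip, _method, path, _status, session = m.groups()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, path, session

def find_guest_aura_bursts(log_text, threshold=20, window=timedelta(minutes=1)):
    """Return {ip: peak_count} for guest sources with >= threshold Aura requests in any sliding window."""
    times = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec and rec[2] == AURA_PATH and rec[3] == "guest":
            times[rec[1]].append(rec[0])
    flagged = {}
    for ip, ts_list in times.items():
        ts_list.sort()
        start, peak = 0, 0
        for end, t in enumerate(ts_list):
            while t - ts_list[start] > window:  # advance the window's left edge
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged
```

Running `find_guest_aura_bursts(make_sample_log())` on the constructed sample returns `{'203.0.113.7': 25}`; the low-rate guest visitor and the authenticated user are not flagged.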
Broader Implications
This campaign highlights a growing trend of identity-based targeting, where attackers exploit misconfigurations to harvest data such as names and phone numbers. This information can then be used in subsequent social engineering and voice phishing (vishing) attacks.
In a recent update, screenshots shared by Dark Web Informer on X (formerly Twitter) suggest that ShinyHunters claims to have breached several hundred companies as part of the Salesforce Aura Campaign. Charles Carmakal, CTO of Mandiant Consulting at Google Cloud, confirmed awareness of these attempts and stated that they are collaborating with Salesforce and customers to provide necessary telemetry and support.
Conclusion
Organizations utilizing Salesforce Experience Cloud must prioritize the review and proper configuration of guest user settings to prevent unauthorized data access. By implementing Salesforce’s recommended actions and maintaining vigilant monitoring, companies can safeguard their data against these evolving threats.