In a recent cybersecurity incident, attackers exploited the Klue Battlecards integration to access sensitive data within Salesforce environments. Klue Battlecards is a competitive intelligence platform that synchronizes data with Salesforce, including battlecards and win/loss information. By compromising Klue’s integration service account credentials, the attackers generated OAuth tokens, enabling them to authenticate and interact with Salesforce’s REST API.
The attack unfolded in two distinct phases. Initially, the perpetrators conducted a slow extraction process, enumerating the organization's object catalog and executing continuous REST API queries over nearly 24 hours. This low, steady cadence was designed to blend in with the integration's normal synchronization traffic and so avoid drawing attention. Subsequently, the attackers shifted to a rapid extraction phase: in one affected organization they issued approximately 1,000 queries within a 15-minute window, and in another they sustained extraction for six hours. This aggressive approach suggests either a focus on high-value records or a response to time constraints, for example an expectation that the access would soon be revoked.
The compromised data potentially includes account records, contact details, deal outcomes, and pricing information, depending on the permissions granted to the Klue integration within each organization. Salesforce has responded by disabling the Klue Battlecards app’s connection to its platform and is conducting a thorough investigation. The company emphasized that the breach did not result from a vulnerability within Salesforce itself but was due to the compromise of Klue’s integration credentials.
This incident bears similarities to previous attacks attributed to groups like ShinyHunters and UNC6395, known for targeting Salesforce OAuth tokens to extract data. However, specific attribution for this attack remains unconfirmed. Notably, the attackers employed Python-urllib user-agent strings and data-center hosting, differing from the tools and infrastructure used in prior incidents.
The breach underscores the inherent risks of third-party SaaS integrations, which often hold persistent and broad API access to sensitive data. Because such integrations authenticate with valid credentials and tokens, authentication-based controls see nothing wrong; unauthorized use has to be recognized from behaviour instead, such as request volume and timing, the user-agent string, the source network, and which objects are being enumerated or queried. Organizations are advised to audit their third-party integrations and the permissions granted to each, enforce strict least-privilege access controls, and baseline and monitor each integration's API activity so that departures from its normal pattern are flagged.
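The behavioural signals described above (a burst of queries in a short window, object-catalog enumeration, and a user-agent and source address that differ from the vendor's normal traffic) can be turned into simple detection rules. The following is an added example written for this page, not code from the article, Klue or Salesforce; it runs three such rules over constructed sample log records. The field names (`timestamp`, `user`, `user_agent`, `client_ip`, `uri`), the `KlueSync/` user-agent prefix in the allowlist, the account name, and the thresholds are all assumptions chosen for the example and would need to be replaced with values taken from your own API access logs and from the integration's observed baseline.

```python
"""Detection rules for integration-credential abuse, run over constructed sample
API access records. Added example; not code from the article, Klue or Salesforce.
Field names, account name, user-agent allowlist and thresholds are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed allowlist: integration account -> user-agent prefix the vendor normally sends.
EXPECTED_USER_AGENT = {"klue-integration@example.com": "KlueSync/"}

BURST_WINDOW = timedelta(minutes=15)
BURST_THRESHOLD = 100      # queries per window; tune to the integration's baseline
DESCRIBE_THRESHOLD = 50    # distinct objects described per calendar day


def make_events():
    """Constructed sample records (not incident data), in arrival order."""
    base = datetime(2025, 1, 10, 8, 0, 0)
    user = "klue-integration@example.com"
    vendor = dict(user=user, user_agent="KlueSync/2.3", client_ip="203.0.113.10")
    attacker = dict(user=user, user_agent="Python-urllib/3.11", client_ip="198.51.100.77")
    events = []
    # Legitimate cadence: one sync query every 5 minutes for 4 hours.
    for i in range(48):
        events.append({**vendor, "timestamp": base + timedelta(minutes=5 * i),
                       "uri": "/services/data/v59.0/query"})
    # Slow phase: enumerate the object catalog, one describe call every 3 minutes.
    for i in range(120):
        events.append({**attacker, "timestamp": base + timedelta(hours=5, minutes=3 * i),
                       "uri": f"/services/data/v59.0/sobjects/Object{i}/describe"})
    # Fast phase: 1000 queries inside 15 minutes.
    fast = base + timedelta(hours=12)
    for i in range(1000):
        events.append({**attacker, "timestamp": fast + timedelta(seconds=0.9 * i),
                       "uri": "/services/data/v59.0/query"})
    return events


def burst_alerts(events, window=BURST_WINDOW, threshold=BURST_THRESHOLD):
    """Sliding-window request count per user. Returns {user: peak_count} for
    every user whose peak count within one window exceeds the threshold."""
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        q = recent[ev["user"]]
        q.append(ev["timestamp"])
        while q and ev["timestamp"] - q[0] > window:   # drop timestamps outside the window
            q.popleft()
        peak[ev["user"]] = max(peak[ev["user"]], len(q))
    return {u: n for u, n in peak.items() if n > threshold}


def unexpected_client_alerts(events, expected=EXPECTED_USER_AGENT):
    """Integration accounts whose traffic carries a user-agent other than the
    allowlisted one. Returns {user: sorted list of (user_agent, client_ip)}."""
    seen = defaultdict(set)
    for ev in events:
        prefix = expected.get(ev["user"])
        if prefix is not None and not ev["user_agent"].startswith(prefix):
            seen[ev["user"]].add((ev["user_agent"], ev["client_ip"]))
    return {u: sorted(s) for u, s in seen.items()}


def describe_enumeration_alerts(events, threshold=DESCRIBE_THRESHOLD):
    """Users that call .../sobjects/<Name>/describe on many distinct objects in one
    calendar day: the catalog enumeration that precedes bulk extraction.
    Returns {(user, date): distinct_object_count} above the threshold."""
    objects = defaultdict(set)
    for ev in events:
        parts = ev["uri"].split("/")
        if len(parts) >= 3 and parts[-1] == "describe" and parts[-3] == "sobjects":
            objects[(ev["user"], ev["timestamp"].date())].add(parts[-2])
    return {k: len(v) for k, v in objects.items() if len(v) > threshold}


def run_detections(events):
    """Run all three rules and return their findings keyed by rule name."""
    return {
        "burst": burst_alerts(events),
        "unexpected_client": unexpected_client_alerts(events),
        "describe_enumeration": describe_enumeration_alerts(events),
    }


if __name__ == "__main__":
    for rule, hits in run_detections(make_events()).items():
        print(rule, hits)
```

Note that the burst rule alone would miss the slow phase entirely (five describe calls per 15 minutes is well under any sensible threshold), which is why the enumeration and client-fingerprint rules run alongside it: the slow phase is what gives you hours of lead time before bulk extraction starts. In practice the user-agent allowlist and the per-window threshold should be derived from several weeks of the integration's own logs rather than guessed.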
This event highlights the critical need for organizations to scrutinize the security of third-party integrations within their systems. As attackers increasingly target these trusted connections, companies must implement robust monitoring and access management practices to safeguard sensitive data.