Salesforce Alerts on ShinyHunters’ Exploitation of Experience Cloud Sites
Salesforce has issued a critical warning regarding an active threat campaign orchestrated by the notorious hacking group ShinyHunters. This campaign targets misconfigured Experience Cloud sites, exploiting overly permissive guest user settings to access sensitive data across numerous high-profile organizations.
Understanding the Threat
Experience Cloud, a platform enabling businesses to create branded digital experiences, allows guest users—unauthenticated visitors—to access public-facing data. However, when guest user profiles are misconfigured with excessive permissions, they can inadvertently expose internal records not intended for public viewing.
ShinyHunters has been actively scanning public Experience Cloud sites using a modified version of Aura Inspector, an open-source tool originally developed for security auditing. While the standard tool identifies data exposure risks, the group’s customized version actively extracts data by probing exposed API endpoints. This method enables attackers to query Salesforce CRM objects directly, harvesting sensitive information without authentication.
Scope of the Attack
Reports indicate that ShinyHunters has compromised up to 400 websites and approximately 100 high-profile companies. The stolen data often includes personal information such as names and phone numbers, which can be leveraged for targeted social engineering and voice phishing attacks. Additionally, the group employs extortion tactics, threatening to publish the exfiltrated business data on dark web leak sites if ransoms are not paid.
Salesforce’s Response and Recommendations
Salesforce emphasizes that this issue does not stem from a vulnerability within its platform but rather from customer misconfigurations. To mitigate the risk, Salesforce advises administrators to adopt a least privilege access model and implement the following defensive actions:
– Disable Public APIs: Uncheck the setting that allows guest users to access public APIs, effectively closing the targeted Aura endpoint to unauthenticated queries.
– Audit Guest Profiles: Review and restrict guest user access to the minimum objects and fields necessary for site functionality.
– Set Defaults to Private: Ensure that the default for external object access is set to private, preventing guest users from viewing records without explicit sharing rules.
– Restrict Internal Visibility: Disable portal and site user visibility settings to prevent attackers from enumerating internal organization members.
– Disable Self-Registration: If public account creation is not essential, turn it off to prevent attackers from escalating their access from a guest tier to an authenticated session.
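One way to turn the audit steps above into a repeatable check is to run a least-privilege linter over the Profile and CustomObject metadata XML that the Salesforce Metadata API (or `sf project retrieve`) returns for the site's guest user profile and the objects it can reach. The script below is an added example, not Salesforce's or the article's own code: the guest profile, the Contact object metadata, the object and field allowlists, and the list of user permissions treated as risky are all constructed sample values for this illustration and would be replaced with a real retrieval and a site-specific allowlist.

```python
"""Offline least-privilege audit of an Experience Cloud guest user profile.

Reads Profile and CustomObject metadata XML (the format the Metadata API
returns) and flags settings that exceed what a public site should grant:
read access to objects or fields outside an allowlist, any create/edit/
delete or View All/Modify All grants, risky user permissions, and an
external (guest) sharing model that is not Private.
"""
import xml.etree.ElementTree as ET

NS = {"m": "http://soap.sforce.com/2006/04/metadata"}

# Assumed set of user permissions a guest profile should never carry.
RISKY_USER_PERMS = {"ApiEnabled", "ViewAllData", "ModifyAllData", "ViewAllUsers"}

# Constructed sample: an over-permissive guest profile.
GUEST_PROFILE_XML = """<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
    <custom>false</custom>
    <userLicense>Guest User License</userLicense>
    <objectPermissions>
        <allowCreate>false</allowCreate><allowDelete>false</allowDelete>
        <allowEdit>false</allowEdit><allowRead>true</allowRead>
        <modifyAllRecords>false</modifyAllRecords>
        <object>Knowledge__kav</object>
        <viewAllRecords>false</viewAllRecords>
    </objectPermissions>
    <objectPermissions>
        <allowCreate>true</allowCreate><allowDelete>false</allowDelete>
        <allowEdit>false</allowEdit><allowRead>true</allowRead>
        <modifyAllRecords>false</modifyAllRecords>
        <object>Contact</object>
        <viewAllRecords>true</viewAllRecords>
    </objectPermissions>
    <fieldPermissions>
        <editable>false</editable><field>Contact.Phone</field><readable>true</readable>
    </fieldPermissions>
    <userPermissions>
        <enabled>true</enabled><name>ApiEnabled</name>
    </userPermissions>
</Profile>"""

# Constructed sample: Contact object whose external (guest) default is not Private.
CONTACT_OBJECT_XML = """<CustomObject xmlns="http://soap.sforce.com/2006/04/metadata">
    <externalSharingModel>ReadWrite</externalSharingModel>
    <sharingModel>ReadWrite</sharingModel>
</CustomObject>"""


def _flag(el, tag):
    """True if the boolean child element <tag> of el is 'true'."""
    return el.findtext(f"m:{tag}", default="false", namespaces=NS).strip().lower() == "true"


def audit_guest_profile(profile_xml, allowed_objects, allowed_fields):
    """Return a list of findings for grants that exceed the site allowlist."""
    root = ET.fromstring(profile_xml)
    findings = []
    for op in root.findall("m:objectPermissions", NS):
        obj = op.findtext("m:object", namespaces=NS)
        if _flag(op, "allowRead") and obj not in allowed_objects:
            findings.append(f"{obj}: guest read access not in allowlist")
        # Write and View All/Modify All grants are never appropriate for guests.
        for tag in ("allowCreate", "allowEdit", "allowDelete",
                    "viewAllRecords", "modifyAllRecords"):
            if _flag(op, tag):
                findings.append(f"{obj}: {tag} enabled for guest")
    for fp in root.findall("m:fieldPermissions", NS):
        field = fp.findtext("m:field", namespaces=NS)
        if _flag(fp, "readable") and field not in allowed_fields:
            findings.append(f"{field}: field readable by guest")
        if _flag(fp, "editable"):
            findings.append(f"{field}: field editable by guest")
    for up in root.findall("m:userPermissions", NS):
        name = up.findtext("m:name", namespaces=NS)
        if _flag(up, "enabled") and name in RISKY_USER_PERMS:
            findings.append(f"{name}: user permission enabled for guest")
    return findings


def audit_external_sharing(object_name, object_xml):
    """Flag an object whose external (guest/portal) org-wide default is not Private."""
    root = ET.fromstring(object_xml)
    model = root.findtext("m:externalSharingModel", default="", namespaces=NS)
    if model != "Private":
        return [f"{object_name}: externalSharingModel is {model or 'unset'}, expected Private"]
    return []


if __name__ == "__main__":
    # Only the knowledge article object is needed for this hypothetical site.
    for line in audit_guest_profile(GUEST_PROFILE_XML, {"Knowledge__kav"}, set()):
        print("PROFILE ", line)
    for line in audit_external_sharing("Contact", CONTACT_OBJECT_XML):
        print("SHARING ", line)
```

Run against the sample input, the profile audit reports the Contact read grant, the create and View All grants on Contact, the readable Contact.Phone field and the ApiEnabled user permission, and the sharing audit reports that Contact's external default is ReadWrite rather than Private. In practice the allowlist is derived from what the site's pages actually render, and the script is run on every retrieved profile whose license is Guest User License.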
Broader Implications
This incident underscores the critical importance of proper configuration and access control within cloud platforms. Misconfigurations can serve as entry points for threat actors, leading to significant data breaches and associated risks. Organizations must remain vigilant, regularly auditing their configurations and access controls to ensure they align with security best practices.
Furthermore, the tactics employed by ShinyHunters highlight a growing trend among cybercriminals to exploit third-party integrations and misconfigurations rather than direct vulnerabilities within platforms. Because this approach bypasses traditional perimeter security measures, organizations need comprehensive security strategies that cover every part of their digital ecosystem, including SaaS configurations.
Conclusion
Organizations utilizing Salesforce Experience Cloud must act swiftly to audit and secure their environments. By implementing the recommended defensive actions and maintaining a proactive security posture, businesses can protect themselves against this ongoing threat campaign and future attacks that exploit similar misconfigurations.