Klue Breach Exposes Cybersecurity Firms to Supply Chain Risk


Klue, a provider of competitive intelligence services, has been implicated in a supply chain compromise that illustrates how trusted third-party integrations can lead to high-impact attacks on enterprise systems. During the incident, which occurred on June 11, unauthorized access to Klue’s backend infrastructure allowed threat actors to deploy malicious code designed to harvest the authentication tokens tied to customer integrations, and customer tokens were stolen as a result.
Security firms Huntress and Recorded Future confirmed that they were among the organizations affected by the breach, which has drawn attention across the cybersecurity industry. Investigations also found that the attackers accessed and extracted customer data through connected business platforms by leveraging the compromised integrations.
Interconnected SaaS ecosystems present significant risk: a single compromise can rapidly extend beyond the initial target and affect multiple downstream organizations.
Details further indicate that the compromise extended beyond Klue’s internal environment into customer-connected cloud platforms through an unlawfully accessed legacy integration credential.
Using that credential, the threat actors accessed Salesforce instances on June 12 and synchronized customer data across linked cloud environments, gaining unauthorized access to customer information.
Although Klue has not revealed the exact number of individuals or organizations affected, multiple organizations, including Gong, Jamf, HackerOne, Insurity, OneTrust, Snyk, Sprout Social, Tanium, Huntress, and Recorded Future, have acknowledged exposure.
The cybercrime group Icarus has claimed responsibility for the incident and has threatened to release the stolen data publicly if a ransom demand is not met.
According to preliminary assessments, the accessed records primarily contain business-related information about customers, such as names, e-mail addresses, phone numbers, job titles, and some account details.
Threat actors are increasingly targeting middleware and integration providers as strategic aggregation points, since a single compromised credential or service connection can serve as a gateway into the cloud data environments of many downstream companies.
According to Klue, CrowdStrike has been engaged as part of its response efforts, and affected integrations have been suspended while containment and forensic investigations are ongoing. As containment efforts progressed, the operational footprint of the intrusion became increasingly apparent.
Upon discovering the compromise, Klue revoked all customer OAuth tokens and suspended integrations with enterprise platforms including Salesforce, HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive, and Slack to prevent further unauthorized activity.
Further investigation found that the attackers had used the compromised integration access to extract extensive data through Salesforce’s REST API. ReliaQuest researchers observed unusually high volumes of CRM queries over a 24-hour period, including a concentrated burst of nearly 1,000 requests within 15 minutes and sustained extraction activity that lasted over six hours.
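The two volume patterns ReliaQuest describes, a short burst of queries and a multi-hour sustained run from one integration identity, are the kind of signal a defender can test for directly in API access logs. The following is an added example written for this article, not code from Klue, ReliaQuest, or Salesforce: it parses a constructed log format, measures the peak request count in any 15-minute window and the longest uninterrupted run of activity per client identity, and flags both. The log line layout, the client names, the date, and the thresholds are all assumptions chosen for illustration.

```python
"""Burst and sustained-volume detector for SaaS/CRM API access logs.

Added example (not from the article, Klue, ReliaQuest or Salesforce).
Assumptions: each log line is '<ISO8601 timestamp> <client_id> <endpoint>';
thresholds below are illustrative and must be tuned to a tenant's baseline.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

BURST_WINDOW = timedelta(minutes=15)
BURST_THRESHOLD = 500                 # assumed: requests in one 15-minute window
SUSTAINED_WINDOW = timedelta(hours=6)  # the article's "over six hours"
MAX_IDLE_GAP = timedelta(minutes=5)   # assumed: a longer pause ends an activity run


def parse_line(line):
    """Split one constructed log line into (timestamp, client_id, endpoint)."""
    ts, client, endpoint = line.split(maxsplit=2)
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), client, endpoint


def max_requests_in_window(times, window):
    """Largest number of requests that fall inside any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:      # slide the left edge forward
            start += 1
        best = max(best, end - start + 1)
    return best


def longest_sustained_run(times, max_gap):
    """Longest span of activity with no pause longer than `max_gap` between requests."""
    times = sorted(times)
    if not times:
        return timedelta(0)
    best = timedelta(0)
    run_start = times[0]
    for prev, cur in zip(times, times[1:]):
        if cur - prev > max_gap:              # the run ended at `prev`
            best = max(best, prev - run_start)
            run_start = cur
    return max(best, times[-1] - run_start)


def analyze(lines):
    """Return per-client volume metrics and the two flags the report describes."""
    per_client = defaultdict(list)
    for line in lines:
        ts, client, _endpoint = parse_line(line)
        per_client[client].append(ts)
    findings = {}
    for client, times in per_client.items():
        peak = max_requests_in_window(times, BURST_WINDOW)
        run = longest_sustained_run(times, MAX_IDLE_GAP)
        findings[client] = {
            "total": len(times),
            "peak_15m": peak,
            "longest_run": run,
            "flag_burst": peak >= BURST_THRESHOLD,
            "flag_sustained": run >= SUSTAINED_WINDOW,
        }
    return findings


def constructed_sample():
    """Synthetic log: one integration identity bursting then crawling, one normal user."""
    base = datetime(2024, 6, 12, 3, 0, tzinfo=timezone.utc)  # placeholder date/time
    endpoint = "GET /services/data/v58.0/query"
    lines = []
    # Integration-style pattern: 1,000 queries at 0.9 s spacing (15 minutes) ...
    for i in range(1000):
        t = base + timedelta(milliseconds=900 * i)
        lines.append(f"{t.isoformat().replace('+00:00', 'Z')} crm-connector-token {endpoint}")
    # ... followed by one query every 2 minutes for 6.5 hours (never idle > 5 min).
    for j in range(196):
        t = base + timedelta(minutes=16) + timedelta(minutes=2 * j)
        lines.append(f"{t.isoformat().replace('+00:00', 'Z')} crm-connector-token {endpoint}")
    # Normal analyst: one query every 3 minutes during a two-hour working session.
    for k in range(41):
        t = base + timedelta(hours=6) + timedelta(minutes=3 * k)
        lines.append(f"{t.isoformat().replace('+00:00', 'Z')} analyst@example.com {endpoint}")
    return lines


if __name__ == "__main__":
    for client, f in analyze(constructed_sample()).items():
        print(client, f["total"], f["peak_15m"], f["longest_run"],
              "BURST" if f["flag_burst"] else "", "SUSTAINED" if f["flag_sustained"] else "")
```

The important design choice is keying the metrics on the integration identity (the OAuth client or token) rather than on a human user, because a compromised connector authenticates as the integration and would otherwise be diluted into the tenant's overall traffic. The thresholds here are placeholders; in practice they should be derived from each integration's own historical request rate so that a legitimate nightly sync is not flagged.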

[…]

This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents