Gainsight is investigating suspicious API activity through its Salesforce-integrated applications after Salesforce detected non-allowlisted API calls and revoked related access tokens, temporarily disabling several integrations and prompting other vendors to disable connectors. Analysis links some involved IPs to a previous UNC6040 campaign and to malware families including SmokeLoader and Vidar, underscoring supply-chain risk from trusted SaaS integrations. #Gainsight #UNC6040
Keypoints
- Salesforce detected suspicious API calls from non-allowlisted IPs on November 19, triggering immediate revocation of Gainsight access tokens and restricted integration functionality.
- Three unnamed customers are suspected to have been impacted; Gainsight services such as Customer Success, Community, Northpass, Skilljar, and Staircase were temporarily unable to read/write Salesforce data.
- Other platforms (Zendesk, Gong.io, HubSpot) proactively disabled related CS connectors to limit potential exposure.
- IOC analysis found IPs (e.g., 109.70.100[.]68, 109.70.100[.]71) previously linked to an August 2025 UNC6040 campaign and observed use of Tor exit nodes and commodity proxy/VPN infrastructure.
- Malware samples from commodity families — including SmokeLoader, Stealc, DCRat, and Vidar — were observed communicating with the identified infrastructure.
- Gainsight has rotated credentials and restricted infrastructure access; customers are advised to revoke/rotate OAuth tokens, review logs, apply allowlists, enforce MFA, and isolate/reauthorize integrations.
MITRE Techniques
- [T1078] Valid Accounts – Abuse of OAuth tokens, API keys, and service accounts to access CRM data. (‘OAuth tokens, API keys, and service accounts enable persistent access to enterprise CRM data’)
- [T1071] Application Layer Protocol – Malicious activity performed via API calls to Salesforce. (‘Salesforce detected suspicious API calls.’)
- [T1090] Proxy – Use of Tor exit nodes and commodity proxy/VPN infrastructure to mask the source of connections. (‘Most of the IP addresses identified are Tor exit nodes or commodity proxy/VPN infrastructure’)
- [T1110] Brute Force – Infrastructure with a history of brute-force activity against targets. (‘…abuse for malicious activities, including scanning, brute-force attacks, and web exploitation.’)
- [T1190] Exploit Public-Facing Application – Web exploitation activity observed in conjunction with the infrastructure. (‘…abuse for malicious activities, including scanning, brute-force attacks, and web exploitation.’)
- [T1041] Exfiltration Over C2 Channel – Infrastructure previously used to exfiltrate sensitive CRM data in a related campaign. (‘compromised Salesforce CRM environments to exfiltrate sensitive data’)
Indicators of Compromise
- [IP Addresses] Sources of suspicious API calls, reused from prior campaigns – 109.70.100[.]68, 109.70.100[.]71
- [Malware samples] Families observed communicating with the identified infrastructure – SmokeLoader, Vidar, Stealc, DCRat
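The customer guidance above (review logs, apply per-integration IP allowlists, revoke and reauthorize affected tokens) and the IOC list can be combined into a simple triage pass over API event records. The following is an added example, not code from Gainsight, Salesforce, or the linked write-up; the allowlist ranges, connected-app names, and event records are constructed, and the record shape (timestamp, app, client IP, operation) is a simplified stand-in for whatever your API audit export actually provides.

```python
import ipaddress

# Constructed: IP allowlist per connected app, as an admin would register them
# (hypothetical app names and documentation-reserved ranges).
INTEGRATION_ALLOWLIST = {
    "Gainsight CS": [ipaddress.ip_network("203.0.113.0/24")],
    "Zendesk": [ipaddress.ip_network("198.51.100.0/24")],
}

# IOC IPs from the write-up, kept defanged in source and refanged on load.
IOC_IPS_DEFANGED = ["109.70.100[.]68", "109.70.100[.]71"]


def refang(ip: str) -> str:
    return ip.replace("[.]", ".")


IOC_IPS = {ipaddress.ip_address(refang(i)) for i in IOC_IPS_DEFANGED}

# Constructed API event records: (timestamp, connected app, client IP, operation).
SAMPLE_EVENTS = [
    ("2025-11-19T02:14:07Z", "Gainsight CS", "203.0.113.7", "query"),
    ("2025-11-19T02:15:31Z", "Gainsight CS", "109.70.100.68", "query"),
    ("2025-11-19T02:16:02Z", "Gainsight CS", "192.0.2.55", "update"),
    ("2025-11-19T02:17:45Z", "Zendesk", "198.51.100.20", "query"),
]


def classify_event(app: str, client_ip: str) -> str:
    """IOC match first (highest severity), then allowlist check for the app."""
    ip = ipaddress.ip_address(client_ip)
    if ip in IOC_IPS:
        return "ioc_match"
    allowed = INTEGRATION_ALLOWLIST.get(app)
    if allowed is None:
        return "unknown_integration"  # app not registered: should not be calling at all
    if not any(ip in net for net in allowed):
        return "non_allowlisted"
    return "ok"


def triage(events):
    """Return every event that is not 'ok', with its verdict, for analyst review."""
    return [(ts, app, ip, op, classify_event(app, ip))
            for ts, app, ip, op in events if classify_event(app, ip) != "ok"]


def tokens_to_revoke(events):
    """Integrations with any flagged event: candidates for token revocation and reauthorization."""
    return sorted({finding[1] for finding in triage(events)})
```

In practice the allowlist ranges come from each vendor's published egress addresses, and the IOC set would be extended with a current Tor exit-node list, since the write-up notes most of the identified addresses were Tor or commodity proxy infrastructure.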
Read more: https://www.recordedfuture.com/blog/salesforce-gainsight-security-incident