ShinyHunters claims ongoing Salesforce Aura data theft attacks

Salesforce warns that attackers are scanning for misconfigured Experience Cloud sites and abusing the /s/sfsites/aura API endpoint, through which guest users can query CRM data without authentication. The ShinyHunters gang claims to be using a modified version of AuraInspector and custom tooling to steal data, while Salesforce says the issue stems from customer-configured guest settings rather than a platform vulnerability.

Key points

  • Attackers are exploiting misconfigured Experience Cloud guest-user profiles to access data via the /s/sfsites/aura endpoint.
  • Threat actors modified the open-source AuraInspector and created custom tools to mass-scan and exfiltrate records.
  • Salesforce advises auditing guest permissions, disabling guest API access, and removing the “API Enabled” setting from guest profiles.
  • Administrators should set external org-wide defaults to Private, disable Portal/Site User Visibility, and turn off unnecessary self-registration.
  • Mandiant and Salesforce are sharing detection guidance; orgs should monitor Aura Event Monitoring logs and designate a security contact.
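
One way to act on the monitoring advice above, as an added example that is not from the article, Salesforce or Mandiant: a sliding-window check that flags source IPs sending bursts of guest requests to /s/sfsites/aura. The CSV column names, the "Guest" label, the threshold and the sample rows are assumptions constructed for illustration; map them to the fields in your own Event Monitoring or web log export.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

AURA_PATH = "/s/sfsites/aura"  # endpoint named in the advisory

# Constructed sample log. Column names and the "Guest" label are hypothetical.
SAMPLE_LOG = """\
timestamp,client_ip,user_type,uri
2025-01-01T10:00:00,203.0.113.7,Guest,/s/sfsites/aura?r=1
2025-01-01T10:00:05,203.0.113.7,Guest,/s/sfsites/aura?r=2
2025-01-01T10:00:10,203.0.113.7,Guest,/s/sfsites/aura?r=3
2025-01-01T10:00:15,203.0.113.7,Guest,/s/sfsites/aura?r=4
2025-01-01T10:00:20,203.0.113.7,Guest,/s/sfsites/aura?r=5
2025-01-01T10:00:25,203.0.113.7,Guest,/s/sfsites/aura?r=6
2025-01-01T10:00:30,198.51.100.20,Guest,/s/sfsites/aura?r=1
2025-01-01T10:00:40,198.51.100.20,Guest,/s/login
2025-01-01T10:20:00,198.51.100.20,Guest,/s/sfsites/aura?r=2
2025-01-01T10:00:01,192.0.2.5,Standard,/s/sfsites/aura?r=1
"""


def flag_guest_aura_bursts(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {client_ip: peak} for IPs whose guest Aura requests reach
    `threshold` within any sliding `window`."""
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        path = row["uri"].split("?", 1)[0]
        # Only unauthenticated (guest) traffic to the Aura endpoint is of interest.
        if row["user_type"] != "Guest" or not path.startswith(AURA_PATH):
            continue
        hits[row["client_ip"]].append(datetime.fromisoformat(row["timestamp"]))

    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):
            # Shrink the window from the left until it spans at most `window`.
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, peak in flag_guest_aura_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {peak} guest Aura requests within one minute")
```

Tune the threshold and window against your site's normal guest traffic before alerting on the result.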

Read More: https://www.bleepingcomputer.com/news/security/shinyhunters-claims-ongoing-salesforce-aura-data-theft-attacks/