Datorama, a Salesforce Company Breach Incident Score: Analysis & Impact (DAT1804218112125)

In this Rankiteo incident briefing, we review the Datorama, a Salesforce Company breach identified under incident ID DAT1804218112125.

The analysis begins with a detailed overview of Datorama, a Salesforce Company's information like the linkedin page: https://www.linkedin.com/company/datorama, the number of followers: 19485, the industry type: Software Development and the number of employees: 95 employees

After the initial compromise, the video explains how Rankiteo's incident engine converts technical details into a normalized incident score. The incident score before the incident was 752 and after the incident was 689 with a difference of -63 which is could be a good indicator of the severity and impact of the incident.

In the next step of the video, we will analyze in more details the incident and the impact it had on Datorama, a Salesforce Company and their customers.

Salesforce recently reported "Unauthorized Access to Salesforce Customer Data via Gainsight Managed Package", a noteworthy cybersecurity incident.

Salesforce investigated an incident where unauthorized access to some customers’ data occurred through a Gainsight 'managed package,' a third-party connector.

The disruption is felt across the environment, affecting Salesforce Instances (via Gainsight Connected Apps) and Gainsight Managed Package, and exposing Account Data, Contact Data and Opportunity Data.

In response, teams activated the incident response plan, moved swiftly to contain the threat with measures like Invalidate and Rotate OAuth Tokens/Client Secrets, Enforce Reconsent for Affected Apps and Turn Off/Uninstall Unused Integrations, and began remediation that includes Tighten Connected App Policies (IP Restrictions, Re-Authentication, Least Privilege), Analyze Event Monitoring (EM) Logs and API Logs for Anomalies and Centralized Token Vaulting (Recommended), while recovery efforts such as Reauthorize Integrations Post-Remediation continue, and stakeholders are being briefed through Customer Advisories from Salesforce/Gainsight and Public Status Page Updates.

The case underscores how Ongoing (Salesforce and Gainsight investigating; extent of access and data exposure unclear), teams are taking away lessons such as Third-party SaaS connectors can serve as attack vectors even if the core platform is secure, OAuth token sprawl and overbroad permissions increase risk in multi-tenant cloud environments and Token theft and cloud-to-cloud compromise are significant threats, as warned by CISA, and recommending next steps like Audit and inventory all third-party connected apps, especially those with broad permissions, Enforce least-privilege access and short-lived tokens for OAuth integrations and Implement conditional access policies and DLP controls for SaaS connectors, with advisories going out to stakeholders covering Monitor updates from Salesforce and Gainsight and Prepare for potential reauthorization of integrations.

Finally, we try to match the incident with the MITRE ATT&CK framework to see if there is any correlation between the incident and the MITRE ATT&CK framework.

The MITRE ATT&CK framework is a knowledge base of techniques and sub-techniques that are used to describe the tactics and procedures of cyber adversaries. It is a powerful tool for understanding the threat landscape and for developing effective defense strategies.

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified Valid Accounts: Cloud Accounts (T1078.004) with high confidence (95%), with evidence including exploitation of OAuth tokens linked to Gainsight-published applications, and compromised vendor tokens accessing Salesforce APIs and Trusted Relationship (T1199) with high confidence (90%), with evidence including third-party SaaS connector integrated through OAuth, and gainsight-managed package used for unauthorized access. Under the Persistence tactic, the analysis identified Account Manipulation: Additional Cloud Credentials (T1098.003) with moderate to high confidence (85%), with evidence including long-lived tokens enabled persistent access, and token sprawl in multi-tenant cloud environments. Under the Privilege Escalation tactic, the analysis identified Account Manipulation: Additional Cloud Roles (T1098.001) with moderate to high confidence (80%), with evidence including overbroad OAuth token permissions granted elevated access, and broad permissions enable lateral movement. Under the Defense Evasion tactic, the analysis identified Use Alternate Authentication Material: Application Access Token (T1550.001) with high confidence (95%), with evidence including exploitation of OAuth tokens to bypass authentication, and token theft used for unauthorized API access and Indicator Removal: Timeline Manipulation (T1070.006) with moderate to high confidence (70%), supported by evidence indicating insufficient monitoring of connected app activity suggests log tampering/evasion. Under the Credential Access tactic, the analysis identified Steal Application Access Token (T1528) with high confidence (95%), with evidence including compromised credentials (Gainsight) led to token theft, and exploitation of OAuth tokens for data extraction and Steal Web Session Cookie (T1539) with moderate to high confidence (75%), supported by evidence indicating long-lived tokens may include session persistence mechanisms. Under the Discovery tactic, the analysis identified System Information Discovery (T1082) with moderate to high confidence (80%), with evidence including high-value targets such as Salesforce Customer Data (Accounts, Contacts, Opportunities), and attackers identified and exfiltrated specific data types and File and Directory Discovery (T1083) with moderate to high confidence (75%), supported by evidence indicating data exfiltration implies reconnaissance of accessible data structures. Under the Collection tactic, the analysis identified Data from Local System (T1005) with high confidence (90%), with evidence including extract data from Salesforce instances via APIs, and account Data, Contact Data, Opportunity Data compromised and Data from Cloud Storage: Cloud APIs (T1213.002) with high confidence (95%), with evidence including salesforce APIs used to access and exfiltrate data, and connected apps to pivot into victims’ Salesforce environments. Under the Exfiltration tactic, the analysis identified Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol (T1048.003) with moderate to high confidence (85%), with evidence including data exfiltration via legitimate Salesforce APIs, and anomalous exports detected post-incident and Automated Exfiltration: Traffic Duplication (T1020.001) with moderate to high confidence (80%), with evidence including double extortion implies bulk data extraction, and hundreds of organizations affected suggests automated processes. Under the Impact tactic, the analysis identified Data Encrypted for Impact (T1486) with lower confidence (30%), supported by evidence indicating double extortion threatened (though no encryption confirmed), Data Destruction (T1485) with lower confidence (20%), supported by evidence indicating no direct evidence, but extortion implies potential data manipulation threats, and Data Manipulation (T1659) with moderate to high confidence (70%), with evidence including reputational damage risk if data was altered or leaked, and regulatory scrutiny potential from exposed sensitive metadata. Under the Lateral Movement tactic, the analysis identified Account Manipulation (T1098) with moderate to high confidence (85%), with evidence including pivot into victims’ Salesforce environments via connected apps, and lateral movement enabled by broad OAuth permissions and Use Alternate Authentication Material: Web Session Cookie (T1550.003) with moderate to high confidence (75%), supported by evidence indicating cloud-to-cloud compromise suggests reuse of stolen sessions/tokens. These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.