โ† Back to Gainsight company page

Gainsight Breach Incident Score: Analysis & Impact (GAI0502205112725)

This Rankiteo video explains how Gainsight was impacted by a breach on November 26, 2025.

Incident Summary

Rankiteo Incident Impact: -124
Company Score Before Incident: 473 / 1000
Company Score After Incident: 349 / 1000
Incident ID: GAI0502205112725
Type of Cyber Incident: Breach
Primary Vector: Compromised Connected App, Token Theft, Third-Party Integration Exploitation
Data Exposed: NA
First Detected by Rankiteo: November 26, 2025
Last Updated Score: November 26, 2025

Key Highlights From This Incident Analysis

  • Timeline of Gainsight's breach and lateral movement inside the company's environment.
  • Overview of affected data sets, including SSNs and PHI, and why they materially increase incident severity.
  • How Rankiteo's incident engine converts technical details into a normalized incident score.
  • How this cyber incident impacts Gainsight's Rankiteo cyber scoring and cyber rating.
  • Rankiteo's MITRE ATT&CK correlation analysis for this incident, with the associated confidence level.

Full Incident Analysis Transcript

In this Rankiteo incident briefing, we review the Gainsight breach identified under incident ID GAI0502205112725.

The analysis begins with a detailed overview of Gainsight's company profile: its LinkedIn page (https://www.linkedin.com/company/gainsight), its number of followers (157947), its industry type (Software Development) and its number of employees (1100).

After describing the initial compromise, the video explains how Rankiteo's incident engine converts technical details into a normalized incident score. The company score was 473 before the incident and 349 after it, a difference of -124, which can serve as an indicator of the severity and impact of the incident.

In the next step of the video, we analyze the incident in more detail, along with the impact it had on Gainsight and its customers.

On 21 November 2023, Gainsight disclosed data breach, unauthorized access and credential compromise issues under the banner "Gainsight Data Breach via Salesforce Connected App".

Gainsight experienced a data breach after Salesforce flagged unusual activity involving its connected app.

The disruption is felt across the environment, affecting the Salesforce Connected App, GSuite SSO (for a subset of customers) and the HubSpot integration, with data exposure recorded as confirmed.

In response, teams activated the incident response plan and moved swiftly to contain the threat. Containment measures included revoking all access and refresh tokens (Salesforce), disabling the Salesforce integration and revoking the HubSpot and Zendesk connectors. Remediation includes an ongoing forensic analysis, customer support teams established for the incident and town halls hosted for affected customers. Stakeholders are being briefed through a blog post by CEO Chuck Ganapathi, community page updates (planned) and direct outreach to affected customers.

The case remains ongoing (forensic analysis by Mandiant), with advisories going out to stakeholders covering a Salesforce security advisory (indicators of compromise shared) and the HubSpot/Zendesk connector revocations.

Finally, we map the incident to the MITRE ATT&CK framework to identify which tactics and techniques correlate with the observed activity.

The MITRE ATT&CK framework is a knowledge base of techniques and sub-techniques that are used to describe the tactics and procedures of cyber adversaries. It is a powerful tool for understanding the threat landscape and for developing effective defense strategies.

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence.

Initial Access
  • Trusted Relationship (T1199), high confidence (95%). Evidence: compromised Connected App (Gainsight Salesforce integration); token theft via the Salesforce-connected app.
  • Valid Accounts: Cloud Accounts (T1078.004), high confidence (90%). Evidence: exploitation of Salesforce customer instances via the Gainsight app; GSuite SSO login issues for a subset of customers.

Persistence
  • Account Manipulation: Additional Cloud Credentials (T1098.003), moderate to high confidence (85%). Evidence: all access and refresh tokens associated with Gainsight apps were revoked; token theft listed as an attack vector.

Credential Access
  • Unsecured Credentials: Cloud Instance Metadata API (T1552.007), moderate to high confidence (80%). Evidence: token theft as an attack vector; all access tokens tied to Gainsight's apps were revoked.
  • Steal Application Access Token (T1528), high confidence (95%). Evidence: Salesforce revoked all access tokens tied to Gainsight's apps; token theft listed as an attack vector.

Defense Evasion
  • Valid Accounts: Cloud Accounts (T1078.004), moderate to high confidence (85%). Evidence: unusual activity flagged by Salesforce suggests abuse of legitimate app access; Gainsight's Salesforce integration is still offline (evading detection).
  • Impair Defenses: Disable or Modify Cloud Firewall (T1562.007), moderate to high confidence (75%). Evidence: integrations with HubSpot and Zendesk disabled as a precaution (implies a potential defensive bypass).

Collection
  • Data from Local System (T1005), high confidence (90%). Evidence: data exfiltration recorded as confirmed; high-value targets such as Salesforce customer data.
  • Data from Cloud Storage: Customer Data (T1213.002), high confidence (95%). Evidence: exposed customer data via the Salesforce-connected app; 200+ potentially compromised Salesforce instances (GTIG).

Exfiltration
  • Exfiltration Over Alternative Protocol: Exfiltration Over Cloud API (T1048.003), high confidence (90%). Evidence: data exfiltration recorded as confirmed via Salesforce API abuse; ShinyHunters extortion group linked to the breach.
  • Automated Exfiltration: Exfiltration to Cloud Storage (T1020.002), moderate to high confidence (85%). Evidence: data breach with customer data leaks; connected app exploitation suggests automated data extraction.

Impact
  • Data Destruction (T1485), lower confidence (30%). Evidence: operational impact such as disabled integrations (no direct evidence of destruction).
  • Resource Hijacking: Cloud Resources (T1496.002), moderate to high confidence (70%). Evidence: Salesforce integration disabled pending investigation (resource abuse implied); HubSpot/Zendesk connectors revoked (disruption of cloud services).
  • Data Manipulation (T1659), lower confidence (40%). Evidence: no direct evidence, but the extortion group (ShinyHunters) may manipulate data for leverage.

These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.
