Gainsight Breach Incident Score: Analysis & Impact (GAI1832518112125)

In this Rankiteo incident briefing, we review the Gainsight breach identified under incident ID GAI1832518112125.

The analysis begins with a detailed overview of Gainsight's information like the linkedin page: https://www.linkedin.com/company/gainsight, the number of followers: 157947, the industry type: Software Development and the number of employees: 1100 employees

After the initial compromise, the video explains how Rankiteo's incident engine converts technical details into a normalized incident score. The incident score before the incident was 555 and after the incident was 535 with a difference of -20 which is could be a good indicator of the severity and impact of the incident.

In the next step of the video, we will analyze in more details the incident and the impact it had on Gainsight and their customers.

On 20 November 2023, Gainsight disclosed Unauthorized Access, Data Breach and Third-Party Risk issues under the banner "Gainsight-Salesforce Unauthorized Data Access Incident".

Salesforce revoked access to Gainsight applications due to unusual activity, potentially enabling unauthorized access to customer data via Gainsight SFDC Connector.

The disruption is felt across the environment, affecting Salesforce (via Gainsight SFDC Connector), HubSpot (preventively disabled) and Zendesk (preventively disabled), and exposing CRM-layer data (business contact info) and Salesforce case text.

In response, teams activated the incident response plan, moved swiftly to contain the threat with measures like Revoked access to Gainsight applications on Salesforce AppExchange and Disabled Gainsight connections with HubSpot and Zendesk, and began remediation that includes Forensic investigation by Mandiant, and stakeholders are being briefed through Public security advisory by Salesforce (2023-11-20) and Gainsight updates (acknowledged exposure).

The case underscores how Ongoing (Mandiant engaged for forensic analysis), teams are taking away lessons such as The incident highlights risks in SaaS ecosystems from over-permissioned third-party apps and OAuth token misuse. Organizations should audit app permissions, monitor for anomalous activity, and enforce least-privilege access principles, and recommending next steps like Conduct third-party risk assessments for integrated SaaS vendors, Implement continuous monitoring for OAuth token usage and app connections and Enforce least-privilege access for third-party applications, with advisories going out to stakeholders covering Salesforce security advisory (2023-11-20) and Gainsight updates (acknowledged exposure).

Finally, we try to match the incident with the MITRE ATT&CK framework to see if there is any correlation between the incident and the MITRE ATT&CK framework.

The MITRE ATT&CK framework is a knowledge base of techniques and sub-techniques that are used to describe the tactics and procedures of cyber adversaries. It is a powerful tool for understanding the threat landscape and for developing effective defense strategies.

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified Valid Accounts: Cloud Accounts (T1078.004) with high confidence (95%), with evidence including exploited its **SFDC Connector app** to gain unauthorized access to **Salesforce customer data**, and compromised OAuth Tokens under attack_vector and Trusted Relationship (T1199) with high confidence (90%), with evidence including supply Chain Attack via over-permissioned **Gainsight SFDC Connector**, and salesforce revoked Gainsight’s app access... after detecting unusual activity. Under the Persistence tactic, the analysis identified Account Manipulation: Additional Cloud Credentials (T1098.003) with moderate to high confidence (85%), with evidence including attackers... previously targeted **Salesloft Drift** using stolen OAuth tokens, and over-permissioned third-party integrations enabled persistent access. Under the Privilege Escalation tactic, the analysis identified Account Manipulation: Additional Cloud Roles (T1098.001) with moderate to high confidence (80%), with evidence including over-permissioned Gainsight SFDC Connector app granted excessive access, and cRM-layer data... accessed through over-permissioned third-party integrations. Under the Defense Evasion tactic, the analysis identified Use Alternate Authentication Material: Application Access Token (T1550.001) with high confidence (95%), with evidence including compromised OAuth Tokens used to bypass authentication, and mirroring a prior Salesloft Drift hack involving token misuse and Indicator Removal: File Deletion (T1070.004) with moderate to high confidence (70%), supported by evidence indicating no direct evidence, but **revoked access** suggests actors may have cleared logs/artifacts. Under the Credential Access tactic, the analysis identified Unsecured Credentials: Cloud Instance Metadata API (T1552.007) with moderate to high confidence (75%), with evidence including stolen OAuth tokens reused (implied credential harvesting), and scattered Spider-ShinyHunters-Lapsus$ collective known for token theft and Steal Application Access Token (T1528) with high confidence (95%), with evidence including compromised OAuth Tokens explicitly listed as attack vector, and attackers... used stolen OAuth tokens in prior Salesloft Drift incident. Under the Collection tactic, the analysis identified Data from Local System (T1005) with high confidence (90%), with evidence including cRM-layer data, primarily **business contact information and Salesforce case texts**, and accessed through over-permissioned third-party integrations. Under the Exfiltration tactic, the analysis identified Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol (T1048.003) with moderate to high confidence (85%), with evidence including threatened to leak data from **nearly 1,000 companies** via a dedicated leak site, and data exfiltration such as Claimed by threat actors and Automated Exfiltration: Traffic Duplication (T1020.001) with moderate to high confidence (70%), supported by evidence indicating gainsight disabled connections to **HubSpot and Zendesk** (suggests automated data collection). Under the Impact tactic, the analysis identified Data Destruction (T1485) with lower confidence (30%), supported by evidence indicating planned RaaS offering (future threat; no confirmed destruction), Data Encrypted for Impact (T1486) with lower confidence (20%), supported by evidence indicating hinted at launching a **ransomware-as-a-service (RaaS) platform** (planned, not executed), and Data Manipulation (T1659) with moderate confidence (60%), supported by evidence indicating severe reputational, compliance, and downstream fraud risks from exposed **Salesforce case texts**. These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.