What is the Salesforce GraphQL Exploit and What You Should Do
Learn how misconfigured Salesforce Experience Cloud guest user settings are being exploited, and how AppOmni detects these threats
You may have seen Salesforce’s blog about a wave of cyberattacks targeting a vulnerability within Salesforce Experience Cloud sites. We want to share what happened with the Salesforce GraphQL exploit, the specific Salesforce vulnerability, what it means for Salesforce users, and what AppOmni’s Threat Detection team has already done about it.
What happened?
Salesforce’s security team has identified a campaign in which malicious actors are scanning public-facing Experience Cloud sites for misconfigured “guest user” settings. In plain terms, Salesforce-powered websites may allow anonymous visitors to browse certain information without logging in. When those permissions are configured too broadly, attackers can use automated tools to query and extract data. One attacker specifically used a modified version of a security research tool called AuraInspector (originally developed by Mandiant) to query and extract, through Salesforce’s GraphQL interface, data that was never meant to be public.
What has changed recently is the sophistication of the attack. Where earlier versions of this technique could exfiltrate data (~2000 records max), attackers now have a method to actively exfiltrate it at a much bigger scale through the Salesforce GraphQL access method.
This is not a new vulnerability in Salesforce’s platform. The underlying exposure, overly permissive guest user configurations, is one AppOmni Labs has documented and one we have long flagged to customers as a risk. What’s new is the attacker tooling, which makes exploiting the misconfiguration faster, larger in scale, and more impactful.
Is my company at risk?
Sites are only exposed if they use Salesforce’s guest user feature and those permissions were configured more broadly than Salesforce recommends. Not every Salesforce Experience Cloud-powered site is affected.
The good news: AppOmni’s existing posture monitoring already covers this. Our Data Records Exposed to Anonymous World insight has been surfacing this exposure to customers regardless of the access method used, including this new GraphQL variant. No changes to existing posture rules or policies are needed.
What can attackers do with harvested data?
Data collected in these scans, primarily names and contact details, is typically used to fuel follow-on scams, including targeted phone phishing (“vishing”) campaigns. In these, attackers call targets directly, impersonating IT staff or company leadership, with the goal of tricking employees into handing over login credentials or MFA codes, or into authorizing rogue SaaS-to-SaaS connected apps.
AppOmni has observed coordinated campaigns that follow this exact playbook: harvest CRM data, use it to make vishing calls seem legitimate, then escalate into full SaaS compromise and data exfiltration.
A guest user misconfiguration that exposes names and phone numbers can be the first link in a SaaS kill chain that ends with a serious data breach.
What AppOmni is doing about the Salesforce GraphQL exploit
The AppOmni Threat Detection team has moved quickly to ensure you’re protected. Here’s the current picture:
Posture Monitoring: No changes needed. Our existing Data Records Exposed to Anonymous World insight remains fully effective at identifying guest user permission exposure, regardless of how an attacker attempts to access it. If this insight is flagged in your environment, it should be treated as a high priority to remediate.
New Threat Detection: Live as of today. We have updated our threat detection to specifically catch this GraphQL attack variant. The new rule, Potential Aura Exploitation by Guest User via GraphQL Method was deployed at 4 AM EST this morning and will capture any matching activity from that point forward.
How to Read an Alert. If this detection is triggered, it does not automatically mean you’ve been successfully attacked. This rule can produce false positives. Here’s how to interpret it:
Alert triggers + Data Records Exposed to Anonymous World insight is also present: Strong indicator of a successful exfiltration attempt. Exposed data was available and likely accessed. Treat as a confirmed incident and investigate immediately.
Alert triggers with no matching posture insight: Likely a false positive. No exposed data was present for an attacker to reach.
Customer Notifications in Progress. We are actively identifying and notifying customers whose environments show signs of impact. If you have previously addressed this insight in your environment, your tenant should be safe.
Additionally, we encourage customers to check these within the AppOmni platform:
In Threat Detection Dashboard: Leverage this Event Search query
labels.action_message contains ACTION$executeGraphQL and user.roles contains any [Guest] and event.provider equals AuraRequest and user_agent.original equals Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0
In Posture Findings Dashboard: Search for “Data records exposed to anonymous world”
Fig. 1: Search for “Data records exposed to anonymous world” in AppOmni’s Posture Findings.
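As an added example (not AppOmni's code or platform logic), the Event Search query above and the alert-interpretation rules from the "How to Read an Alert" section can be reproduced as a small triage script over constructed Aura request events. It assumes the query's field paths (labels.action_message, user.roles, event.provider, user_agent.original) map to the flat attributes of a hypothetical AuraEvent record, and that the set of orgs where the Data Records Exposed to Anonymous World insight is flagged is available separately.

```python
from dataclasses import dataclass

# Exact user agent string from the post's Event Search query.
SUSPECT_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) "
              "Gecko/20100101 Firefox/85.0")

@dataclass
class AuraEvent:            # hypothetical flat view of one Aura request event
    org_id: str             # tenant the event belongs to
    action_message: str     # labels.action_message
    roles: list             # user.roles
    provider: str           # event.provider
    user_agent: str         # user_agent.original

def matches_query(ev: AuraEvent) -> bool:
    """Mirror the four clauses of the post's Event Search query."""
    return ("ACTION$executeGraphQL" in ev.action_message   # contains
            and "Guest" in ev.roles                         # contains any [Guest]
            and ev.provider == "AuraRequest"                # equals
            and ev.user_agent == SUSPECT_UA)                # equals

def triage(events, orgs_with_insight):
    """Return org_id -> verdict for every org with at least one matching event.
    An alert plus a present posture insight is treated as a confirmed incident;
    an alert with no matching insight is treated as a likely false positive."""
    verdicts = {}
    for ev in events:
        if not matches_query(ev):
            continue
        if ev.org_id in orgs_with_insight:
            verdicts[ev.org_id] = "confirmed-incident"
        else:
            verdicts.setdefault(ev.org_id, "likely-false-positive")
    return verdicts

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    AuraEvent("org-A", "ACTION$executeGraphQL", ["Guest"], "AuraRequest", SUSPECT_UA),
    AuraEvent("org-B", "ACTION$executeGraphQL", ["Guest"], "AuraRequest", SUSPECT_UA),
    AuraEvent("org-B", "ACTION$getItems", ["Guest"], "AuraRequest", SUSPECT_UA),   # not GraphQL
    AuraEvent("org-C", "ACTION$executeGraphQL", ["Member"], "AuraRequest", SUSPECT_UA),  # not guest
    AuraEvent("org-D", "ACTION$executeGraphQL", ["Guest"], "AuraRequest", "curl/8.0"),  # other UA
]
SAMPLE_INSIGHT_ORGS = {"org-A"}   # constructed: only org-A has the posture insight flagged

if __name__ == "__main__":
    for org, verdict in triage(SAMPLE_EVENTS, SAMPLE_INSIGHT_ORGS).items():
        print(org, verdict)
```

Only org-A and org-B produce alerts, and only org-A, where exposed data was actually present, is escalated to a confirmed incident.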
What Salesforce customers need to do
For most customers, the most important step is checking your Salesforce security posture. If the Data Records Exposed to Anonymous World insight is flagged in your environment, prioritize remediating your guest user permissions now. Key steps include:
Audit your guest user profile and remove any permissions not strictly required
Set org-wide sharing defaults to Private for external users
Disable public API access for guest users
Disable self-registration if your site does not require it
Beyond that, we always encourage vigilance against social engineering. Be skeptical of unsolicited calls requesting sensitive information, and verify any suspicious outreach.
The AppOmni Scout, our new managed threat hunting team, has been actively monitoring this vulnerability for some time, and we acted quickly when attacker techniques evolved. We’ll continue to update our detection alerts as the threat landscape changes and keep you informed every step of the way. If you have further questions or concerns, contact your dedicated customer success team or email us at: [email protected].
*** This is a Security Bloggers Network syndicated blog from AppOmni authored by Drew Gatchell, Sr. Director of Threat Detection, AppOmni. Read the original post at: https://appomni.com/ao-labs/salesforce-graphql-exploit-explained/
