More Salesforce instances have been breached by threat actors abusing a third-party application integration, this time through Klue’s Battlecards app.

The attacks, which are the latest in a series of breaches against Salesforce customers, came to light on June 17, when the CRM vendor announced it had suspended integration with Battlecards in response to a security incident. 

“Salesforce took this action because our security teams recently detected unusual activity involving the app that may have resulted in unauthorized access to a subset of customer data via the app’s connection to Salesforce,” the company said in an alert. “This issue is limited to Klue’s app connection and does not arise from a vulnerability within the Salesforce platform.”

In a blog post yesterday, ReliaQuest confirmed that threat actors gained access to Salesforce instances using Klue OAuth tokens and exfiltrated customer data. ReliaQuest researchers also noted a pattern similar to previous attacks involving third-party app integrations. 

“The activity follows the same third-party OAuth-abuse playbook behind the Salesloft Drift and Gainsight compromises that rattled Salesforce ecosystems throughout 2025 and 2026, reinforcing that trusted software-as-a-service (SaaS) integrations remain a high-value yet little-monitored route to reach sensitive data,” according to the ReliaQuest blog post.

Latest Salesforce Breaches Stem From Klue Compromise

In the attacks observed by ReliaQuest, the threat actors authenticated through a compromised Klue integration service account and generated OAuth tokens that granted them access to customers’ integrated Salesforce instances. The attackers then ran automated Python scripts that exfiltrated data via the Salesforce REST API over a period of approximately 24 hours.

The attacks included “a concentrated burst of nearly a thousand queries in 15 minutes” against at least one environment, according to ReliaQuest researchers, along with sustained exfiltration lasting more than six hours. “Where the first stage was a slow, steady pull designed to blend in, this burst traded stealth for speed, suggesting either time pressure or a shift to targeted records,” the researchers wrote.

A ReliaQuest spokesperson tells Dark Reading the 24-hour window is consistent with a bulk-extraction operation rather than a disrupted attack. “The attacker appears to have enumerated available data, extracted what was accessible, and moved on once they had it,” the spokesperson says. “It’s also possible the attacker was configuring tooling and exfiltrating data from other targets during that same window.”

It’s unclear how many Salesforce customers were affected by the latest attacks, but at least one company disclosed that its Salesforce data was compromised. In a blog post today, cybersecurity vendor Huntress said attackers copied data that “includes business contacts, price quotes, and other sales-related data and messaging.”

Huntress also shed additional light on the threat activity, which it called “a major supply chain attack.” According to the firm, the threat actors breached a backend system for Klue’s market intelligence platform. 

“Klue’s compromise began on June 11, when some anomalous behavior took place in a system that connects with various integrations to other software platforms,” the blog post stated. “The attackers pushed a code update capable of collecting OAuth tokens Klue’s customers use to connect Klue to their own systems.”

The Klue breach, according to Huntress, appears to have stemmed from “a long-disused but still active credential” that was initially created for Klue to test a third-party integration that was never ultimately deployed. The attackers used this credential to gain access to Klue’s environment.

Huntress said Klue became aware of the malicious activity on June 12 and credited the company for its fast response and forthcoming updates on the situation (which require a Klue account to view). According to Huntress, Klue “rapidly deactivated the OAuth credentials for all customers,” and disabled its integration with Salesforce as well as several other apps, including HubSpot, Microsoft SharePoint, Zoom, and Google Drive.

Dark Reading contacted Klue for comment, but the company did not respond by press time.

Salesforce Attacks Tied to Icarus Extortion Group

While threat actors associated with the ShinyHunters cybercrime group were responsible for previous Salesforce attacks, the latest wave appears to be the work of a different group: Icarus. 

On June 16, Huntress received an email from threat actors informing the company that they possessed the stolen Salesforce data and would go public within 24 hours if Huntress did not “do the right decision.” The extortion email included a unique key for a communications platform called Session, presumably for victims to negotiate a ransom payment.

Huntress discovered that the Session Messenger ID in the email matched the one listed on the Dark Web leak site of Icarus, an emerging threat group that first appeared on the threat landscape in April. The Icarus leak site currently has one victim listed, though a “news” post published on June 12 says “big corps getting listed. be ready.”

Additionally, Huntress found the emails it received were sent from three corporate mail domains for an Australian company called Global Retail Brands, an appliance and home goods retailer. The vendor’s investigators believe Icarus actors compromised the retailer’s infrastructure and are using its mail server for malicious purposes. Huntress reported the activity to the Australian Cyber Security Centre.

While the investigations into the breaches continue, ReliaQuest urged organizations to immediately revoke and reissue “everything tied to the Klue integration, including the service-account password, refresh tokens, client secrets, and active OAuth grants.” The vendor also recommended that security teams review their Salesforce API activity for unusual REST API query volume and other anomalies, and enforce IP allowlisting for third-party integration accounts and connected apps to block any access outside approved sources.
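The review ReliaQuest recommends above (unusual REST API query volume, the slow-pull-then-burst pattern, and access from outside approved sources) can be turned into a simple hunt over Salesforce API logs. The script below is an added example, not code from ReliaQuest, Huntress or Salesforce; it uses a simplified, assumed column layout loosely modeled on Salesforce's RestApi event-log CSV (`TIMESTAMP_DERIVED`, `USER_ID`, `CLIENT_IP`, `URI`), constructed sample data with documentation-range IPs and placeholder user IDs, and tunable thresholds chosen for illustration.

```python
"""Hunt for bulk REST API extraction by a third-party integration user.

Added example with constructed data. The CSV layout is an assumed, simplified
subset of Salesforce's RestApi event log; user IDs, IPs and thresholds are
illustrative placeholders, not values from any real incident.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

BURST_WINDOW = timedelta(minutes=15)     # window ReliaQuest described
BURST_THRESHOLD = 50                     # queries per window before alerting (tune per org)
SUSTAINED_MIN = timedelta(hours=6)       # flag sessions at least this long
MAX_GAP = timedelta(minutes=30)          # a pause longer than this ends a session


def parse_events(text):
    """Parse CSV rows into (timestamp, user, ip, uri) tuples sorted by time."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["TIMESTAMP_DERIVED"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append((ts, row["USER_ID"], row["CLIENT_IP"], row["URI"]))
    rows.sort()
    return rows


def _stamps_per_user(events):
    per_user = defaultdict(list)
    for ts, user, _ip, _uri in events:
        per_user[user].append(ts)
    return per_user


def find_bursts(events, window=BURST_WINDOW, threshold=BURST_THRESHOLD):
    """Sliding-window count per user; returns {user: peak queries in any window}
    for users whose peak reaches the threshold."""
    hits = {}
    for user, stamps in _stamps_per_user(events).items():
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[user] = peak
    return hits


def find_sustained(events, min_duration=SUSTAINED_MIN, max_gap=MAX_GAP):
    """Split each user's requests into sessions separated by gaps > max_gap;
    returns {user: longest session} for sessions lasting at least min_duration."""
    hits = {}
    for user, stamps in _stamps_per_user(events).items():
        longest = timedelta(0)
        session_start = prev = stamps[0]
        for ts in stamps[1:]:
            if ts - prev > max_gap:
                longest = max(longest, prev - session_start)
                session_start = ts
            prev = ts
        longest = max(longest, prev - session_start)
        if longest >= min_duration:
            hits[user] = longest
    return hits


def find_unapproved_sources(events, allowlist):
    """Returns {user: {ips}} for requests from IPs outside the user's allowlist,
    i.e. what an IP allowlist on the connected app would have blocked."""
    hits = defaultdict(set)
    for _ts, user, ip, _uri in events:
        if ip not in allowlist.get(user, set()):
            hits[user].add(ip)
    return dict(hits)


def build_sample_log():
    """Constructed sample: one benign hourly sync and one slow-pull-then-burst pattern."""
    base = datetime(2026, 6, 15, 2, 0, 0)
    lines = ["EVENT_TYPE,TIMESTAMP_DERIVED,USER_ID,CLIENT_IP,URI"]

    def add(ts, user, ip):
        lines.append(f"RestApi,{ts:%Y-%m-%dT%H:%M:%SZ},{user},{ip},/services/data/v60.0/query")

    for h in range(8):                                   # benign: one query per hour
        add(base + timedelta(hours=h), "005-BENIGN", "203.0.113.10")
    for i in range(84):                                  # slow pull: every 5 min for ~7 h
        add(base + timedelta(minutes=5 * i), "005-INTEG", "198.51.100.7")
    for i in range(120):                                 # burst: 120 queries in 10 min
        add(base + timedelta(hours=7, seconds=5 * i), "005-INTEG", "198.51.100.7")
    return "\n".join(lines) + "\n"


def run_hunt(log_text=None, allowlist=None):
    """Run all three checks; the defaults use the constructed sample and allowlist."""
    events = parse_events(log_text or build_sample_log())
    allowlist = allowlist or {"005-BENIGN": {"203.0.113.10"}, "005-INTEG": {"192.0.2.50"}}
    return {
        "bursts": find_bursts(events),
        "sustained": find_sustained(events),
        "unapproved_sources": find_unapproved_sources(events, allowlist),
    }


if __name__ == "__main__":
    for name, hits in run_hunt().items():
        print(f"{name}: {hits}")
```

On the constructed sample only the integration user trips all three checks: a peak of 121 queries inside one 15-minute window, a single session of just over seven hours, and a source IP that is not on its allowlist. Real Salesforce event logs carry more columns and arrive as hourly or daily files, so in practice the thresholds should be set from each integration's normal baseline rather than the illustrative values used here.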
