Workday Breached as Ransomware Group Seeks Salesforce Data


CRM Breach May Be Tied to Ongoing Scattered Spider and ShinyHunters Campaign

Human resources and finance software giant Workday said hackers breached its customer relationship management software and stole customer data.

Workday said its attacker didn’t appear to have breached the company’s own cloud-based infrastructure, such as customer tenants or the data held there.

The company said the attacker “primarily” stole corporate contact details, such as names, email addresses and phone numbers, which could be employed in social engineering attacks. “It’s important to remember that Workday will never contact anyone by phone to request a password or any other secure details,” the firm said.

The breach alert from the publicly traded, $8.4 billion cloud-based software firm, founded in 2005 and headquartered in Pleasanton, California, comes amid a wave of similar intrusions against third-party CRM platforms, many involving attackers posing as employees and tricking corporate IT help desks into giving them direct access to the organization’s Salesforce CRM instance. The firm says 60% of the 500 biggest publicly traded U.S. firms use its software.

The company hasn’t specified when the attack occurred, how many individuals have been affected or the brand of CRM software it uses.

The attack against the firm may be another instance of ongoing campaigns by individuals claiming to be part of the cybercrime collectives Scattered Spider and ShinyHunters, and sometimes also Lapsus$.

Many of these attacks trace to organizations being tricked into granting access to their Salesforce cloud-based CRM software instances. Salesforce has said none of the attacks against its customers appear to have involved any type of vulnerability in the CRM software; instead, the attackers trick victims into giving them direct access to their CRM data.

Scattered Spider attacks often involve ransomware deployed in a victim’s environment, as well as stolen data being held for ransom. Attacks that trace to ShinyHunters involve solely data extortion. Members of the apparent cybercrime collective have suggested they simply use whichever name fits the type of attack for which they opt.

Anatomy of a Spider

Scattered Spider, ShinyHunters and Lapsus$ emerged from the cybercrime collective known as The Community, aka The Com or The Comm, largely comprised of Western teenagers. Security experts have been tracking Scattered Spider attacks since 2022, and said many succeeded thanks to attackers’ social engineering skills, bolstered by their being native English speakers. By mid-2024, Scattered Spider’s victims numbered over 130 organizations, including big-name brands such as Las Vegas giants Caesars Entertainment and MGM Resorts, and Clorox.

The group often “targets large companies and their contracted IT help desks,” the U.S. Cybersecurity and Infrastructure Security Agency and partners warned last month in an updated advisory report. The group’s tactics frequently change and lately feature even more sophisticated social engineering techniques, as well as fresh types of malware for exfiltrating data and ransomware for encrypting it.

“The callers are patient, amiable and armed with the right arsenal of information to impersonate their target,” said ransomware response firm Coveware in a July report. Once they obtain a foothold in a network, they are “quick to escalate and maintain such prolific and vicious persistence that the victim’s only option to contain the environment is to proactively shut operations down,” it said. “This self-inflicted disruption is often necessary, but it does come at a cost and effectively guarantees the attack will be swiftly picked up in the media.”

CISA’s advisory says organizations should have in place offline backups that are stored separately from the source systems and regularly tested. Organizations should use phishing-resistant multifactor authentication to protect every account possible, and employ “allowlisting” application controls to block unapproved software from executing, including – but not limited to – remote access programs, the agency said.

A series of arrests last year of alleged Com members doesn’t appear to have stunted the collective’s efforts, which since the middle of the year have included breaching British retailer Marks & Spencer, followed by American retailers such as Adidas and Victoria’s Secret. The group has been targeting American insurers such as Aflac and Allianz Life, global airlines including Air France, KLM and Qantas, and technology giants Cisco and Google. Not all of those attacks have been confirmed as involving Salesforce software.

Members tend to fixate on a particular industry at a time, attacking as many as possible within a sector over a short period of time. “Industries are likely chosen based on perceived profitability or ease of social engineering,” threat intelligence firm Flashpoint said in a Friday report. “While this campaign style is not unique to threat actors, it is a distinct feature of this group’s operations.”

Security experts said that in every such case, attackers appeared to obtain mostly non-sensitive business contact data.

The attention given to Scattered Spider and ShinyHunters attacks may be going to their members’ heads. Individuals tied to the groups on Aug. 8 launched a Telegram channel named “Scattered Spider LAPSU$ Sp1d3r Hunters,” to which they made numerous posts: naming previously unknown victims, dumping data, sharing screenshots of allegedly breached organizations, releasing an alleged zero-day exploit for SAP NetWeaver and trolling law enforcement (see: Scattered Spider and ShinyHunters’ Next Move: Leaking Data).

After Telegram apparently blocked their first channel, the group reemerged using a variety of different handles, including @scatteredsp1d3rhunters and @leavemealonefbi, through which they’ve continued to name victims and threaten future attacks. This has included announcing “Operation Com” to supposedly target government entities and members of the Fortune 500 list of the biggest publicly traded U.S. companies.