The Salesloft Breach: A Masterclass in OAuth Token Hijacking and Cloud Compromise

Listen to this Post

Featured Image

Introduction:

The recent sophisticated attack on Salesloft, which pivoted to compromise Drift’s AWS environment, underscores a critical escalation in cloud and integration-based threats. This incident demonstrates how stolen OAuth tokens and lax access controls on development platforms like GitHub can serve as a springboard for massive data exfiltration, moving far beyond the initial point of entry.

Learning Objectives:

  • Understand the attack chain from GitHub compromise to cloud environment breach.
  • Learn critical commands to investigate OAuth token usage and AWS credential exposure.
  • Implement proactive hardening measures for GitHub, OAuth, and AWS integrations.

You Should Know:

1. Auditing GitHub Organization Members and Access Logs

The attackers added guest users to gain persistence. Regularly auditing your GitHub organization is paramount.

 List all members of an organization
gh api orgs/[bash]/members

List all outside collaborators
gh api orgs/[bash]/outside_collaborators

List recent audit log events (GitHub Enterprise only)
gh api /orgs/[bash]/audit-log

Step-by-step guide: The GitHub CLI (gh) is essential for rapid auditing. First, authenticate using gh auth login. Replace `

` with your organization's name. The `members` command lists all direct members, while `outside_collaborators` shows users with access to specific repositories without being organization members. Regularly cross-reference this list with known employees. For enterprises, the audit log provides a timeline of all sensitive actions, which is crucial for forensic analysis.

<h2 style="color: yellow;">2. Detecting Malicious GitHub Actions Workflows</h2>

The threat actors established workflows for persistence and data exfiltration.

[bash]
 List all workflows in a repository
gh workflow list -R [bash]/[bash]

View the YAML content of a specific workflow
gh workflow view [bash] -R [bash]/[bash] --yaml

Disable a suspicious workflow immediately
gh workflow disable [bash] -R [bash]/[bash]

Step-by-step guide: After listing all active workflows, scrutinize any recently created or modified ones. Use `view` to inspect the YAML code. Look for suspicious steps that may exfiltrate data via `curl` commands to unknown domains, use unauthorized secrets, or check out other repositories. The `disable` command is a critical containment step to stop a malicious workflow from running again.

3. Rotating and Investigating Exposed AWS Credentials

Containment involved rotating credentials. You must identify where credentials are used.

 Use AWS IAM to list access key age for a user
aws iam list-access-keys --user-name [bash]

Rotate a compromised access key
aws iam create-access-key --user-name [bash]
aws iam delete-access-key --user-name [bash] --access-key-id [bash]

Check for credentials exposed in GitHub history
git log -p --all --full-history -- "/.env" "/credentials.json" "/aws.yml"

Step-by-step guide: The AWS CLI commands require appropriate IAM permissions. `list-access-keys` shows creation dates; keys older than 90 days or created recently without authorization should be suspect. Rotation is a two-step process: create a new key, update all applications, then delete the old one. The `git log` command is a deep dive to find secrets accidentally committed and pushed, which is a common initial access vector.

  1. Hunting with OAuth Token Logs (Google Workspace Example)
    Stolen OAuth tokens were used for unauthorized data access. Monitoring token usage is key.
 Use GAM (Google Workspace Admin API) to list all third-party OAuth apps
gam print tokens showexpired

Revoke a specific OAuth token by App ID or user
gam user [bash] delete tokens [bash]

Step-by-step guide: GAM is an advanced command-line tool for Google Workspace administrators. The `print tokens` command provides a comprehensive list of all OAuth tokens granted by users in your domain, including the associated application and scope of access. Look for tokens with broad scopes (like `https://www.googleapis.com/auth/gmail.readonly`) granted to unfamiliar applications. The `delete tokens` command instantly revokes access, forcing a re-authentication.

5. Querying AWS CloudTrail for Suspicious API Calls

Proactive threat hunting in AWS requires analyzing CloudTrail logs for IOCs.

 Use AWS CLI to filter CloudTrail events by source IP (an known IOC)
aws cloudtrail lookup-events --lookup-attributes AttributeKey=SourceIpAddress,AttributeValue=[bash]

Filter by event name (e.g., unusual API calls)
aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=GetSecretValue

Export logs to Athena for complex SQL-based hunting
SELECT eventSource, eventName, sourceIPAddress, eventTime
FROM cloudtrail_logs
WHERE sourceIPAddress IN ('[bash]', '[bash]')
AND eventTime >= '2025-03-01T00:00:00Z'

Step-by-step guide: The first two CLI commands are for quick, targeted checks against known IOCs. For deeper analysis, exporting CloudTrail logs to Amazon S3 and querying them with Athena is the industry standard. The sample SQL query hunts for any API activity originating from the threat actor’s known IP addresses within a specific time window, which is crucial for determining the blast radius of a breach.

6. Revoking and Monitoring Application API Keys

The advisory mandates revoking existing Drift API keys. This process applies universally.

 Example cURL command to revoke a key via Drift API (consult specific API docs)
curl -X DELETE "https://driftapi.com/v2/api_keys/[bash]" \
-H "Authorization: Bearer [bash]"

List remaining keys to verify
curl -X GET "https://driftapi.com/v2/api_keys" \
-H "Authorization: Bearer [bash]"

Step-by-step guide: The exact API endpoint and parameters will vary by service (Drift, Salesforce, etc.). Always refer to the latest API documentation. The process typically involves using an administrative token to first list all active keys, identify those to be revoked, and then send a DELETE request to the specific key’s endpoint. Immediately after rotation, monitor application logs for errors and successful authentications with the new keys.

7. Implementing Cloud Hardening with AWS IAM Policies

Prevention requires enforcing least privilege, especially for CI/CD users.

 AWS IAM Policy example to restrict GitHub Actions from specific repos
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::my-secure-bucket/${aws:PrincipalTag/GitHubRepository}/",
"Condition": {
"StringEquals": {"aws:PrincipalTag/GitHubRepository": "my-org/my-repo"}
}
}
]
}

Step-by-step guide: This policy uses IAM’s condition keys to dynamically restrict access based on tags. When configuring GitHub Actions OIDC with AWS, you can map the repository name as a tag. This ensures that a workflow from the `my-org/my-repo` repository can only write to the S3 path prefixed with its own name, preventing a compromised workflow from one repo from affecting assets of another. This is a powerful segmentation control.

What Undercode Say:

  • The Software Supply Chain is the New Battleground. This attack didn’t exploit a code vulnerability but the integration points between development and cloud platforms. Security focus must shift left to include CI/CD pipelines, OAuth consent reviews, and IaC (Infrastructure as Code) security.
  • OAuth Token Security is Critically Overlooked. Tokens often provide long-lived, broad access that bypasses traditional security controls. Their management and monitoring are non-negotiable for modern app security.

The technical segmentation that contained this incident is a best-practice outcome. However, most organizations lack such clear boundaries between integrated SaaS applications. This breach is a potent reminder that your security posture is only as strong as the weakest link in your integration chain. Proactive, automated auditing of these connections is no longer optional.

Prediction:

This attack methodology will be commoditized by lower-tier threat actors, leading to a surge in SaaS-to-cloud pivoting attacks throughout 2025 and 2026. We predict a corresponding rapid evolution in Cloud Detection and Response (CDR) and SaaS Security Posture Management (SSPM) tools, focusing on behavioral analytics for OAuth tokens and CI/CD pipelines. Organizations will be forced to adopt Zero Trust principles not just for users, but for machine identities and workloads, leading to a new standard of granular, attribute-based access control for cloud integrations.

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Dvuln Saleslofts – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky