
Klue OAuth breach linked to 'Icarus' Salesforce data theft attacks

BleepingComputer, 18/06/2026, 14:19

Summary

AI-Generated

Key Points:

  • Klue experienced an OAuth breach that allowed the "Icarus" threat actors to steal Salesforce CRM data from multiple organizations, initiating an extortion campaign.
  • The impact includes the theft of sensitive CRM-related information such as business contacts and sales communications from affected organizations. Salesforce has disabled the Klue Battlecards integration pending investigation.
  • Organizations are advised to review logs for unusual activity, revoke and rotate OAuth tokens, and terminate active sessions.

Technical Details: Attackers exploited Klue's backend systems to push a malicious code update that compromised customer OAuth tokens. They used these tokens to access Salesforce's REST API for data exfiltration.
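As an added illustration of the log-review advice above (this is not code from the article, Klue or Salesforce), the Python below baselines per-connected-app REST API volume and source IPs over a constructed log excerpt and flags the kind of deviation that token abuse like the one described would produce: a sudden jump in rows pulled and requests arriving from addresses the integration never used before. The CSV column names, app identifiers and IP addresses are assumptions modelled loosely on a Salesforce event-log export, not the vendor's schema or any real indicator.

```python
"""Flag anomalous REST API use per OAuth connected app (added example, constructed data)."""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample, loosely modelled on a Salesforce EventLogFile "RestApi" export.
# Column names, app ids and IPs are assumptions for this example, not the vendor schema
# and not indicators from the article.
SAMPLE_LOG = """\
TIMESTAMP,USER_ID,CONNECTED_APP_ID,CLIENT_IP,URI,ROWS_PROCESSED
2026-06-10T09:00:00Z,005A1,app_klue_example,203.0.113.10,/services/data/v60.0/query,50
2026-06-11T09:05:00Z,005A1,app_klue_example,203.0.113.10,/services/data/v60.0/query,60
2026-06-12T09:02:00Z,005A1,app_klue_example,203.0.113.10,/services/data/v60.0/query,55
2026-06-13T09:01:00Z,005A1,app_klue_example,203.0.113.10,/services/data/v60.0/query,45
2026-06-15T02:10:00Z,005A1,app_klue_example,198.51.100.77,/services/data/v60.0/query,2000
2026-06-15T02:11:00Z,005A1,app_klue_example,198.51.100.77,/services/data/v60.0/query,2000
2026-06-15T02:12:00Z,005A1,app_klue_example,198.51.100.77,/services/data/v60.0/query,2000
2026-06-15T02:13:00Z,005A1,app_klue_example,198.51.100.77,/services/data/v60.0/query,2000
2026-06-15T09:00:00Z,005B2,app_other_example,203.0.113.20,/services/data/v60.0/sobjects/Account,10
"""

# Start of the observation window; everything earlier forms the baseline.
WINDOW_START = datetime(2026, 6, 14)


def parse_rows(text):
    """Parse the CSV export into dicts with a datetime and an integer row count."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = datetime.strptime(r["TIMESTAMP"], "%Y-%m-%dT%H:%M:%SZ")
        r["rows"] = int(r["ROWS_PROCESSED"])
    return rows


def profile(rows):
    """Per connected app: total rows pulled, distinct client IPs and active days."""
    stats = defaultdict(lambda: {"rows": 0, "ips": set(), "days": set()})
    for r in rows:
        s = stats[r["CONNECTED_APP_ID"]]
        s["rows"] += r["rows"]
        s["ips"].add(r["CLIENT_IP"])
        s["days"].add(r["ts"].date())
    return stats


def find_anomalies(rows, window_start, ratio=5.0):
    """Return [(app_id, [reasons])] for apps whose recent activity departs from baseline.

    An app is flagged when its daily row volume exceeds `ratio` times the baseline
    average, when it sends requests from an IP not seen in the baseline, or when it
    has no baseline history at all (a newly authorised integration is worth a look).
    """
    baseline = profile([r for r in rows if r["ts"] < window_start])
    recent = profile([r for r in rows if r["ts"] >= window_start])
    findings = []
    for app, cur in recent.items():
        base = baseline.get(app)
        reasons = []
        if base is None:
            reasons.append("no baseline history for this app")
        else:
            base_daily = base["rows"] / max(len(base["days"]), 1)
            cur_daily = cur["rows"] / max(len(cur["days"]), 1)
            if cur_daily > ratio * base_daily:
                reasons.append(f"daily rows {cur_daily:.0f} vs baseline {base_daily:.0f}")
            new_ips = cur["ips"] - base["ips"]
            if new_ips:
                reasons.append("new client IPs: " + ", ".join(sorted(new_ips)))
        if reasons:
            findings.append((app, reasons))
    return findings


def run_demo():
    """Run the check over the constructed sample with the fixed window start."""
    return find_anomalies(parse_rows(SAMPLE_LOG), WINDOW_START)


if __name__ == "__main__":
    for app, reasons in run_demo():
        print(app)
        for reason in reasons:
            print("  -", reason)
```

On a real export the same two signals (volume relative to the app's own history and source addresses it has never used) are what to pull before deciding which tokens to revoke; an app that trips the volume check from a new address at an off-hours timestamp, as the constructed `app_klue_example` rows do here, is the case to escalate.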

MITRE ATT&CK Techniques:

  • T1078 - Valid Accounts (Defense Evasion)
  • T1190 - Exploit Public-Facing Application (Initial Access)
  • T1003.001 - OS Credential Dumping: OAuth Tokens (Credential Access)
  • T1071.001 - Application Layer Protocol: Web Protocols (Command and Control)

IOCs Mentioned:

  • IP addresses linked to the attacks (specific addresses not provided in summary).
