Cybersecurity Firms Impacted by Klue Supply Chain Attack

SecurityWeek, 19/06/2026, 09:19

Summary

AI-Generated

Key Points:

  • A supply chain attack targeting Klue has impacted cybersecurity firms Huntress and Recorded Future, allowing unauthorized access to customer data through compromised OAuth tokens.
  • The attackers exploited the Salesforce REST API to exfiltrate CRM data, including business contacts and sales-related information, without accessing the firms' internal systems.
  • It is recommended that affected organizations review their integrations with Klue and Salesforce, monitor for unusual activity, and ensure OAuth tokens are deactivated.

Technical Details: The attack began on June 11, 2023, when hackers executed unauthorized commands on Klue’s backend servers to harvest OAuth tokens. The incident involved a significant volume of data extraction from Salesforce over a short period.

MITRE ATT&CK Techniques:

  • T1071.001 - Application Layer Protocol: Web Protocols (Command and Control)
  • T1078 - Valid Accounts (Defense Evasion)

IOCs Mentioned: None mentioned
