Salesforce has issued a warning about increasing malicious activity targeting its Experience Cloud platform. Threat actors are exploiting misconfigurations in publicly accessible sites using a customized version of the open-source tool AuraInspector. This activity highlights the risks associated with overly permissive guest user configurations, which can expose sensitive customer data to unauthorized access.
The modified AuraInspector tool, originally written to identify access control misconfigurations, has been adapted to go beyond that purpose. The standard version identifies exposed objects by probing API endpoints such as /s/sfsites/aura and reporting what the guest user can reach; the customized variant goes further and actively pulls records out of the objects that misconfigured guest user profiles expose. This development underscores the importance of adhering to Salesforce’s configuration guidelines to prevent unauthorized data access.
How Misconfigurations Are Exploited
Salesforce Experience Cloud sites use a guest user profile to let unauthenticated visitors reach basic resources such as landing pages and FAQs. If that profile is granted excessive permissions, it can inadvertently expose sensitive data. Threat actors take advantage of this by querying Salesforce CRM objects directly through the site; no authentication has to be bypassed, because the guest profile itself grants the access.
For such an attack to succeed, two conditions must be met: the site must expose a guest user profile, and Salesforce’s recommended security configurations must not have been applied. These missteps give attackers access to data such as names and contact details, which can then be used in follow-up phishing or social engineering campaigns.
Who Is Behind the Campaign?
Salesforce has attributed this activity to a known threat actor group, although it has not disclosed the group’s identity. Speculation suggests that the group could be ShinyHunters, a cybercriminal organization with a history of targeting Salesforce environments through third-party applications. This aligns with the broader trend of identity-based targeting, where attackers focus on exploiting misconfigurations to harvest data for malicious purposes.
Recommended Security Measures
To mitigate these risks, Salesforce advises customers to review and tighten their Experience Cloud guest user settings. Key recommendations include:
- Setting the Default External Access for all objects to Private.
- Disabling guest user access to public APIs.
- Restricting visibility settings to prevent guest users from enumerating internal organization members.
- Disabling self-registration if it is not required.
- Monitoring logs for unusual or unauthorized queries.
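The following script is an added example, not code from Salesforce or from this article. It ties the two halves of the problem together: the audit in the first part checks the same pair of conditions the exploitation section describes (a guest profile that can read an object, combined with an external org-wide default that is not Private), and the second part implements the log-monitoring recommendation by flagging sources that issue bursts of guest-user requests to the /s/sfsites/aura endpoint. The profile and object inputs use the Salesforce Metadata API XML shapes (Profile objectPermissions, CustomObject externalSharingModel); the log format, the object names FAQ__c and the IP addresses are constructed for the example and are not the real Event Monitoring schema.

```python
"""Audit an Experience Cloud guest user profile and scan access logs for
guest-user query bursts against the Aura endpoint.

Added example (not Salesforce's code). Assumptions:
- Profile and object metadata are Metadata API XML (Profile <objectPermissions>,
  CustomObject <externalSharingModel>), here embedded as constructed samples.
- Log lines are a CONSTRUCTED simplified format, not the real Salesforce
  Event Monitoring schema; adapt LOG_RE to your actual log source.
"""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"m": "http://soap.sforce.com/2006/04/metadata"}
AURA_PATH = "/s/sfsites/aura"

# Constructed sample: a guest profile granting Read on three objects.
GUEST_PROFILE_XML = """
<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
  <objectPermissions><allowRead>true</allowRead><object>Contact</object></objectPermissions>
  <objectPermissions><allowRead>true</allowRead><object>Case</object></objectPermissions>
  <objectPermissions><allowRead>true</allowRead><object>FAQ__c</object></objectPermissions>
  <objectPermissions><allowRead>false</allowRead><object>Opportunity</object></objectPermissions>
</Profile>"""

# Constructed sample: the external org-wide default (OWD) of each object.
_OBJ = '<CustomObject xmlns="http://soap.sforce.com/2006/04/metadata">' \
       '<externalSharingModel>{}</externalSharingModel></CustomObject>'
OBJECT_XML = {"Contact": _OBJ.format("Read"),
              "Case": _OBJ.format("Private"),
              "FAQ__c": _OBJ.format("Read")}


def guest_readable_objects(profile_xml):
    """Objects on which the profile grants Read: the guest user's access ceiling."""
    root = ET.fromstring(profile_xml)
    return [perm.findtext("m:object", namespaces=NS)
            for perm in root.findall("m:objectPermissions", NS)
            if perm.findtext("m:allowRead", default="false", namespaces=NS) == "true"]


def external_sharing_model(object_xml):
    """External OWD declared for one object; 'Unknown' if the element is absent."""
    return ET.fromstring(object_xml).findtext(
        "m:externalSharingModel", default="Unknown", namespaces=NS)


def audit_guest_exposure(profile_xml, objects_xml, allowlist=()):
    """Return (findings, intended): objects the guest profile can read whose
    external OWD is not Private. A record is reachable anonymously only when
    BOTH the profile grants Read AND the external OWD (or a sharing rule)
    exposes it, so this flags the OWD half. Objects in `allowlist` are public
    by design (e.g. FAQ content) and are reported separately."""
    findings, intended = [], []
    for obj in guest_readable_objects(profile_xml):
        xml = objects_xml.get(obj)
        model = external_sharing_model(xml) if xml else "Unknown"
        if model == "Private":
            continue
        (intended if obj in allowlist else findings).append((obj, model))
    return findings, intended


# Constructed log format: "<ts> user=<u> src=<ip> path=<p> [object=<o>]".
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
                    r"path=(?P<path>\S+)(?: object=(?P<obj>\S+))?")

SAMPLE_LOG = """\
2025-03-01T10:00:01Z user=guest src=198.51.100.7 path=/s/ object=-
2025-03-01T10:00:02Z user=guest src=203.0.113.5 path=/s/sfsites/aura object=Contact
2025-03-01T10:00:02Z user=guest src=203.0.113.5 path=/s/sfsites/aura object=Contact
2025-03-01T10:00:03Z user=guest src=203.0.113.5 path=/s/sfsites/aura object=Contact
2025-03-01T10:00:03Z user=guest src=203.0.113.5 path=/s/sfsites/aura object=Contact
2025-03-01T10:00:04Z user=guest src=203.0.113.5 path=/s/sfsites/aura object=Case
2025-03-01T10:00:04Z user=guest src=203.0.113.5 path=/s/sfsites/aura object=Case
2025-03-01T10:00:09Z user=alice@corp.example src=192.0.2.10 path=/s/sfsites/aura object=Case
2025-03-01T10:00:10Z user=guest src=198.51.100.7 path=/s/sfsites/aura object=FAQ__c
"""


def flag_guest_query_bursts(log_text, threshold=5, guest_user="guest"):
    """Return {src: {object: count}} for sources whose guest-user requests to
    the Aura endpoint exceed `threshold`. Authenticated users and ordinary
    page loads are ignored; a single source hammering the endpoint as the
    guest user is the pattern a scraping tool produces."""
    per_src = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["user"] != guest_user or m["path"] != AURA_PATH:
            continue
        per_src[m["src"]][m["obj"] or "-"] += 1
    return {src: dict(objs) for src, objs in per_src.items()
            if sum(objs.values()) > threshold}


if __name__ == "__main__":
    findings, intended = audit_guest_exposure(GUEST_PROFILE_XML, OBJECT_XML, allowlist=("FAQ__c",))
    for obj, model in findings:
        print(f"FINDING: guest can read {obj}; external OWD is {model} (expected Private)")
    for obj, model in intended:
        print(f"note: {obj} is public by design (external OWD {model})")
    for src, objs in flag_guest_query_bursts(SAMPLE_LOG).items():
        print(f"ALERT: {src} issued {sum(objs.values())} guest Aura requests: {objs}")
```

Run against a real org, the metadata would come from a retrieve of the guest user's Profile and the affected CustomObject files, and the log scanner would be pointed at whichever access log records the site's Aura requests; the threshold is deliberately low here so the constructed sample trips it.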
These measures are critical to reducing exposure and ensuring that sensitive data remains secure.
In all, this incident reflects a growing trend in cyberattacks that exploit configuration weaknesses rather than inherent platform vulnerabilities. By targeting misconfigured systems, attackers can bypass traditional security measures and gain unauthorized access to valuable data. Organizations must remain vigilant and proactive in securing their configurations to defend against such threats.
For more information on securing cloud platforms and mitigating risks, refer to Salesforce’s official documentation and guidelines.
Sean Doyle
Sean is a tech author and security researcher with more than 20 years of experience in cybersecurity, privacy, malware analysis, analytics, and online marketing. He focuses on clear reporting, deep technical investigation, and practical guidance that helps readers stay safe in a fast-moving digital landscape. His work continues to appear in respected publications, including articles written for Private Internet Access. Through Botcrawl and his ongoing cybersecurity coverage, Sean provides trusted insights on data breaches, malware threats, and online safety for individuals and businesses worldwide.