Market intelligence platform Klue has publicly acknowledged a recent security incident that allowed threat actors to steal OAuth tokens used to connect to customers' Salesforce environments, as the new "Icarus" extortion group publicly claims the attack.
The disclosure comes after cybersecurity firms Huntress and ReliaQuest detailed how attackers exploited a compromised Klue Battlecards integration to steal Salesforce CRM data from multiple organizations.
In a statement released this week, Klue CEO Jason Smith said the company discovered unauthorized activity affecting some of Klue's integration infrastructure on June 12.
"On June 12, we identified unauthorized activity impacting some of Klue's integration infrastructure. Since then, we have been working with trusted cybersecurity experts to understand what happened, support our customers, and restore the connectivity they rely on," Smith wrote.
"Our investigation revealed that the attacker gained access by compromising legacy credentials related to the integration service. The attacker used that access to obtain OAuth tokens used to connect Klue to certain third-party platforms, such as Salesforce, and then accessed data within a number of connected customer environments."
The company said there is currently no evidence that customer content stored directly within the Klue platform was affected, and that the incident was limited to third-party integrations.
Klue said it immediately revoked the affected credentials and tokens, removed the malicious code, disabled the affected integrations, launched an investigation, and notified law enforcement. The company also stated that it worked with CrowdStrike to assist in the response.
ReliaQuest and Huntress found that attackers used stolen OAuth credentials related to Klue integrations to gain access to customers' Salesforce environments and carry out large-scale data theft.
ReliaQuest observed that when data was stolen, attackers generated OAuth tokens and used Python scripts to query Salesforce's API for long periods of time.
Huntress subsequently disclosed that its own Salesforce environment was affected by the Klue breach, and that the stolen data included business contacts, sales communications, pricing information, and other records.
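Defenders can hunt for the pattern described above, a single integration identity issuing API queries that return large result sets over a long stretch of time, in Salesforce API activity logs. The following is an added example, not code from the article or from any company named in it; it assumes a small CSV resembling a few columns of the Salesforce EventLogFile "API" event type, and both the column names and every record are constructed for illustration.

```python
# Added example (not from the article): flag integration identities whose API
# activity looks like sustained bulk extraction. Rows mimic a few columns of the
# Salesforce EventLogFile "API" event type; column names and records are constructed.
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

SAMPLE_LOG = """TIMESTAMP_DERIVED,USER_NAME,CLIENT_NAME,ENTITY_NAME,ROWS_PROCESSED
2025-06-12T01:00:00.000Z,integration@example.invalid,VendorApp,Account,200
2025-06-12T01:02:00.000Z,integration@example.invalid,VendorApp,Account,200
2025-06-12T02:10:00.000Z,integration@example.invalid,python-requests,Contact,2000
2025-06-12T02:40:00.000Z,integration@example.invalid,python-requests,Contact,2000
2025-06-12T03:30:00.000Z,integration@example.invalid,python-requests,Opportunity,2000
2025-06-12T05:15:00.000Z,integration@example.invalid,python-requests,Opportunity,2000
2025-06-12T09:00:00.000Z,alice@example.invalid,Salesforce UI,Contact,25
"""

def parse_events(text):
    """Parse the constructed CSV and attach a datetime and an integer row count."""
    rows = list(csv.DictReader(StringIO(text)))
    for r in rows:
        r["ts"] = datetime.strptime(r["TIMESTAMP_DERIVED"], "%Y-%m-%dT%H:%M:%S.%fZ")
        r["rows"] = int(r["ROWS_PROCESSED"])
    return rows

def find_sustained_extraction(events, min_span=timedelta(hours=2), min_rows=5000):
    """Group API calls by (user, client); flag groups whose first-to-last span and
    total rows returned both exceed the thresholds (defaults are constructed)."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["USER_NAME"], e["CLIENT_NAME"])].append(e)
    flagged = []
    for (user, client), evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        span = evs[-1]["ts"] - evs[0]["ts"]
        total = sum(e["rows"] for e in evs)
        if span >= min_span and total >= min_rows:
            flagged.append({"user": user, "client": client,
                            "span_minutes": int(span.total_seconds() // 60),
                            "rows": total,
                            "objects": sorted({e["ENTITY_NAME"] for e in evs})})
    return flagged

if __name__ == "__main__":
    for hit in find_sustained_extraction(parse_events(SAMPLE_LOG)):
        print(hit)  # the python-requests session over Contact/Opportunity is flagged
```

On the constructed sample only the python-requests session (about three hours, 8,000 rows across Contact and Opportunity) is flagged; the same integration user's normal short vendor-app bursts and the interactive user are not.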
Icarus claims responsibility
BleepingComputer and Huntress previously linked this incident to the Icarus extortion operation, but the threat actor has now publicly claimed responsibility on its data breach site.
"As you may already know, Klue.com was recently affected by our company. Salesforce instances of a number of other companies that were Klue partners were compromised," Icarus' post reads.

The attackers also pressured Klue and the affected organizations to contact them through the Session messaging platform to prevent the stolen data from being leaked.
The post comes after BleepingComputer previously reported that the attack was linked to Icarus after sources shared extortion emails sent to affected organizations. Huntress also independently linked the operation to Icarus through extortion emails and Session messenger IDs used on the group's data breach site.
More victims have since revealed they were affected by the attack, including Recorded Future, Tanium, Jamf, Sprout Social, Gong, and Insurity.
Nearly all said the incident resulted in the theft of data from Salesforce instances, with no impact on their platforms, infrastructure, payment information, or internal systems.
Several organizations urged customers to be vigilant, warning that stolen business contact information could be used in subsequent phishing, social engineering, and extortion campaigns.
