Critical Security Advisory for Third-Party Apps Connected to Salesforce

Take immediate action to safeguard your Salesforce ecosystem against targeted attacks on third-party applications and ensure a speedy return to business.

Salesforce has issued an urgent Critical Security Advisory regarding an extortion demand received from the threat actors ShinyHunters, related to previous social engineering threats. The attacker is specifically targeting third-party applications and integrations connected to Salesforce. Given the potential disruption and possible loss to businesses, it is crucial for all organizations using Salesforce-connected apps, and those engaged in their development and distribution, to take note of the risks and respond swiftly.

Salesforce has communicated: “If an application that you have developed and/or are distributing becomes compromised, Salesforce may determine that all applications created and/or distributed by you are considered unsafe until further notice. As a result, all of your applications may be disabled while we investigate any potential security issues. During this period, the applications and their features will not be available to Salesforce customers.” 

Immediate Action Required to Mitigate the Risks

To mitigate risks and safeguard your Salesforce environment, Salesforce recommends promptly implementing the following critical security measures:

  1. Immediately Review All Applications for Vulnerabilities

    Immediately and thoroughly review every application integrated with Salesforce for any evidence of malicious activity or vulnerabilities.

  2. Verify Packaged App Security Compliance

    Examine the security requirements for ISV packages and ensure your applications meet all compliance requirements.

  3. Apply Recommended Security Controls

    Make sure Connected Apps, API usage, Partner Business Orgs, Packaging Orgs, Namespace Definition Orgs, and External Client Apps Definition Orgs follow the latest recommended security settings at a minimum.

  4. Publish Valid External IP Addresses for Salesforce Customers

    Immediately make your applications’ external IP ranges publicly available so Salesforce customers can whitelist them in their integration profiles to enhance security.

  5. Rotate Secrets Frequently to Maintain Security

    Immediately ensure that consumer secrets, OAuth app ClientIDs, and Client Secret tokens are regularly changed or rotated. In case of any compromise, change these credentials immediately.

  6. Activate API Usage Monitoring and Alerts

    Set real-time alerts to detect unusual spikes in API request volume, and requests at unusual times of day or from unusual geo-locations, originating from your Connected Apps.

  7. Prepare for Incident Response

    If you notice that an app has been compromised, immediately address the incident by securing the Packaging, App Definition Orgs, Partner Business Org space, and namespace. Disable insecure flows and protocols in the compromised app, rotate all secrets, and enforce IP access controls.

  8. Report Security Incidents Immediately

    Notify Salesforce’s security team without delay by emailing security@salesforce.com if you detect any suspicious activity or security incidents impacting your applications or customer secrets.
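
The monitoring in step 6 can be prototyped as a per-app baseline check. The following is an added example, not code from Salesforce or Milestone; the record layout (timestamp, app name, country, hourly API call count), the app names and the sample rows are assumptions constructed for illustration, to be mapped onto whatever API usage logs you export.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed baseline: one record per hour of normal activity for a
# hypothetical Connected App. Layout: (ISO timestamp, app, country, api_calls)
BASELINE = [
    (f"2025-01-{d:02d}T{h:02d}:00:00", "billing-sync", "US", 100 + (d * h) % 20)
    for d in range(6, 11) for h in range(9, 18)
]

def build_baseline(events):
    """Per-app profile: observed hourly volumes, hours of day and countries."""
    base = defaultdict(lambda: {"volumes": [], "hours": set(), "countries": set()})
    for ts, app, country, calls in events:
        profile = base[app]
        profile["volumes"].append(calls)
        profile["hours"].add(datetime.fromisoformat(ts).hour)
        profile["countries"].add(country)
    return base

def check_event(base, event, z_threshold=3.0):
    """Return alert names for one hourly record; an empty list means normal."""
    ts, app, country, calls = event
    profile = base.get(app)
    if profile is None:
        return ["unknown_app"]  # traffic from an app that has no baseline
    alerts = []
    mu, sigma = mean(profile["volumes"]), pstdev(profile["volumes"])
    # Floor sigma at 1 so a perfectly flat baseline does not alert on +1 call.
    if calls > mu + z_threshold * max(sigma, 1.0):
        alerts.append("volume_spike")
    if datetime.fromisoformat(ts).hour not in profile["hours"]:
        alerts.append("unusual_hour")
    if country not in profile["countries"]:
        alerts.append("new_geo")
    return alerts

if __name__ == "__main__":
    base = build_baseline(BASELINE)
    # Constructed test records: normal, anomalous, and unregistered app.
    for record in [
        ("2025-01-13T10:00:00", "billing-sync", "US", 105),
        ("2025-01-13T03:00:00", "billing-sync", "RO", 4000),
        ("2025-01-13T11:00:00", "unregistered-app", "US", 10),
    ]:
        print(record, "->", check_event(base, record) or "ok")
```

The baseline window and the threshold of three standard deviations are starting points; tune both against your own traffic before routing alerts to on-call.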

The evolving threat landscape means no organization is immune. As a leading Salesforce service company in the USA, Milestone is committed to safeguarding your data and ensuring your return to business at the earliest. If you need assistance reviewing your apps, deploying security controls, or responding to potential incidents, please reach out to our team immediately. 
