Human resources (HR) platform provider Workday has become the latest large organisation to fall victim to a cyber attack originating through a third-party supplier, as the impact of a wave of cyber attacks – likely orchestrated through Salesforce products and linked to the ShinyHunters cyber crime collective – continues to reverberate.
In a notice published just prior to the weekend of 16–17 August, the firm said it had fallen victim to a social engineering campaign “targeting many large organisations”.
Cyber news outlet Bleeping Computer firmed up a link to Salesforce. Workday named neither the threat actor or the software supplier involved.
“We recently identified that Workday had been targeted and threat actors were able to access some information from our third-party CRM [customer relationship management] platform,” the company said.
“There is no indication of access to customer tenants or the data within them. We acted quickly to cut the access and have added extra safeguards to protect against similar incidents in the future.
“The type of information the actor obtained was primarily commonly available business contact information, like names, email addresses, and phone numbers, potentially to further their social engineering scams,” it continued.
“It’s important to remember that Workday will never contact anyone by phone to request a password or any other secure details. All official communications from Workday come through our trusted support channels.”
ShinyHunters
The breach of Workday’s systems puts it among a growing number of companies to have been compromised by ShinyHunters in the past few weeks, including the likes of Adidas, Air France-KLM, Allianz, Google, multiple LVMH brands, Pandora and Qantas, in a campaign that closely mirrors a similar series of cyber attacks conducted by the Scattered Spider group – including the April hack of Marks & Spencer.
Threat attribution is a notoriously imprecise science, but a growing body of evidence now suggests that ShinyHunters and Scattered Spider are, at the very least, aligned somewhat through shared links to a wider underground group known as The Com, and may in fact be one and the same, according to ReliaQuest.
Researchers at Flashpoint are also now making the connection, going so far as to tentatively attribute the current wave of CRM-linked breaches to Scattered Spider in a briefing document published on 15 August.
Offering more evidence of a connection, the Flashpoint teamed also noted that Scattered Spider now appears to have shifted primarily to voice-based phishing (vishing) as its “primary social engineering technique”, a departure from tactics that closely mirrored the preferred methods of ShinyHunters.
Manipulation and trickery
Regardless of the attackers’ true identities, the latest cyber attack in the current campaign highlights that a great many of the most high-profile and damaging data breaches of recent months arose not through software vulnerabilities, but through simple manipulation and trickery of ordinary employees going about their day-to-day work.
Dray Agha, senior manager of security operations at Huntress, said this trend highlighted the need for businesses to adopt three core “non-negotiable” defences.
“Eliminate OAuth blind spots, enforce strict allow-listing for third-party app integrations, and review connections at a regular interval,” he said. “Adopt phishing-resistant MFA: hardware tokens are essential, as ‘MFA fatigue’ attacks remain trivial.
“A huge number of attacks begin with social engineering, users being deceived, and user enrolment in the execution of malware – effective security awareness training is a must for any organisation that wishes to repudiate cyber attacks.”
