

Ethical Hacking News

Threat Actors Leverage Custom AuraInspector to Exploit Misconfigured Salesforce Systems




Threat actors are using a custom version of AuraInspector to harvest sensitive data from Salesforce systems. The campaign targets misconfigured guest user settings in Experience Cloud sites, underlining the importance of securing those settings to prevent unauthorized access to sensitive CRM data. Read on for details of the campaign and of how organizations can secure their Experience Cloud sites against it.



  • Threat actors are using a custom version of AuraInspector to harvest sensitive data from Salesforce systems.
  • The tool targets misconfigured guest user settings in Experience Cloud sites, potentially exposing CRM data.
  • The custom version of AuraInspector can identify vulnerabilities and exploit overly permissive guest user settings.
  • Salesforce CSOC warns that mass-scanning is taking place, highlighting the importance of securing Experience Cloud guest user settings.
  • Customers are urged to review and secure their Experience Cloud guest user settings to reduce exposure to sensitive data.



In a recent development that has sent shockwaves through the cybersecurity community, it has been revealed that threat actors are using a custom version of the open-source tool AuraInspector to harvest sensitive data from Salesforce systems. The campaign, which is believed to be linked to a known threat actor group, possibly ShinyHunters, targets misconfigured guest user settings in Experience Cloud sites.

AuraInspector is an open-source command-line tool originally developed by Mandiant to audit Salesforce Aura and Experience Cloud applications for data exposure risks. It simulates an unauthenticated or guest user and automatically discovers Aura endpoints, then tests them for access-control misconfigurations that might expose sensitive records via Aura methods, record lists, or GraphQL controllers.

The threat actors have modified the AuraInspector tool to go beyond its original capabilities, allowing them to extract data from exposed environments. This custom version of the tool is capable of identifying vulnerabilities and exploiting overly permissive guest user settings, which can result in the exposure of CRM data. The exposed data can then be used for targeted social engineering or vishing attacks.

Salesforce CSOC has warned that threat actors are mass-scanning publicly accessible Experience Cloud sites using the modified AuraInspector tool. This is a concerning development, as it highlights the importance of securing Experience Cloud guest user settings to prevent unauthorized access to sensitive data.

According to the report published by Salesforce, "Evidence indicates the threat actor is leveraging a modified version of the open-source tool Aura Inspector (originally developed by Mandiant) to perform mass scanning of public-facing Experience Cloud sites." The report further states that while the original AuraInspector is limited to identifying vulnerable objects by probing API endpoints, the custom version of the tool is capable of going beyond identification to actually extract data.

This campaign is a stark reminder of the importance of keeping software and systems up-to-date, as well as securing guest user settings in Experience Cloud sites. Misconfigured sites risk exposing CRM data, which can be used for targeted social engineering or vishing attacks.

The company has urged customers to review and secure their Experience Cloud guest user settings immediately to reduce exposure. Salesforce encourages customers to restrict public access, disable unnecessary APIs, and monitor logs to prevent unauthorized access to sensitive data.

In conclusion, the use of custom AuraInspector by threat actors to exploit misconfigured Salesforce systems is a serious concern that should not be taken lightly. It highlights the need for organizations to prioritize cybersecurity and secure their Experience Cloud guest user settings to prevent unauthorized access to sensitive data.
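As an added defender-side illustration (not code from the article, from Salesforce or from Mandiant), the following Python script puts the "monitor logs" advice into practice: it replays constructed request-log lines and flags any source that sends an unusually dense burst of guest-user requests to the site's Aura endpoint, which is the mass-scanning pattern Salesforce CSOC describes. The log line format and field names, the endpoint path `/s/sfsites/aura`, the 60-second window and the request threshold are all assumptions to be adapted to whatever request telemetry fronts the site.

```python
"""Flag sources that mass-probe an Experience Cloud site's Aura endpoint as a guest user.

Added example for the article above; the log format, endpoint path and thresholds
are assumptions, not Salesforce's own telemetry format or guidance.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

AURA_PATH = "/s/sfsites/aura"   # assumed Aura endpoint path; confirm against the site's own URLs
WINDOW = timedelta(seconds=60)  # sliding window over which guest Aura requests are counted
THRESHOLD = 20                  # guest Aura requests within WINDOW that raise an alert (tune per site)

# Constructed sample log. Assumed line format:
#   <ISO timestamp> <source_ip> <user> <method> <path> <status>
# 198.51.100.7 is a normal visitor; 203.0.113.9 fires 25 guest Aura requests in 25 seconds.
SCANNER_BURST = "\n".join(
    f"2026-03-10T08:01:{s:02d} 203.0.113.9 guest POST /s/sfsites/aura 200" for s in range(25)
)
SAMPLE_LOG = f"""\
2026-03-10T08:00:00 198.51.100.7 guest GET /s/ 200
2026-03-10T08:00:03 198.51.100.7 guest POST /s/sfsites/aura 200
2026-03-10T08:00:09 198.51.100.7 guest POST /s/sfsites/aura 200
{SCANNER_BURST}
2026-03-10T08:05:00 198.51.100.7 alice@example.com POST /s/sfsites/aura 200
"""


def parse_line(line):
    """Split one assumed-format log line into a record dict."""
    ts, ip, user, method, path, status = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "ip": ip,
        "user": user,
        "method": method,
        "path": path,
        "status": int(status),
    }


def find_mass_scanners(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {source_ip: peak_count} for sources whose guest requests to the Aura
    endpoint reach `threshold` within any `window`-long span.

    Authenticated users and non-Aura paths are ignored: the campaign described
    above abuses guest access, so that is the population worth baselining.
    """
    recent = defaultdict(deque)   # ip -> timestamps of recent guest Aura requests
    peaks = {}
    records = sorted((parse_line(l) for l in lines if l.strip()), key=lambda r: r["ts"])
    for rec in records:
        if rec["user"] != "guest" or rec["path"] != AURA_PATH:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        # Drop timestamps that have fallen out of the sliding window.
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            peaks[rec["ip"]] = max(peaks.get(rec["ip"], 0), len(q))
    return peaks


if __name__ == "__main__":
    for ip, count in find_mass_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT: {ip} sent {count} guest requests to {AURA_PATH} within {WINDOW}")
```

On the constructed sample the normal visitor's two guest requests and the authenticated user's request are ignored, while the burst from 203.0.113.9 is reported with a peak of 25 requests in the window. A real deployment would baseline the threshold against the site's legitimate guest traffic before alerting, and would pair the alert with the remediation the article lists: tightening guest user object and field permissions and disabling APIs the site does not need.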




    Related Information:
  • https://www.ethicalhackingnews.com/articles/Threat-Actors-Leverage-Custom-AuraInspector-to-Exploit-Misconfigured-Salesforce-Systems-ehn.shtml

  • https://securityaffairs.com/189214/security/threat-actors-use-custom-aurainspector-to-harvest-data-from-salesforce-systems.html

  • https://www.securityweek.com/hundreds-of-salesforce-customers-allegedly-targeted-in-new-data-theft-campaign/

  • https://www.bleepingcomputer.com/news/security/shinyhunters-claims-ongoing-salesforce-aura-data-theft-attacks/

  • https://www.techradar.com/pro/security/shinyhunters-claims-its-behind-ongoing-salesforce-aura-data-theft-assault-warns-more-attacks-to-come

  • https://cloud.google.com/security/products/mandiant-threat-intelligence

  • https://www.cisa.gov/resources-tools/services/mandiant-threat-intelligence

  • https://en.wikipedia.org/wiki/ShinyHunters

  • https://www.independent.co.uk/tech/google-data-breach-shinyhunters-cyber-attack-b2821097.html


  • Published: Tue Mar 10 08:59:01 2026 by llama3.2 3B Q4_K_M

© Ethical Hacking News. All rights reserved.