Unbelievable Twist in Cybersecurity: Hackers Get Hacked (Data Breach)


The fallout from the cyberattack on market intelligence platform Klue keeps growing. As nearly two dozen companies confirm that their data was breached, a new twist has emerged: the hackers themselves were reportedly hacked. The Icarus group, which claimed responsibility, allegedly lost the stolen data to a second cybercrime group.


What Happened

The past few days have produced a rare chain of events. Klue, a market intelligence and competitive analysis platform, suffered a major cyberattack earlier this month. The incident is being treated as a supply chain attack: it affected not only Klue but also customers whose Salesforce data was reachable through Klue's integration. Since the attack was discovered, roughly two dozen Klue customers have publicly confirmed that their Salesforce instances were compromised as a result.

In the aftermath, a threat actor calling itself "Icarus" claimed responsibility. The group launched an extortion campaign against Klue and its customers, threatening to publish the data it claimed to have stolen, and set up a leak site on the Tor network where it said the data would be posted if its demands were not met. The story did not end there, however, and soon took a more complicated turn.

There are strong indications that Klue was negotiating with the attackers. Likely as a result of those talks, the Icarus leak site has been unavailable for the past couple of days. A leak site going dark is commonly, though not always, a sign that a ransom has been paid or an agreement reached. Then came a development rarely seen in cybersecurity incidents: in a private notification to its customers, Klue reported that the Icarus group itself had been hacked. That means the data stolen from Klue is now in the hands of a second cybercrime group, which has started its own extortion campaign with the data it took from Icarus.

What Data Was Leaked

The nature of the compromised data is a major concern for the affected companies. The information stolen by the initial attacker, Icarus, is said to consist mainly of business contact and support data. Data of this kind typically includes customer names, email addresses, company information, communication histories, and support ticket details. In the hands of malicious actors it enables convincing targeted phishing, impersonation of known contacts, and corporate espionage.

The second theft is slightly different, which further complicates the incident. According to Klue's notification, the second cybercrime group that hacked Icarus did not obtain all of the stolen data, only a portion described as "sample data." It is not yet clear how large this sample is or which companies' information it contains. As of now, no extortion group other than Icarus has publicly claimed to hold data stolen in the Klue incident. This uncertainty adds to the pressure on the companies and customers affected by the breach.

How Did the Attack Happen

According to the available information, the attack was a well-planned supply chain operation. The attackers first gained access to the Klue platform using compromised legacy credentials associated with the company that were no longer adequately protected. How those credentials were obtained is not yet known, but stale, forgotten credentials are a common weak link, and the attackers went straight for it.

With access to Klue's systems, the attackers moved on to their real target: customer data. In this phase they obtained the OAuth tokens that power Klue's integration with platforms such as Salesforce. OAuth is an authorization framework that lets one application (Klue) access data in another (a customer's Salesforce org) on the customer's behalf, using an access token and refresh token rather than the user's password. Whoever holds a valid token can act as the integration until the token expires or is revoked, and because the token represents the application rather than a human login, its use does not trigger user-facing MFA. Armed with the stolen tokens, the attackers called the Salesforce API as the Klue application, pulled customer records in bulk, and exfiltrated them to their own systems. The data theft is assessed to have taken place between June 11 and 12.
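Because a stolen OAuth token is used exactly the way the legitimate integration uses it, there is no failed login to alert on; what changes is the volume, the timing and the source address of the connected app's API traffic. The following Python script, added here as an illustration and not code from Klue, Salesforce or the article, shows the kind of check a Salesforce customer could run over its API event logs. The log lines are constructed, the column names are a simplified hypothetical schema (not the exact EventLogFile field names), and the year is assumed; the page only gives June 11 and 12. The script baselines each connected app's daily row volume from the days before the suspected window and flags days in the window whose volume spikes or whose requests come from an IP the app had never used before.

```python
"""
Added example: baseline-and-spike detection over constructed Salesforce-style
API event log records for a connected app whose OAuth token may have been stolen.
"""
import csv
import io
import statistics
from collections import defaultdict
from datetime import date, datetime

# Constructed sample log. The schema is a simplified, hypothetical one, not the
# real Salesforce EventLogFile column names. 203.0.113.10 is the integration's
# normal source; 198.51.100.77 appears only during the suspected window.
SAMPLE_LOG = """\
timestamp,connected_app,user_id,operation,entity,rows_processed,client_ip
2025-06-08T09:12:03Z,KlueIntegration,005A1,query,Account,420,203.0.113.10
2025-06-09T09:10:41Z,KlueIntegration,005A1,query,Account,455,203.0.113.10
2025-06-10T09:11:17Z,KlueIntegration,005A1,query,Account,438,203.0.113.10
2025-06-11T02:03:55Z,KlueIntegration,005A1,query,Account,50000,198.51.100.77
2025-06-11T02:09:12Z,KlueIntegration,005A1,query,Contact,50000,198.51.100.77
2025-06-11T02:15:30Z,KlueIntegration,005A1,query,Case,50000,198.51.100.77
2025-06-12T01:48:02Z,KlueIntegration,005A1,query,Contact,50000,198.51.100.77
2025-06-12T09:11:09Z,KlueIntegration,005A1,query,Account,440,203.0.113.10
2025-06-10T12:00:00Z,BillingSync,005B2,query,Opportunity,120,192.0.2.5
2025-06-11T12:00:00Z,BillingSync,005B2,query,Opportunity,118,192.0.2.5
2025-06-12T12:00:00Z,BillingSync,005B2,query,Opportunity,125,192.0.2.5
"""


def parse_log(text):
    """Parse the CSV text into dicts with a datetime 'ts' and an int 'rows_processed'."""
    records = []
    for r in csv.DictReader(io.StringIO(text)):
        r["ts"] = datetime.strptime(r["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        r["rows_processed"] = int(r["rows_processed"])
        records.append(r)
    return records


def daily_volume(records):
    """Total rows pulled per (connected_app, day)."""
    vol = defaultdict(int)
    for r in records:
        vol[(r["connected_app"], r["ts"].date())] += r["rows_processed"]
    return vol


def find_anomalies(records, window_start, window_end, spike_factor=5.0):
    """
    For each connected app, the days before window_start form the baseline
    (median daily rows, set of source IPs). Inside the window, flag every day
    whose volume exceeds spike_factor * baseline and every (day, IP) pair
    where the IP was never seen in the baseline. Apps with no baseline are
    skipped; those need a manual review rather than a silent pass.
    Returns a sorted list of (app, day, reason) tuples.
    """
    vol = daily_volume(records)
    findings = []
    for app in sorted({r["connected_app"] for r in records}):
        base_days = [v for (a, d), v in vol.items() if a == app and d < window_start]
        base_ips = {r["client_ip"] for r in records
                    if r["connected_app"] == app and r["ts"].date() < window_start}
        if not base_days:
            continue
        baseline = statistics.median(base_days)
        for (a, d), v in vol.items():
            if a == app and window_start <= d <= window_end and v > spike_factor * baseline:
                findings.append((app, d, f"volume {v} exceeds {spike_factor:g}x baseline {baseline:g}"))
        new_ip_days = {(r["ts"].date(), r["client_ip"]) for r in records
                       if r["connected_app"] == app
                       and window_start <= r["ts"].date() <= window_end
                       and r["client_ip"] not in base_ips}
        for d, ip in sorted(new_ip_days):
            findings.append((app, d, f"requests from previously unseen IP {ip}"))
    return sorted(findings)


def run_demo():
    """Run the detection over the constructed log for the June 11-12 window."""
    return find_anomalies(parse_log(SAMPLE_LOG), date(2025, 6, 11), date(2025, 6, 12))


if __name__ == "__main__":
    for app, day, reason in run_demo():
        print(f"{app} {day}: {reason}")
```

In a real Salesforce org the same logic runs over Event Monitoring exports (EventLogFile) or the connected app's OAuth usage data in Setup; the point is that the integration's own identity is the thing to watch, since the attacker is borrowing it rather than logging in as a new user.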

Who Is Affected

The impact of the attack appears to be broad. To date, roughly two dozen Klue customers have officially confirmed that their Salesforce instances were compromised through this supply chain attack. They include prominent names from the technology, security, and finance sectors. Among the publicly identified affected companies are AlertMedia, Blackbaud, Camunda, Cresta, Deel, Lucanet, Link11, and Tines.

There are concerns, however, that this list is only the tip of the iceberg. Klue is known to have hundreds of customers, and the true blast radius of the attack may be much wider. A notification allegedly sent by Klue to its customers stated that 195 customers in total were affected. That figure has not been officially confirmed, but it gives a significant indication of the scale of the breach.

Not every Klue customer was affected, though. Some, such as the software company Autodesk, were not impacted because they use Klue without the Salesforce integration. This confirms that the attack path ran specifically through customers that had the Salesforce integration enabled.

What Can You Do

Following the incident, both Klue and affected third-party platforms took containment measures. To stop the breach from spreading further, Salesforce disabled the Klue integration on June 17, and Salesforce's status page shows that it has not yet been re-enabled. As a similar precaution, Gong also suspended its integration with Klue.

As of now, no official, detailed guidance has been published on the specific steps that customers of Klue or of the affected companies should take. Customers of the companies named above should follow the official announcements and email notifications coming directly from those companies. Even without vendor guidance, the standard response to a stolen integration token is to revoke the connected app's OAuth tokens in Salesforce (which Salesforce's disabling of the Klue integration accomplishes for that app) and to review API activity attributed to the app for the June 11 to 12 window. Because business contact and support data were taken, everyone involved should also expect and watch for a rise in targeted phishing in the coming period.

What Is the Company Saying

Klue publicly confirmed the breach on Monday and said it had launched an investigation, but it has not yet shared any detailed public update on its findings. Behind the scenes, the company appears to be more active.

According to a TechCrunch report, Klue told customers in private notifications that it had contacted the Icarus group, which claimed responsibility for the attack, and that the group had begun deleting the stolen data. This fuels speculation that Klue paid a ransom to keep the data from being published.

In the same notification, Klue shared the surprising news that Icarus itself had been hacked and that the data was now held by another group, adding that it is closely monitoring developments on that front. SecurityWeek reported that it had reached out to Klue for more information but had not yet received a response.

Source

https://www.securityweek.com/more-klue-breach-victims-identified-as-hackers-get-hacked/

This content was generated with AI assistance through our Argus Flow application.
