How compromised DevOps tools are used in supply chain attacks


Digital supply chain attacks are a leading cyber threat today, and it's believed the number of attacks tripled in 2021 alone. Some of the biggest data breaches of the last year have centered on digital supply chains.

Here, we’re focusing on how supply chain tactics can be used to exploit the Salesforce platform through compromised DevOps tools, one of the most overlooked threats in digital supply chains. As a critical part of thousands of organizations’ customer relationship infrastructures, the Salesforce cloud is an attractive target for threat actors seeking access to sensitive data.

Developers have a large number of tools at their disposal, and there is a tendency to blindly trust they are secure, particularly if they come from a known vendor or official store. But as the infamous SolarWinds hack shows, even well-known vendors can be compromised and used to enable an attack.

Compromised DevOps tools can be used to facilitate attacks on any IT ecosystem the developer is working on, such as the Salesforce platform.


Such attacks may begin with the adversary sniffing out poorly managed source code repositories. Scanning unsecured public source code can reveal user credentials or API tokens, which can be used to gain access to, for example, the CI/CD tool used by a software development company that offers its application via a software repository or marketplace.

From here, bad actors can covertly inject malware into software built by the CI/CD tool before it is published to the marketplace. Now, any user downloading the software will receive a compromised version containing a nasty hidden surprise.

The hidden payload will download additional malware from the attacker’s web server, enabling them to compromise both the user’s endpoint machine and any on-prem or cloud-based systems it is connected to. This can include the Salesforce platform, which allows third-party applications to be installed or connected.

The attacker can now exploit all of Salesforce’s connections and capabilities, such as using its content sharing functionality to distribute specifically crafted malware or phishing links to users, including employees, partners, and customers.

Now they can perform any number of malicious activities, with one of the most common outcomes being the establishment of a command and control (C&C) backdoor that allows them to keep moving laterally and begin stealing critical data.

Download our latest report to find out more information on how DevOps tools are targeted and exploited. You will also gain practical steps to identify and defend against these tactics.
