The tool supports OAuth and can be directly integrated as a “connected app” within Salesforce. According to GTIG, attackers are exploiting this by convincing victims, often during phone calls, to open the connected apps setup page and enter a connection code, effectively linking a rogue, attacker-controlled version of Data Loader to the victim’s Salesforce environment.
The capability of using the modified versions of Data Loader was found consistent with a recent guidance Salesforce had issued on such abuses. On this occasion, GTIG researchers found that the capability and technique differed from one intrusion to another.
“In one instance, a threat actor used small chunk sizes for data exfiltration from Salesforce but was only able to retrieve approximately 10% of the data before detection and access revocation,” researchers said. “In another case, numerous test queries were made with small chunk sizes initially. Once sufficient information was gathered, the actor rapidly increased the exfiltration volume to extract entire tables.”
