Social engineering, while an age-old tactic of cybercriminals, is by no means outdated or ineffective in modern environments. Threat actors continue to rely on deceptive methods and take advantage of the human element to cause potentially catastrophic damage to individuals and organizations. Leading companies are no less susceptible to these attacks, and often represent prime targets for attackers looking for massive payouts.
Financial and corporate software company Workday recently published an announcement disclosing an incident in which threat actors compromised certain information in a third-party CRM platform used by the company. According to the disclosure, attackers were not able to access Workday customer tenants or the data stored within them. The information exposed in the attack consisted predominantly of commonly available business contact information.
How the Attack Unfolded
The attack originated in a social engineering campaign targeting users of Workday’s third-party CRM system, part of a larger trend of similar attacks on large organizations. The breached data included business contact information such as names, email addresses, and phone numbers. Initial access was achieved through voice phishing (vishing), in which targets were deceived into authorizing a malicious OAuth app to connect to the company’s CRM systems.
Social engineering attacks like this work by relying on users’ innate trust, human error, and both technological and methodological deception to gain access to sensitive data or systems. Vishing and other sophisticated phishing variants are growing in popularity in the modern threat landscape, highlighting the ability of attackers to adapt and evolve certain tactics while still wielding traditional attacks.
ShinyHunters Connection
According to threat intelligence, the threat group known as ShinyHunters is connected to a broad campaign in the past several months targeting Salesforce users in order to gain access to the systems and data of large organizations. Previous high-profile victims of this campaign include Adidas, Google, Allianz Life, and Qantas. The pattern of exploiting trusted third-party applications is effective in compromising systems and data as it takes advantage of security governance gaps to achieve access to potentially sensitive areas.
While Workday did not specify the CRM platform affected in the breach, the attack bears a striking resemblance to the Salesforce campaign. “The Workday CRM incident shows the same playbook seen in the Salesforce-linked campaigns: social profiles are hijacked or spoofed, users are lured into legit-looking login flows, and stolen tokens or OAuth grants give deep access fast,” says J Stephen Kowski, Field CTO at SlashNext.
Why This Matters
This incident and the larger campaign demonstrate some of the most pertinent cybersecurity concerns today. In a highly interconnected digital landscape, third-party dependencies are one of the weak links in enterprise security. Many organizations form these dependencies without vetting the third-party partners or establishing clear security governance regarding their connection.
The data compromised in this attack may cause less damage when breached than login credentials or Social Security numbers, but it can still be used by threat actors for nefarious purposes. Business contact information can be leveraged in phishing and business email compromise campaigns, leading to further harm. The shift of modern social engineering from simple email phishing to increasingly advanced, technology-assisted tactics presents a danger that organizations are not currently prepared to fight.
Industry Implications
The fallout of this incident could have far-reaching impacts on the industry through direct and indirect consequences. An attack on a major organization and the public statement on it can raise awareness among affected parties and at large, even as some criticize Workday’s disclosure for its lack of detail and for apparently implementing technical measures to keep the disclosure out of search engine indexes. Over 11,000 Workday customers, including 60% of the Fortune 500, are now alerted to this type of risk as a result of the attack, hopefully giving them the incentive to take steps to prevent falling victim to such attacks in the future.
The incident also raises broader concerns for organizations heavily reliant on Salesforce and other CRM platforms. Organizations and security experts should see this attack and the larger campaign as a showcase of the need to implement stronger identity and OAuth governance. In the face of a high-profile string of attacks on large organizations, they should reassess and reinvest in measures intended to protect against such dangers.
Strengthening Defenses
In order to protect against this type of social engineering attack and prevent the exposure of sensitive data through third-party platforms, organizations must adapt their defenses to modern threats. Thorough employee education is as important as ever, and effective training should inform users of the risks and of how to identify and prevent social engineering attacks, including newer variants such as vishing.
Beyond user education and training, organizations should also implement tools and protocols for protecting against unauthorized access, data breaches, and third-party risks. This includes monitoring OAuth and API connections for anomalous activity in order to detect and prevent these attacks. Organizations are also strongly advised to adopt zero-trust and identity-first security measures as key mitigations against attacks that involve system infiltration.
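As an added example (not from the article, Workday, or any CRM vendor), the following Python sketch performs the monitoring recommended above over constructed CRM audit events: it flags OAuth grants to connected apps outside an assumed allowlist, escalates when the user consented to broad scopes, and flags a bulk API read made by such an app shortly after its first grant, the "deep access fast" pattern described in the quote above. The event field names, scope names, client IDs and the allowlist are assumptions, not any vendor's log schema.

```python
# Audit constructed CRM OAuth-grant and API events for the pattern described above:
# a user authorizes an unvetted connected app and it immediately pulls bulk data.
# Field names, scopes and the allowlist are assumptions, not any vendor's log schema.
from datetime import datetime, timedelta

# Assumed: connected apps that passed the organization's review process.
APPROVED_CLIENT_IDS = {"app-hr-sync-001", "app-finance-bi-002"}
# Assumed: scopes that confer broad, durable access and warrant extra scrutiny.
BROAD_SCOPES = {"full", "api", "refresh_token", "offline_access"}
EXFIL_WINDOW = timedelta(minutes=30)   # how soon after a grant a bulk read is suspicious
EXFIL_ROW_THRESHOLD = 10_000           # rows in one read that count as "bulk"

def audit_events(events):
    """Return (severity, message) alerts; events must be sorted by time."""
    alerts = []
    first_grant = {}  # client_id -> time the app was first authorized
    for ev in events:
        t = datetime.fromisoformat(ev["time"])
        cid = ev["client_id"]
        if ev["type"] == "oauth_grant":
            first_grant.setdefault(cid, t)
            if cid not in APPROVED_CLIENT_IDS:
                # Unvetted app; escalate when the user consented to broad scopes.
                sev = "high" if BROAD_SCOPES & set(ev["scopes"]) else "medium"
                alerts.append((sev, f"unapproved app {ev['app_name']} ({cid}) "
                                    f"authorized by {ev['user']}; scopes={sorted(ev['scopes'])}"))
        elif ev["type"] == "api_query":
            granted = first_grant.get(cid)
            # Bulk read by an unvetted app shortly after its first grant.
            if (cid not in APPROVED_CLIENT_IDS and granted is not None
                    and t - granted <= EXFIL_WINDOW
                    and ev["rows"] >= EXFIL_ROW_THRESHOLD):
                alerts.append(("critical", f"{ev['rows']} {ev['object']} rows read by {cid} "
                                           f"within {EXFIL_WINDOW} of its first grant"))
    return alerts

# Constructed sample events for this example (not from any real incident).
SAMPLE_EVENTS = [
    {"type": "oauth_grant", "time": "2025-08-01T09:00:00", "user": "alice@example.com",
     "client_id": "app-hr-sync-001", "app_name": "HR Sync", "scopes": ["api", "refresh_token"]},
    {"type": "oauth_grant", "time": "2025-08-01T09:12:00", "user": "bob@example.com",
     "client_id": "app-unknown-9f3", "app_name": "Data Loader Helper", "scopes": ["full", "refresh_token"]},
    {"type": "api_query", "time": "2025-08-01T09:15:00", "client_id": "app-unknown-9f3",
     "object": "Contact", "rows": 250_000},
]

if __name__ == "__main__":
    for sev, msg in audit_events(SAMPLE_EVENTS):
        print(f"[{sev}] {msg}")
```

In a real deployment the event list would come from the CRM's connected-app and API audit logs, and the allowlist from the organization's app review records.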
A Growing Campaign, Not an Isolated Incident
The Workday attack is far from unique in the modern threat landscape. This breach is part of a much broader trend of attackers using social engineering tactics and exploiting third-party trust to gain access to sensitive systems at scale. A spate of attacks like this against major companies could prompt regulatory and compliance scrutiny, in addition to spurring a shift in how organizations approach security. Enterprises can look to Workday’s disclosure as a potential step in the right direction, but should also heed the criticism of that disclosure as a guide to handling incidents like this with more transparency in the future, in order to maintain customer and industry trust.