Threat Actors Mass-Scan Salesforce Experience Cloud via
The Russian state-sponsored APT28 threat group is using a custom variant of the open-source Covenant post-exploitation framework for long-term espionage operations. [...]
What Happened
Security researchers and Salesforce have identified a coordinated campaign in which threat actors, assessed to be the Russian state-sponsored group APT28, are conducting mass scanning of publicly accessible Salesforce Experience Cloud sites. The activity aims to identify and exploit misconfigurations, using a modified version of the open-source reconnaissance tool AuraInspector. This campaign correlates with separate reporting on APT28’s parallel use of a customized variant of the Covenant post-exploitation framework, indicating a broader operational shift towards adapting open-source tools for persistent espionage.
Why It Matters
This activity represents a significant shift in the targeting of enterprise SaaS platforms, moving beyond traditional network infrastructure. Salesforce Experience Cloud sites often contain sensitive partner, customer, or employee data. Successful exploitation of misconfigurations can lead to data exfiltration, credential theft, and a foothold within a trusted business ecosystem. The dual reporting on AuraInspector and Covenant adaptations underscores APT28’s strategic investment in tooling for long-term, stealthy access, raising the stakes for organizations that rely on cloud-based customer engagement platforms.
Technical Details
The threat actors are leveraging a modified version of AuraInspector, a tool designed to enumerate components and data models within Salesforce’s Aura framework. The customized tool automates the scanning of Experience Cloud sites (formerly Community Cloud) to detect improperly configured sites where sensitive data objects or internal endpoints are exposed to unauthenticated users. This reconnaissance phase likely precedes data harvesting or the deployment of secondary payloads. The parallel use of a bespoke Covenant framework variant suggests a mature operational pipeline where initial access gained via such SaaS platforms could be leveraged for command and control (C2) and lateral movement.
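The reconnaissance described above looks, from the site's side, like a single unauthenticated client walking many data objects through the Aura endpoint in a short burst. The following detector is an added example, not code from the page, from Salesforce or from the AuraInspector project: it reads constructed access-log lines (the five-field line format, the sample IPs and the `/s/sfsites/aura` path are assumptions for this example) and flags any guest client that names more distinct objects inside a sliding window than a legitimate visitor plausibly would.

```python
"""Flag enumeration-like bursts of unauthenticated Aura requests.

Groups constructed access-log lines per client IP and flags any IP whose
guest (unauthenticated) requests to the Aura endpoint name more than
DISTINCT_OBJECT_LIMIT different data objects within WINDOW_SECONDS.
A real visitor touches a handful of objects; a scanner walking the data
model touches many in seconds. Input lines are assumed chronological.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

WINDOW_SECONDS = 60
DISTINCT_OBJECT_LIMIT = 5

# Line format is an assumption for this example:
#   <ISO timestamp> <client IP> <user context> <request path> <object name>
# "guest" marks an unauthenticated request; "-" marks no object.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<path>\S+) (?P<obj>\S+)$"
)

# Constructed sample log (not real Salesforce telemetry). 203.0.113.7 is a
# guest walking eight objects in eight seconds; 198.51.100.20 is a normal
# visitor; alice is authenticated and therefore out of scope for this check.
SAMPLE_LOG = """\
2026-06-01T09:30:00Z 198.51.100.20 guest /s/sfsites/aura Account
2026-06-01T09:45:10Z 198.51.100.20 guest /s/sfsites/aura Case
2026-06-01T10:00:01Z 203.0.113.7 guest /s/sfsites/aura Account
2026-06-01T10:00:02Z 203.0.113.7 guest /s/sfsites/aura Contact
2026-06-01T10:00:03Z 203.0.113.7 guest /s/sfsites/aura Lead
2026-06-01T10:00:04Z 203.0.113.7 guest /s/sfsites/aura Opportunity
2026-06-01T10:00:05Z 203.0.113.7 guest /s/sfsites/aura Case
2026-06-01T10:00:06Z 203.0.113.7 guest /s/sfsites/aura User
2026-06-01T10:00:07Z 203.0.113.7 guest /s/sfsites/aura Contract
2026-06-01T10:00:08Z 203.0.113.7 guest /s/sfsites/aura Order
2026-06-01T10:00:09Z 203.0.113.7 guest /s/help -
2026-06-01T10:20:00Z 198.51.100.20 guest /s/sfsites/aura Account
2026-06-01T11:00:00Z 198.51.100.33 alice /s/sfsites/aura Account
2026-06-01T11:00:01Z 198.51.100.33 alice /s/sfsites/aura Contact
2026-06-01T11:00:02Z 198.51.100.33 alice /s/sfsites/aura Lead
2026-06-01T11:00:03Z 198.51.100.33 alice /s/sfsites/aura Opportunity
2026-06-01T11:00:04Z 198.51.100.33 alice /s/sfsites/aura Case
2026-06-01T11:00:05Z 198.51.100.33 alice /s/sfsites/aura User
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    return rec


def find_enumeration(lines, window=WINDOW_SECONDS, limit=DISTINCT_OBJECT_LIMIT):
    """Return {ip: peak distinct objects in a window} for IPs over the limit."""
    per_ip = defaultdict(deque)  # ip -> recent (timestamp, object) pairs
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        # Only unauthenticated requests to the Aura endpoint are of interest.
        if rec is None or rec["user"] != "guest" or not rec["path"].endswith("/aura"):
            continue
        q = per_ip[rec["ip"]]
        q.append((rec["ts"], rec["obj"]))
        # Drop entries that fell out of the sliding window.
        while (rec["ts"] - q[0][0]).total_seconds() > window:
            q.popleft()
        distinct = len({obj for _, obj in q})
        if distinct > limit:
            flagged[rec["ip"]] = max(distinct, flagged.get(rec["ip"], 0))
    return flagged


if __name__ == "__main__":
    for ip, peak in find_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {peak} distinct objects requested as guest within {WINDOW_SECONDS}s")
```

Run against the constructed sample, only 203.0.113.7 is reported (peak of 8 distinct objects); the authenticated burst from alice and the slow guest visitor are ignored. Tune the window and limit to the object count a genuine page load on your own site produces, which you can measure from the same logs.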
Immediate Risk
The immediate risk is HIGH for any organization with a publicly facing Salesforce Experience Cloud site that has not undergone rigorous configuration review. There is no associated CVE; the exposure stems from administrative misconfiguration, not from a software flaw in Salesforce. Because the scanning is automated and ongoing, the exposure is not theoretical: misconfigured sites are actively being probed. Organizations may be compromised without any sign of malware, since data exfiltration can occur through legitimate APIs and interfaces that are simply being abused.
Security Insight
This campaign highlights the critical importance of SaaS security posture management. Defenders must extend configuration audits and threat hunting beyond their traditional network perimeter to encompass critical cloud applications. For Salesforce Experience Cloud, immediate actions should include reviewing all site settings, enforcing strict guest user profiles, and implementing the principle of least privilege for all exposed data objects. Monitoring for anomalous access patterns, especially from tools mimicking AuraInspector’s signature queries, is essential. The convergence of APT28’s tooling adaptations signals a trend where open-source tools lower the barrier for sophisticated espionage, making robust configuration hygiene a primary defense.
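Enforcing a strict guest user profile and least privilege on exposed objects is a configuration review that can be automated. The audit below is an added example, not code from the page or from Salesforce: it parses a profile in the Metadata API XML format (the sample profile, the allow-list policy and the `Guest User License` value are constructed assumptions for this example) and reports every object permission granted to the guest profile that the site's stated purpose does not require.

```python
"""Audit a Salesforce guest user profile for over-broad object permissions.

Parses Profile metadata in the Metadata API XML format and reports every
object permission granted on the guest profile that is not on an explicit
allow-list. The XML below is constructed for this example; export the real
profile with the Metadata API or a CLI retrieve before auditing your own site.
"""
import xml.etree.ElementTree as ET

NS = {"m": "http://soap.sforce.com/2006/04/metadata"}
PERMISSION_TAGS = ("allowRead", "allowCreate", "allowEdit", "allowDelete",
                   "viewAllRecords", "modifyAllRecords")
GUEST_LICENSE = "Guest User License"  # assumed license name for guest profiles

# Constructed sample: a guest profile for a public support site that grants
# more than web-to-case intake needs (Contact readable with View All, and a
# custom object editable by anonymous visitors).
SAMPLE_PROFILE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
    <custom>true</custom>
    <userLicense>Guest User License</userLicense>
    <objectPermissions>
        <allowCreate>true</allowCreate>
        <allowDelete>false</allowDelete>
        <allowEdit>false</allowEdit>
        <allowRead>false</allowRead>
        <modifyAllRecords>false</modifyAllRecords>
        <object>Case</object>
        <viewAllRecords>false</viewAllRecords>
    </objectPermissions>
    <objectPermissions>
        <allowCreate>false</allowCreate>
        <allowDelete>false</allowDelete>
        <allowEdit>false</allowEdit>
        <allowRead>true</allowRead>
        <modifyAllRecords>false</modifyAllRecords>
        <object>Contact</object>
        <viewAllRecords>true</viewAllRecords>
    </objectPermissions>
    <objectPermissions>
        <allowCreate>false</allowCreate>
        <allowDelete>false</allowDelete>
        <allowEdit>true</allowEdit>
        <allowRead>true</allowRead>
        <modifyAllRecords>false</modifyAllRecords>
        <object>Survey_Response__c</object>
        <viewAllRecords>false</viewAllRecords>
    </objectPermissions>
</Profile>
"""

# Policy for the constructed example: the site exists so visitors can open
# support cases, so Case create is the only permission the guest profile
# should carry. Everything else is a finding.
ALLOWED = {"Case": {"allowCreate"}}


def is_guest_profile(profile_xml):
    """True if the profile's user license is the guest license (assumed name)."""
    root = ET.fromstring(profile_xml)
    return root.findtext("m:userLicense", namespaces=NS) == GUEST_LICENSE


def granted_permissions(profile_xml):
    """Return {object: set of permission tags set to true} for the profile."""
    root = ET.fromstring(profile_xml)
    grants = {}
    for op in root.findall("m:objectPermissions", NS):
        obj = op.findtext("m:object", namespaces=NS)
        granted = {
            tag for tag in PERMISSION_TAGS
            if op.findtext(f"m:{tag}", namespaces=NS) == "true"
        }
        if granted:
            grants[obj] = granted
    return grants


def audit_guest_profile(profile_xml, allowed=ALLOWED):
    """Return sorted (object, permission) pairs that exceed the allow-list."""
    findings = []
    for obj, perms in granted_permissions(profile_xml).items():
        extra = perms - allowed.get(obj, set())
        findings.extend((obj, perm) for perm in sorted(extra))
    return sorted(findings)


if __name__ == "__main__":
    if not is_guest_profile(SAMPLE_PROFILE_XML):
        print("not a guest profile; nothing audited")
    for obj, perm in audit_guest_profile(SAMPLE_PROFILE_XML):
        print(f"FINDING: guest profile grants {perm} on {obj}")
```

On the constructed profile the audit reports read and View All on Contact and read/edit on Survey_Response__c, while the permitted Case create passes. The allow-list is the piece to maintain deliberately: each entry should trace to a documented site feature, and any object that appears in the findings is one an unauthenticated Aura request can reach.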