
How Vorlon Detects ShinyHunters OAuth Attacks on Salesforce Customers

OAuth abuse in Salesforce often starts quietly. A new OAuth application identity is created, broad permissions get granted, and API access begins from infrastructure your team has never seen before. By the time exfiltration is obvious, the window to contain it is already shrinking.

In this walkthrough, Lauren Lee, Sales Engineer at Vorlon, shows how Vorlon helps security teams detect ShinyHunters-style OAuth attacks earlier by tracking newly created OAuth app identities, highlighting risky permission grants (like full access), and flagging usage from new or suspicious source IPs. The timeline view makes it clear when the identity was created, what changed, and when it was used, so SecOps can triage quickly instead of pivoting across multiple tools.

Lauren also shows how Vorlon adds built-in threat intelligence context and supports fast response, including revoking a secret to stop further access. While the example focuses on Salesforce, the same continuous monitoring and detection approach applies across other SaaS applications your organization depends on.
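The detection approach described above, as an added example that is not Vorlon's code and not part of the original page: a small Python correlator run over a constructed event stream. The event field names, the allowlist of pre-announced apps, the source-IP baseline and the threat-intel entry are all assumptions for this example, not real Salesforce Event Monitoring records or a real feed. It raises the same signals the walkthrough relies on (an OAuth identity nobody announced, a full-access grant, a first-seen source IP with threat-intel context, bulk query usage), builds a per-identity timeline, and measures the dwell time between creation and first use, which is the quiet gap the walkthrough notes ShinyHunters tend to leave before exfiltrating.

```python
"""Correlate OAuth-app lifecycle events into the signals a SecOps analyst would
triage (added example with constructed data; not Vorlon or Salesforce code)."""
from collections import defaultdict
from datetime import datetime
from typing import NamedTuple

# Constructed sample events. Field names are assumptions for this example,
# not real Salesforce Event Monitoring fields. Dates follow the walkthrough.
SAMPLE_EVENTS = [
    {"ts": "2025-06-19T14:02:00Z", "type": "oauth_app_created", "app": "Marketo",
     "actor": "sf-admin@example.com"},
    {"ts": "2025-06-19T14:03:00Z", "type": "scope_granted", "app": "Marketo",
     "actor": "sf-admin@example.com", "scope": "api"},
    {"ts": "2025-06-19T15:10:00Z", "type": "oauth_app_created", "app": "Data Loader",
     "actor": "admin-two@example.com"},
    {"ts": "2025-06-19T15:11:00Z", "type": "scope_granted", "app": "Data Loader",
     "actor": "admin-two@example.com", "scope": "full"},
    {"ts": "2025-06-20T09:00:00Z", "type": "api_access", "app": "Marketo",
     "src_ip": "203.0.113.10", "endpoint": "/services/data/v60.0/sobjects/Lead"},
    {"ts": "2025-06-24T02:31:00Z", "type": "api_access", "app": "Data Loader",
     "src_ip": "198.51.100.77", "endpoint": "/services/data/v60.0/jobs/query"},
]

KNOWN_APPS = {"Marketo"}       # apps the Salesforce team pre-announced (assumed allowlist)
RISKY_SCOPES = {"full"}        # the "full access" scope; the label is an assumption
KNOWN_IPS = {"203.0.113.10"}   # baseline of source IPs seen before (constructed)
THREAT_INTEL = {"198.51.100.77": "listed as threat; possible Tor exit"}  # stands in for a feed
BULK_QUERY_MARKER = "/jobs/query"  # Bulk API 2.0 query-job path; substring match is deliberately loose


class Alert(NamedTuple):
    ts: str
    app: str
    kind: str
    detail: str


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect(events, known_apps=KNOWN_APPS, known_ips=KNOWN_IPS, threat_intel=THREAT_INTEL):
    """Return (alerts, timeline); timeline maps app -> ordered (ts, type, detail)."""
    alerts = []
    timeline = defaultdict(list)
    seen_ips = set(known_ips)  # grows as traffic is observed, so each new IP alerts once
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO-8601 strings sort chronologically
        app, kind = ev["app"], ev["type"]
        if kind == "oauth_app_created":
            timeline[app].append((ev["ts"], kind, f"created by {ev['actor']}"))
            if app not in known_apps:
                alerts.append(Alert(ev["ts"], app, "new_oauth_identity",
                                    f"not pre-announced; created by {ev['actor']}"))
        elif kind == "scope_granted":
            timeline[app].append((ev["ts"], kind, ev["scope"]))
            if ev["scope"] in RISKY_SCOPES:
                alerts.append(Alert(ev["ts"], app, "risky_scope", f"granted '{ev['scope']}'"))
        elif kind == "api_access":
            ip = ev["src_ip"]
            timeline[app].append((ev["ts"], kind, f"{ip} {ev['endpoint']}"))
            if ip not in seen_ips:
                detail = f"first-seen source IP {ip}"
                if ip in threat_intel:
                    detail += f"; threat intel: {threat_intel[ip]}"
                alerts.append(Alert(ev["ts"], app, "new_source_ip", detail))
                seen_ips.add(ip)
            if BULK_QUERY_MARKER in ev["endpoint"]:
                alerts.append(Alert(ev["ts"], app, "bulk_query", ev["endpoint"]))
    return alerts, dict(timeline)


def dwell_days(timeline, app):
    """Days between identity creation and first API use, or None if never used."""
    entries = timeline.get(app, [])
    created = next((parse_ts(ts) for ts, k, _ in entries if k == "oauth_app_created"), None)
    first_use = next((parse_ts(ts) for ts, k, _ in entries if k == "api_access"), None)
    if created is None or first_use is None:
        return None
    return (first_use - created).total_seconds() / 86400


def suspicious_apps(alerts, min_kinds=2):
    """Apps with at least min_kinds distinct alert kinds. One signal alone is noise;
    the chain creation -> full scope -> unknown IP -> bulk query is the attack."""
    kinds = defaultdict(set)
    for a in alerts:
        kinds[a.app].add(a.kind)
    return {app for app, k in kinds.items() if len(k) >= min_kinds}


if __name__ == "__main__":
    alerts, timeline = detect(SAMPLE_EVENTS)
    for app in suspicious_apps(alerts):
        print(f"== {app}: {dwell_days(timeline, app):.1f} days between creation and first use")
        for ts, kind, detail in timeline[app]:
            print(f"   {ts} {kind:18} {detail}")
        for a in alerts:
            if a.app == app:
                print(f"   ALERT {a.kind}: {a.detail}")
```

On the constructed data, Marketo produces no alerts (pre-announced, ordinary scope, known IP), while the Data Loader identity accumulates all four signals and a dwell time of roughly four and a half days. The correlation threshold in `suspicious_apps` is the part worth tuning in practice: a first-seen IP on its own is routine, but a first-seen IP on an unannounced, full-access identity that is hitting a bulk query endpoint is the case to revoke first and investigate afterwards.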

About the speaker


Lauren Lee

Sales Engineer, Vorlon

Lauren Lee is a Sales Engineer at Vorlon with eight years of cybersecurity experience. Before Vorlon, she held a variety of vendor and client-side technical cybersecurity positions, including roles at Palo Alto Networks, Cylance, the U.S. Department of Homeland Security, and a major financial institution. Lauren graduated from the University of Southern California with a B.A. in Cognitive Science and a minor in Computer and Digital Forensics. She is dedicated to applying her security practitioner insights to assist Fortune 500 companies in overcoming common SOC team challenges, such as alert fatigue. Connect with Lauren on LinkedIn to stay updated on her latest professional insights.

How Vorlon Detects ShinyHunters OAuth Attacks on Salesforce Customers video transcript

My name is Lauren and I'm a sales engineer at Vorlon. Vorlon is a SaaS ecosystem security platform designed to provide visibility into your SaaS applications and the sensitive data that flows between them. Vorlon is uniquely positioned to detect and respond to the ShinyHunters attacks against organizations and their Salesforce instances today.


I'm going to walk you through an example of how we can do that. This widget in Vorlon tracks new OAuth application identities created recently for our observed applications. Now, I know that we don't add a lot of OAuth applications, and typically they'll let us know beforehand if they do, but here we can actually see that there were two new OAuth applications recently added to Salesforce.


The Marketo one is one that I'm already familiar with. The Salesforce team notified me of this beforehand, so we don't really need to check that one out. So really quickly, just at a glance, I can open Vorlon and immediately see that something is not right, because we have this additional Data Loader application that was added that I'm not familiar with.


So I can take a look at this timeline created for the identity and immediately get an idea of what has happened. On the 19th of June, the identity was created, which triggered an alert in Vorlon, and we can also see that there was a permission added. This OAuth application was granted full access, and we usually don't grant that permission to any of our OAuth apps.


The last time the application was used was just a few days ago. It also triggered an alert that it was used from a new, unknown source IP. Now, I know one of the TTPs for ShinyHunters is that they don't always use the OAuth identity to exfiltrate immediately. They actually typically wait around for a little bit and then start to exfiltrate.


With Vorlon, we can catch that initial OAuth application identity creation, and we can also see this fake Data Loader application here that has full permissions, and it actually looks like our Salesforce admin, Jeffrey Sinclair, was the one that fell victim to the vishing scheme. I won't tell the CISO about that if you don't.


There are also no IP restrictions on this OAuth app, meaning that it can be used from any IP address. And we can also see that it does indeed have full access permissions to use the API. Now, if we take a look at the associated alerts, we can see that the identity was initially configured on June 19th and that it triggered a new unknown source IP alert, meaning that we have not seen that IP address before in traffic.


The OAuth application was used from a Netherlands IP address, and we can also see from Vorlon's built-in threat intel that it's listed as a threat and also possibly related to a Tor exit. Super nice that we have that threat intel built in, because I don't want to add another tab to my already open 6,000 tabs.


In any case, this is not traffic that should be going to our Salesforce instance, and it's also accessing all of this sensitive information and using the bulk query endpoint. So based on all this information, we can utilize Vorlon's built-in response to revoke this secret immediately to stop the bleeding. In just a few minutes, we were able to detect and respond to suspicious activity associated with the ShinyHunters attacks in Vorlon.


And it was a lot faster than making a cup of coffee. And this is not just for Salesforce as an application. Vorlon's continuous monitoring, detection and response also extends to other SaaS applications as well, such as Microsoft 365, Google Workspace, Workday and more. Vorlon will help to protect your other SaaS applications from ShinyHunters and other threat actors attempting to exfiltrate data.


So keep your data safe with Vorlon today and every day from now on. Visit our website if you would like to learn more, or reach out to me on LinkedIn.
