
Indicators of Malicious Activity and Recommendations for Impacted Organizations - Hunting pulse

Medium
Published: Mon Sep 08 2025 (09/08/2025, 10:13:04 UTC)
Source: AlienVault OTX General

Description

A comprehensive investigation has uncovered numerous indicators of malicious activity related to a specific incident. Organizations are urged to scrutinize their logs for signs of compromise using the provided Indicators of Compromise (IOCs). The analysis reveals that legitimate Drift integration traffic should originate from a set of known source IPs owned and operated by Drift. Any successfully authenticated connections using Drift tokens from IP addresses not listed in the official document should be treated as suspicious and potentially malicious. The findings include a list of confirmed malicious IP addresses and suspicious User-Agent strings (see reference). While these IPs are confirmed malicious, some may generate noise since they are associated with Tor exit nodes. Organizations are advised to treat any traffic from these IPs to a Drift integration that results in a successfully authenticated Drift connection as malicious.

AI-Powered Analysis

Last updated: 09/08/2025, 11:31:41 UTC

Technical Analysis

This threat report details a campaign involving malicious activity targeting organizations using Drift integrations. Drift is a conversational marketing and sales platform that integrates with various business systems. The investigation uncovered multiple Indicators of Compromise (IOCs), primarily a list of IP addresses confirmed to be malicious and suspicious User-Agent strings. The key technical insight is that legitimate Drift integration traffic should only originate from a known set of IP addresses owned and operated by Drift. Any authenticated connections using Drift tokens from IP addresses outside this trusted set are considered suspicious and potentially malicious. The malicious IPs include some associated with Tor exit nodes, which may generate noise but should still be treated as suspicious if they successfully authenticate using Drift tokens. The campaign involves techniques related to authentication abuse (T1078), network reconnaissance (T1046), exploitation of public-facing applications (T1190), supply chain compromise (T1596), and persistence mechanisms (T1505.003). The threat actors appear to be leveraging stolen or otherwise compromised Drift tokens to gain unauthorized access to Drift integrations, potentially enabling them to manipulate or exfiltrate data, disrupt services, or move laterally within affected organizations. No specific CVEs or known exploits in the wild are reported, but the presence of authenticated malicious connections indicates a significant risk of compromise. Organizations are urged to scrutinize their logs for these IOCs and verify that all Drift integration traffic originates from legitimate Drift IPs. The reference link points to an update on investigations involving Mandiant, Drift, and Salesloft applications, indicating a broader context of supply chain and integration security concerns.

Potential Impact

For European organizations, the impact of this threat could be substantial, especially for those relying on Drift integrations for customer engagement, sales, or internal communications. Unauthorized access via compromised Drift tokens could lead to data leakage, including sensitive customer or business information, undermining confidentiality. Attackers might manipulate integration workflows, causing integrity issues or operational disruptions. Availability could also be affected if attackers deploy persistence mechanisms or disrupt integration services. Given the supply chain nature of the threat, organizations might face challenges in detecting and remediating compromises, potentially leading to prolonged exposure. Regulatory implications under GDPR are significant if personal data is accessed or exfiltrated, potentially resulting in fines and reputational damage. The involvement of Tor exit nodes complicates attribution and response, as attackers may obfuscate their origin. Overall, the threat could disrupt business operations, erode customer trust, and impose financial and compliance burdens on affected European entities.

Mitigation Recommendations

Organizations should implement the following specific mitigations:

1) Maintain and regularly update a whitelist of legitimate Drift IP addresses authorized to initiate authenticated connections.
2) Monitor all Drift integration traffic for connections originating from IPs outside this whitelist, especially those listed in the provided malicious IP indicators, and treat such connections as suspicious.
3) Implement strict token management policies, including immediate revocation and rotation of Drift tokens suspected to be compromised.
4) Enhance logging and alerting on Drift integration authentication events, correlating with IP reputation and User-Agent anomalies.
5) Conduct thorough audits of integration configurations and access controls to ensure least privilege principles are enforced.
6) Investigate any successful authenticated connections from Tor exit nodes or other suspicious sources promptly.
7) Coordinate with Drift and related vendors to receive timely threat intelligence updates and patches.
8) Educate relevant personnel on the risks of supply chain and integration-based attacks to improve detection and response capabilities.
9) Consider network segmentation to isolate Drift integrations and limit lateral movement opportunities.
10) Employ anomaly detection tools to identify unusual integration behaviors indicative of compromise.
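The detection logic the Technical Analysis describes (only successfully authenticated Drift-token connections count; a source outside Drift's published IPs is suspicious; a source that is also on the IOC list is malicious) and mitigations 1), 2) and 4) above reduce to a small hunting script. The following is an added example, not code from the pulse, AlienVault, or Drift. The Drift allowlist is a placeholder (Drift publishes the real ranges in its documentation), the log field names and sample lines are constructed, and the User-Agent markers are constructed stand-ins for the strings in the pulse's reference. Only the IOC IP list is taken from the page.

```python
"""Hunt authenticated Drift-token connections that did not originate from
Drift's published source IPs and score them against the pulse's IOC list.

Added example (not from the pulse). Allowlist, log format and UA markers are
constructed placeholders; the IOC IPs are the ones listed on the page.
"""
import ipaddress
import json
from typing import Iterable

# Placeholder allowlist: Drift publishes its real source IP ranges. This
# TEST-NET-3 range is constructed for the example and must be replaced.
DRIFT_ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]

# Confirmed-malicious source IPs from the pulse's IOC section.
PULSE_IOC_IPS = frozenset({
    "154.41.95.2", "176.65.149.100", "179.43.159.198", "185.130.47.58",
    "185.207.107.130", "185.220.101.133", "185.220.101.143",
    "185.220.101.164", "185.220.101.167", "185.220.101.169",
    "185.220.101.180", "185.220.101.185", "185.220.101.33",
    "192.42.116.179", "192.42.116.20", "194.15.36.117",
    "195.47.238.178", "195.47.238.83",
})

# Constructed User-Agent markers; substitute the suspicious UA strings from
# the pulse's reference document.
SUSPICIOUS_UA_MARKERS = ("python-requests", "curl/")

# Constructed sample log (one JSON object per line) from an integration
# endpoint that accepts Drift tokens. Field names are assumed.
SAMPLE_LOG = """\
{"ts":"2025-09-08T09:01:02Z","src_ip":"203.0.113.10","token_type":"drift","auth_ok":true,"user_agent":"Drift-Integration/1.0","path":"/api/contacts"}
{"ts":"2025-09-08T09:02:15Z","src_ip":"185.220.101.133","token_type":"drift","auth_ok":true,"user_agent":"python-requests/2.31","path":"/api/contacts/export"}
{"ts":"2025-09-08T09:03:40Z","src_ip":"198.51.100.7","token_type":"drift","auth_ok":true,"user_agent":"Mozilla/5.0","path":"/api/conversations"}
{"ts":"2025-09-08T09:04:01Z","src_ip":"192.42.116.20","token_type":"drift","auth_ok":false,"user_agent":"curl/8.0","path":"/api/contacts"}
{"ts":"2025-09-08T09:05:22Z","src_ip":"203.0.113.11","token_type":"drift","auth_ok":true,"user_agent":"curl/8.0","path":"/api/contacts"}
"""


def in_allowlist(ip: str, allowlist=DRIFT_ALLOWLIST) -> bool:
    """True when ip falls inside one of the allowlisted source ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowlist)


def classify(event: dict, allowlist=DRIFT_ALLOWLIST, ioc_ips=PULSE_IOC_IPS,
             ua_markers=SUSPICIOUS_UA_MARKERS) -> dict:
    """Return a verdict for one Drift-token event.

    Rule order follows the pulse: only successfully authenticated Drift-token
    connections are scored; a non-allowlisted source is suspicious, and a
    source that is also on the IOC list is treated as confirmed malicious.
    """
    ip = event["src_ip"]
    ua = event.get("user_agent", "")
    reasons = []

    if event.get("token_type") != "drift":
        return {"src_ip": ip, "verdict": "ignore", "reasons": ["not a Drift token"]}
    if not event.get("auth_ok"):
        # Failed attempts are kept for context but do not trigger an alert.
        return {"src_ip": ip, "verdict": "info", "reasons": ["authentication failed"]}

    if ip in ioc_ips:
        reasons.append("source IP is on the pulse IOC list")
    if not in_allowlist(ip, allowlist):
        reasons.append("source IP outside Drift allowlist")
    if any(m in ua for m in ua_markers):
        reasons.append(f"suspicious User-Agent: {ua}")

    if "source IP is on the pulse IOC list" in reasons:
        verdict = "malicious"
    elif "source IP outside Drift allowlist" in reasons:
        verdict = "suspicious"
    elif reasons:
        verdict = "review"   # allowlisted source but anomalous UA
    else:
        verdict = "expected"
    return {"src_ip": ip, "verdict": verdict, "reasons": reasons}


def hunt(lines: Iterable[str]) -> list[dict]:
    """Classify every JSON log line and return findings in log order."""
    findings = []
    for line in lines:
        line = line.strip()
        if line:
            findings.append(classify(json.loads(line)))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG.splitlines()):
        if f["verdict"] in ("malicious", "suspicious", "review"):
            print(f["verdict"].upper(), f["src_ip"], "; ".join(f["reasons"]))
```

Run against the sample log, the IOC hit from 185.220.101.133 is reported as malicious, the authenticated connection from the unlisted 198.51.100.7 as suspicious, and the allowlisted source with an odd User-Agent as review; the failed attempt from 192.42.116.20 is recorded but not alerted. Feed real gateway or application logs through `hunt()` once the allowlist and field names match your environment, and treat any "malicious" or "suspicious" finding as a trigger for the token revocation and rotation step in mitigation 3).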


Technical Details

Author: AlienVault
TLP: white
References: https://trust.salesloft.com/?uid=Update+on+Mandiant+Drift+and+Salesloft+Application+Investigations
Adversary: null
Pulse Id: 68beac3082729d311df92ef1
Threat Score: null

Indicators of Compromise

IP addresses (confirmed malicious; some are Tor exit nodes):

154.41.95.2
176.65.149.100
179.43.159.198
185.130.47.58
185.207.107.130
185.220.101.133
185.220.101.143
185.220.101.164
185.220.101.167
185.220.101.169
185.220.101.180
185.220.101.185
185.220.101.33
192.42.116.179
192.42.116.20
194.15.36.117
195.47.238.178
195.47.238.83

Threat ID: 68bebb19d5a2966cfc7ee07d

Added to database: 9/8/2025, 11:16:41 AM

Last enriched: 9/8/2025, 11:31:41 AM

Last updated: 9/9/2025, 4:04:27 PM

Views: 12
