Salesforce and Gainsight Breach IOCs

Overview

Security teams have identified unauthorized access to Salesforce environments via a compromised Gainsight integration token. The intrusion appears highly targeted, with threat actors using automated queries to collect tenant metadata and user profile information. These findings raise concerns about later-stage activity, including possible ransomware deployment.

Key Findings

  • A YARA rule (below) for a potential new ransomware variant called sh1nysp1d3r
  • Multiple suspicious IP addresses have been observed in connection with the incident
  • Automation was detected using user agents such as Salesforce-Multi-Org-Fetcher/1.0 and several python-requests variants.
  • The attacker executed Salesforce queries to gather:
    1. Organization-level data
    2. User-specific data

Potential Impact

  • Exposure of sensitive org-level metadata
  • Leakage of user identity and role data, which ShinyHunters may use to target specific users.
    • They are highly adept at social engineering attacks.
  • Risk of downstream ransomware deployment
  • Reputational damage and financial risk from possible data exfiltration or encryption ransom demands

YARA rule for the sh1nysp1d3r ransomware sample:

rule Ransom_SHINYSPIDER_S1
{
    meta:
        author = "Chris Boyton"
        description = "New ransomware variant called sh1nysp1d3r"
        added = "2025-11-20"
    strings:
        $0 = "-/,s|oacjklpqruwx^LMCPSZ#7  , %!i))(tvrRuUeEaAlLsS01bBoOxX+-nNiIfFpP: 0b0x0X0o\\\\..??.\\ [(\"\")) )\n @s -> Pn=][}\n]"
        $1 = "rg/x/term\tv0.30.0\th1:PQ39fJZ+mfadBm0y5WlL4vlM7Sx1Hgf13sMIY2+QS9Y=\nbuild\t-buildmod"
    condition:
        all of them
}

Confirmed and suspected IPs associated with breach activity:

104.3.11[.]1
198.54.135[.]148
198.54.135[.]197
198.54.135[.]205
146.70.171[.]216
169.150.203[.]245
172.113.237[.]48
45.149.173[.]227
135.134.96[.]76
65.195.111[.]21
65.195.105[.]81
65.195.105[.]153
45.66.35[.]35
146.70.174[.]69
82.163.174[.]83
3.239.45[.]43
185.220.100[.]244
195.47.238[.]92
195.47.238[.]90
192.42.116[.]219

We are also seeing automated queries from the following user agents:

Salesforce-Multi-Org-Fetcher/1.0
python-requests/2.32.3
python-requests/2.28.1
python/3.11 aiohttp/3.13.1

with the following SOQL queries (Salesforce's SQL-like object query language), the first pulling org-level metadata and the second pulling per-user profile and role data:

SELECT Id, Name, OrganizationType, InstanceName, IsSandbox, TrialExpirationDate, ComplianceBccEmail, DefaultAccountAccess, DefaultContactAccess FROM Organization
SELECT Id, Name, Email, Username, Profile.Name, UserRole.Name, IsActive, CompanyName, Department, Division, Title FROM User WHERE Id = :id

Some noted SHA-256 hashes of the new sh1nysp1d3r ransomware (with first-seen date):

670a269d935f1586d4f0e5bed685d15a38e6fa790f763e6ed5c9fdd72dce3cf2 - 2025-11-19
62dc6ed7c83769648b5c59ad9cc2a4e26daec96a952eb44c93fd45f2011a3444 - 2025-11-11
3bf53cddf7eb98d9cb94f9aa9f36c211a464e2c1b278f091d6026003050281de - 2025-11-07

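To turn the indicators above into a hunt, here is an added example (not code from the original post) that checks exported API/login log lines against the listed IPs, the automation user agents, the two reconnaissance SOQL shapes, and the sh1nysp1d3r hashes. The pipe-delimited log format and the SAMPLE_LOG lines are constructed for this example; Salesforce EventLogFile exports use their own column names, so `parse_line` is the part to adapt. The `python-requests/` prefix match generalizes the post's "several python-requests variants" beyond the two versions listed.

```python
"""Hunt for the Salesforce/Gainsight indicators from this post in exported
API/login log lines.

Added example, not code from the original post. The pipe-delimited log
format (timestamp|source_ip|user_agent|soql) and the SAMPLE_LOG lines are
constructed for this example; adapt parse_line() to your own export.
"""
import ipaddress
import re

# Indicators copied from the post, kept defanged as published.
DEFANGED_IPS = [
    "104.3.11[.]1", "198.54.135[.]148", "198.54.135[.]197", "198.54.135[.]205",
    "146.70.171[.]216", "169.150.203[.]245", "172.113.237[.]48", "45.149.173[.]227",
    "135.134.96[.]76", "65.195.111[.]21", "65.195.105[.]81", "65.195.105[.]153",
    "45.66.35[.]35", "146.70.174[.]69", "82.163.174[.]83", "3.239.45[.]43",
    "185.220.100[.]244", "195.47.238[.]92", "195.47.238[.]90", "192.42.116[.]219",
]
SUSPICIOUS_USER_AGENTS = {
    "Salesforce-Multi-Org-Fetcher/1.0",
    "python-requests/2.32.3",
    "python-requests/2.28.1",
    "python/3.11 aiohttp/3.13.1",
}
SHINYSPIDER_SHA256 = {
    "670a269d935f1586d4f0e5bed685d15a38e6fa790f763e6ed5c9fdd72dce3cf2",
    "62dc6ed7c83769648b5c59ad9cc2a4e26daec96a952eb44c93fd45f2011a3444",
    "3bf53cddf7eb98d9cb94f9aa9f36c211a464e2c1b278f091d6026003050281de",
}


def refang(indicator: str) -> str:
    """Undo the [.] defanging used in the post so the IP can be parsed."""
    return indicator.replace("[.]", ".")


IOC_IPS = {ipaddress.ip_address(refang(ip)) for ip in DEFANGED_IPS}

# Shapes of the two reconnaissance SOQL queries quoted in the post:
# an org-wide Organization pull and a per-user Profile/Role lookup.
RE_FROM_ORG = re.compile(r"\bFROM\s+Organization\b", re.I)
RE_FROM_USER = re.compile(r"\bFROM\s+User\b", re.I)
RE_PROFILE_NAME = re.compile(r"\bProfile\.Name\b", re.I)


def is_recon_soql(query: str) -> bool:
    """True if the query matches one of the reconnaissance shapes above."""
    if RE_FROM_ORG.search(query):
        return True
    return bool(RE_FROM_USER.search(query) and RE_PROFILE_NAME.search(query))


def parse_line(line: str) -> dict:
    """Parse one constructed log line: timestamp|source_ip|user_agent|soql."""
    ts, ip, ua, query = line.rstrip("\n").split("|", 3)
    return {"ts": ts, "ip": ip, "ua": ua, "query": query}


def classify(rec: dict) -> list:
    """Return the indicator categories a parsed record matches."""
    hits = []
    try:
        if ipaddress.ip_address(rec["ip"]) in IOC_IPS:
            hits.append("ioc_ip")
    except ValueError:
        hits.append("unparseable_ip")  # surface bad data instead of silently skipping
    ua = rec["ua"]
    # Exact IoC user agents plus the "several python-requests variants" the post mentions.
    if ua in SUSPICIOUS_USER_AGENTS or ua.startswith("python-requests/"):
        hits.append("automation_ua")
    if is_recon_soql(rec["query"]):
        hits.append("recon_soql")
    return hits


def hunt(lines) -> list:
    """Return (timestamp, ip, hits) for every line matching at least one indicator."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        hits = classify(rec)
        if hits:
            findings.append((rec["ts"], rec["ip"], hits))
    return findings


def is_known_sample(sha256: str) -> bool:
    """Check a file hash against the sh1nysp1d3r SHA-256 values from the post."""
    return sha256.strip().lower() in SHINYSPIDER_SHA256


# Constructed sample log: two IoC-IP reconnaissance requests, one benign
# browser request from a documentation address, and one aiohttp request.
SAMPLE_LOG = """
2025-11-19T03:12:44Z|198.54.135.148|Salesforce-Multi-Org-Fetcher/1.0|SELECT Id, Name, OrganizationType, InstanceName, IsSandbox FROM Organization
2025-11-19T03:12:51Z|198.54.135.148|python-requests/2.32.3|SELECT Id, Name, Email, Username, Profile.Name, UserRole.Name FROM User WHERE Id = '005PLACEHOLDER'
2025-11-19T03:13:02Z|203.0.113.7|Mozilla/5.0 (Windows NT 10.0)|SELECT Id, Name FROM Account LIMIT 10
2025-11-19T03:15:30Z|10.0.0.5|python/3.11 aiohttp/3.13.1|SELECT Id FROM Contact LIMIT 1
"""

if __name__ == "__main__":
    for ts, ip, hits in hunt(SAMPLE_LOG.splitlines()):
        print(ts, ip, ", ".join(hits))
```

Running the block prints the two IoC-IP lines with all three categories and the aiohttp line with only automation_ua; the browser request from 203.0.113.7 produces no finding. A user-agent hit on its own is weak evidence (legitimate integrations use python-requests too), so treat the IP and SOQL-shape matches as the higher-confidence signals and pivot from them.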
This post is licensed under CC BY 4.0 by the author.