McGraw-Hill Data Breach: Salesforce Misconfiguration Exploited
- [01] Immediate impact: Sensitive student records and internal data were exposed and exfiltrated by threat actors following a cloud platform misconfiguration.
- [02] Affected systems: Salesforce Community and Experience Cloud instances utilized by McGraw-Hill for internal data management and educational services.
- [03] Remediation: Audit Salesforce guest user permissions and restrict object-level access to prevent unauthorized data exposure through public-facing sites.
Overview of the McGraw-Hill Salesforce Breach
Educational publishing giant McGraw-Hill has confirmed a security incident involving the unauthorized access and exfiltration of internal data. According to BleepingComputer, the company discovered that threat actors exploited a misconfiguration within its Salesforce environment. The incident fits a growing pattern in which attackers bypass traditional phishing or ransomware tactics in favor of locating improperly secured cloud assets.
The breach was brought to light after the Mogilevich extortion group added McGraw-Hill to its leak site, claiming to have exfiltrated 22 GB of data. The group alleged the data contained a wide array of sensitive information, including student names, email addresses, and grades. McGraw-Hill has since stated that the vulnerability has been remediated and that they are in the process of notifying affected individuals.
Technical Analysis: Misconfigurations as an Attack Vector
The root cause of this incident was not a specific CVE in the Salesforce software itself, but rather a failure to properly configure access controls within Salesforce Communities (now known as Experience Cloud). These environments are often used by organizations to create public-facing portals for customers or partners. However, if not secured, they can provide a direct window into the organization’s underlying data objects.
Attackers frequently target the Salesforce Guest User profile. By default, guest users should have highly restricted access. However, if an administrator inadvertently grants permissions to view or query objects—such as ‘Contacts,’ ‘Leads,’ or custom objects containing student records—attackers can use the Salesforce Object Query Language (SOQL) via the platform’s APIs to systematically exfiltrate data. This method of extraction requires no privilege escalation, because the permissions are already granted at the configuration level.
How to Detect Salesforce Misconfiguration in Enterprise Environments
For security teams and the SOC, identifying these exposures before they are exploited is a priority. Organizations must perform regular audits of their Salesforce sharing rules and guest user profiles. A first step is to run the Salesforce ‘Health Check’ tool, which provides a security score based on platform settings. Specifically, analysts should look for the ‘Secure guest user record access’ setting; if it is disabled, guest users may be able to access records they do not own.
Furthermore, security professionals should monitor for anomalous API traffic. Large-scale SOQL queries originating from unknown IP addresses toward Experience Cloud endpoints are a significant IoC. Integrating Salesforce event logs into a SIEM can help identify when an actor is scraping data. Organizations should also map these activities against the MITRE ATT&CK framework, specifically focusing on Cloud Accounts (T1078.004) and Data from Cloud Storage Object (T1530).
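The anomalous-API-traffic check described above, as an added example rather than code from the article or from McGraw-Hill: it runs over a few constructed log records shaped like Salesforce EventLogFile "API" rows, totals the rows each (user, client IP) pair pulled, and alerts when a pair outside a known network exceeds a threshold. The column names (TIMESTAMP_DERIVED, USER_ID, CLIENT_IP, ENTITY_NAME, ROWS_PROCESSED, URI) follow the EventLogFile schema as commonly exported but should be verified against your org's files; the network allowlist, the threshold, and the user IDs are assumptions.

```python
"""Flag bulk SOQL scraping via the Salesforce API from unexpected client IPs.

Added example, not from the original article. Input is constructed CSV in
the shape of Salesforce EventLogFile "API" rows; verify field names against
your own exports. KNOWN_NETWORKS and ROWS_THRESHOLD are assumptions to tune.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample log: six API events with a CSV header row.
SAMPLE_LOG = """\
EVENT_TYPE,TIMESTAMP_DERIVED,USER_ID,CLIENT_IP,ENTITY_NAME,ROWS_PROCESSED,URI
API,2024-01-10T08:00:01Z,005GUEST00000001,203.0.113.7,Contact,2000,/services/data/v58.0/query
API,2024-01-10T08:00:05Z,005GUEST00000001,203.0.113.7,Contact,2000,/services/data/v58.0/query
API,2024-01-10T08:00:09Z,005GUEST00000001,203.0.113.7,Student__c,2000,/services/data/v58.0/query
API,2024-01-10T08:01:00Z,005ADMIN00000001,10.20.30.40,Account,40,/services/data/v58.0/query
API,2024-01-10T08:02:00Z,005ADMIN00000001,10.20.30.40,Contact,15,/services/data/v58.0/query
API,2024-01-10T08:03:00Z,005GUEST00000001,198.51.100.9,Contact,25,/services/data/v58.0/query
"""

# Assumed: corporate egress range from which API traffic is expected.
KNOWN_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
# Assumed: rows pulled in the window beyond which a (user, IP) pair is suspicious.
ROWS_THRESHOLD = 1000


def parse_api_events(text):
    """Parse CSV rows into dicts, keeping only API events and coercing row counts."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["EVENT_TYPE"] != "API":
            continue
        row["ROWS_PROCESSED"] = int(row["ROWS_PROCESSED"] or 0)
        events.append(row)
    return events


def is_known_ip(ip_str):
    """True when the client IP falls inside an allowlisted network."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in KNOWN_NETWORKS)


def find_scraping(events, threshold=ROWS_THRESHOLD):
    """Return one alert per (user, IP) pair that pulled more than `threshold`
    rows from outside KNOWN_NETWORKS, listing the objects it touched."""
    totals = defaultdict(int)
    objects = defaultdict(set)
    for e in events:
        key = (e["USER_ID"], e["CLIENT_IP"])
        totals[key] += e["ROWS_PROCESSED"]
        objects[key].add(e["ENTITY_NAME"])
    alerts = []
    for (user, ip), rows in sorted(totals.items()):
        if rows > threshold and not is_known_ip(ip):
            alerts.append({"user": user, "ip": ip, "rows": rows,
                           "objects": sorted(objects[(user, ip)])})
    return alerts


if __name__ == "__main__":
    for a in find_scraping(parse_api_events(SAMPLE_LOG)):
        print(f"ALERT user={a['user']} ip={a['ip']} rows={a['rows']} objects={a['objects']}")
```

In a SIEM the same logic would be a scheduled aggregation over the EventLogFile feed keyed on user and client IP; the per-object breakdown is what tells the responder whether the scraped objects hold regulated data.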
The Role of the Mogilevich Extortion Group
The Mogilevich group is a relatively new player in the extortion space. Unlike groups that prioritize the encryption of systems, the Mogilevich extortion group’s tactics focus almost exclusively on data exfiltration and subsequent pressure campaigns. They often target misconfigured cloud buckets, databases, and SaaS platforms. There has been some industry debate regarding the veracity of all their claims, as the group has previously claimed breaches that were difficult to verify. In the case of McGraw-Hill, however, the company’s confirmation validates that the group identified and leveraged a legitimate security gap.
Recommendations for Defense
To mitigate the risk of similar breaches, organizations must adopt a Zero Trust approach to cloud application permissions. Relying on default settings is insufficient for complex SaaS environments.
- Restrict Guest Access: Ensure that the ‘Guest User’ profile has ‘View All’ and ‘Modify All’ permissions disabled for all objects. Guest user access should be configured to follow the principle of least privilege.
- Enable Secure Guest Access: Ensure that the ‘Secure Guest User Record Access’ setting is enabled in the Salesforce Sharing Settings. This enforces that guest users can only access records shared through ‘Guest User Sharing Rules.’
- Regular Configuration Audits: Implement automated tools or third-party SaaS Security Posture Management (SSPM) solutions to continuously monitor for configuration drift.
- External Surface Mapping: Use external attack surface management tools to identify all active Experience Cloud sites, including ‘ghost’ sites that may have been created for testing and never decommissioned.
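The first two recommendations as an offline audit check, added here as an example and not code from McGraw-Hill, Salesforce, or the article. It takes rows in the shape of a SOQL result on the ObjectPermissions object for the guest user's profile (SobjectType, PermissionsRead, PermissionsViewAllRecords, PermissionsModifyAllRecords) plus a sharing-settings flag, and reports any object with View All or Modify All, any readable object outside an allowlist, and the Secure Guest User Record Access setting being off. The sample rows, the allowlist, and the `SecureGuestUserRecordAccess` key name are constructed for the example; the real setting name in your metadata export may differ.

```python
"""Audit a Salesforce guest profile's object permissions for least privilege.

Added example, not the vendor's or the publisher's code. Rows mirror the
ObjectPermissions SOQL object; the sharing-settings key and the allowlist
are assumptions for the example.
"""

# Assumed: the only object the public site legitimately needs guests to read.
GUEST_READ_ALLOWLIST = {"Knowledge__kav"}

# Constructed sample, shaped like a query on ObjectPermissions for the
# guest user's profile.
SAMPLE_OBJECT_PERMISSIONS = [
    {"SobjectType": "Knowledge__kav", "PermissionsRead": True,
     "PermissionsViewAllRecords": False, "PermissionsModifyAllRecords": False},
    {"SobjectType": "Contact", "PermissionsRead": True,
     "PermissionsViewAllRecords": True, "PermissionsModifyAllRecords": False},
    {"SobjectType": "Student_Record__c", "PermissionsRead": True,
     "PermissionsViewAllRecords": False, "PermissionsModifyAllRecords": True},
    {"SobjectType": "Account", "PermissionsRead": False,
     "PermissionsViewAllRecords": False, "PermissionsModifyAllRecords": False},
]

# Constructed: sharing settings with the secure-guest-access control disabled.
SAMPLE_SHARING_SETTINGS = {"SecureGuestUserRecordAccess": False}


def audit_guest_permissions(object_perms, sharing_settings,
                            allowlist=GUEST_READ_ALLOWLIST):
    """Return (severity, finding) tuples for each least-privilege violation."""
    findings = []
    for p in object_perms:
        obj = p["SobjectType"]
        # View All / Modify All bypass sharing rules entirely: always a finding.
        if p.get("PermissionsModifyAllRecords"):
            findings.append(("HIGH", f"{obj}: Modify All enabled on guest profile"))
        if p.get("PermissionsViewAllRecords"):
            findings.append(("HIGH", f"{obj}: View All enabled on guest profile"))
        # Plain read access is acceptable only for objects the site must expose.
        if p.get("PermissionsRead") and obj not in allowlist:
            findings.append(("MEDIUM", f"{obj}: Read enabled but not on guest allowlist"))
    if not sharing_settings.get("SecureGuestUserRecordAccess", False):
        findings.append(("HIGH", "Secure Guest User Record Access is disabled"))
    return findings


def count_by_severity(findings):
    """Summarize findings as {severity: count} for a posture dashboard."""
    counts = {}
    for sev, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_guest_permissions(SAMPLE_OBJECT_PERMISSIONS, SAMPLE_SHARING_SETTINGS)
    for sev, msg in results:
        print(f"[{sev}] {msg}")
    print(count_by_severity(results))
```

Run against live data, the input rows would come from a query on ObjectPermissions filtered to the guest profile's permission set, scheduled so that configuration drift (a permission added for a demo and never removed) surfaces in the next run rather than on a leak site.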