Weekly Cyber Briefing: 24 November 2025

Assured’s head of incident response reacts:

For Salesforce administrators and security teams who may have Gainsight-published applications (or any third-party connected apps) installed.

1: Review and Revoke Gainsight-Related Connected Apps

Salesforce has already revoked all active tokens for Gainsight-published apps, but you should still clean up manually to be 100% sure.

How to do it:

• Log in as a Salesforce admin → Setup → Quick Find: “Connected Apps OAuth Usage”
• Look for any Connected App containing Gainsight or Gainsight Inc
  • Common app names: Gainsight PX, Gainsight CS, Horizon AI, Gainsight NXT, etc.
• Click Block or Uninstall for each one.
• Alternative path: Setup → “Apps” → “Connected Apps” → “Manage Connected Apps” → filter by Gainsight → Revoke or Delete.

Also check:

• Setup → “Named Credentials” (if Gainsight used any)
• Setup → “Remote Site Settings” (remove any Gainsight domains if present)
• Rotate All Potentially Exposed Credentials
• Even though Salesforce revoked tokens, the original OAuth client secrets or refresh tokens may have been compromised at Gainsight’s end.

What to rotate:

• Any Salesforce API keys / connected app client secrets that Gainsight ever had access to.
• Session IDs or long-lived refresh tokens are stored in Gainsight’s systems.
• Integration user passwords (if you used a dedicated integration user for Gainsight).
• Personal access tokens or OAuth tokens are used by any custom middleware (MuleSoft, Boomi, Workato, etc.) that connects to Gainsight.

How:

• Go to Setup → “Users” → find the integration user → Reset Password + invalidate sessions.
• If you used a connected app with a client secret, create a new connected app and update the secret everywhere it’s used.

2: Review Permission Sets & Profiles Assigned to the Integration User

Gainsight integrations often require broad permissions (View All Data, Modify All Data, API Enabled, etc.).

Action items:

• Audit the integration user’s profile or permission sets.
• Reduce the scope to the minimum required once you reinstall the app (if you ever do).
• Consider using a scoped OAuth policy instead of “View All/Modify All”.

3: Check Event Monitoring / Login History for Suspicious Activity

Look for logins or API calls that originated from IP addresses external to your company, or Gainsight’s known ranges. Key reports to run:

• Setup → “Event Monitoring” → Event Log Files or Real-Time Event Monitoring (if you have the license)
• Look for ReportEvent, APIEvent, and LoginEvent within the date range 1^st November – 23^rd November.
• Filter by user: org’s Gainsight integration user
• Setup → “Login History” (under: Security)
• Setup → “OAuth Connected App Access History

Salesforce has released a Security Advisory article with a list of known IoC’s related to the threat actor(s).

https://help.salesforce.com/s/articleView?id=005229029&type=1

4: Enable or Tighten Multi-Factor Authentication (MFA) & Session Policies

If not already done:

• Enforce MFA for all users (especially admins and integration users).
• Lower session timeout for integration users (e.g., 1–2 hours instead of 24).
• Where possible, use IP Login Restrictions and/or Named Credentials with Certificate Authentication instead of username/password.

5: Monitor Gainsight’s Official Statements & Salesforce Trust Site

• Salesforce Trust status: https://status.salesforce.com
• Gainsight status page: https://status.gainsight.com
• Gainsight security bulletin (when published): usually at https://support.gainsight.com → Security Advisories

As of November 20, 2025, Gainsight apps remain disconnected from Salesforce and have not been relisted on the AppExchange. As a longer-term prevention measure, implement a third-party app risk review process (many companies now require SOC 2 Type II and external penetration test reports before installing AppExchange apps).

Assured’s head of incident response reacts:

An npm package is simply a reusable piece of JavaScript code that someone has published so that other developers can easily install and use it in their own projects. They let you run JavaScript code outside of browsers, on servers, in the command line and in desktop apps, etc.

Malware can be embedded in npm packages, and several real-world, high-profile attacks have involved doing so. This can be done using techniques including, but not limited to, the following:

• Typosquatting (using similarly titled packages – subbing a malicious one in for a useful one).
• Account compromise – hacking an npm maintainer’s account.
• Being intentionally written in by the author.
• Dependency confusion/package hijacking.

Once installed, the malware typically attempts to:

• Steal process.env (API keys, secrets)
• Steal ~/.npm/_authToken or ~/.npmrc
• Steal SSH keys, wallet files, and browser data
• Add persistence (cron jobs, startup items)
• Mine crypto (if high-download package)
• Phone home to the C2 server

To protect against this and similar supply-chain attacks, businesses, especially those relying on Node.js development, should implement a layered defence strategy. We’ve shared a structured overview of the key actions we would recommend:

Assured’s head of incident response reacts:

Malicious insiders have always been, and remain, the most challenging threat vector to defend against. The access rights they exploit have been legitimately granted to them, rendering traditional prevention and restriction measures largely ineffective. Monitoring for such threats is equally challenging: the overwhelming majority of employees are honest and productive, and in the EU, works councils typically view extensive employee surveillance with suspicion, often leading to regulatory scrutiny and significant penalties.

The malicious insider landscape has evolved in recent months. Increasingly, sophisticated threat actors actively entice unsuspecting or vulnerable employees, offering payment in exchange for sensitive information or direct access to systems. Disgruntled insiders no longer need to seek out opportunities; opportunities now seek them out. When adversaries identify a disgruntled or financially motivated individual, that person may willingly hand over the keys to the entire organisation.

Protecting against malicious insider threats is inherently challenging and requires a proper defence-in-depth strategy to have any realistic chance of success. The most effective approaches typically span three key domains:

1. Monitoring
   Continuous visibility into user behaviour is essential. Tools like Push Security can reveal browsing habits on corporate devices, offering early insight into an employee’s engagement, morale, or potential discontent. More advanced solutions, such as Vigilant Applications, enable real-time monitoring, review, alerting, and even blocking of sensitive actions as they occur. Selecting an appropriate level of monitoring for your business depends on your risk landscape, personal preferences, and regulatory restrictions, but spending time defining and implementing this level is crucial to protecting against the insider threat.
2. People management
   Think about taking anyone in the organisation who could seriously damage the business if they turned hostile out for lunch every few months. It sounds unconventional, but most people will voice their frustrations or concerns long before they ever consider acting maliciously.
3. Role-based access control (RBAC) & least privilege
   Strictly limiting what each account (especially administrative accounts) can do is critical. The difference between a minor incident and a catastrophic breach often comes down to whether a compromised or disgruntled user had unrestricted access.

Best practice includes:

• Creating dedicated admin accounts for specific tasks only
• Requiring explicit justification and approval before privileged access is granted
• Logging and monitoring all privileged activity from start to finish