PhishForce – Salesforce Zero-Day Exploitation

Introduction

A recent zero-day vulnerability in Salesforce’s software was exploited by threat actors to phish Facebook credentials. This incident was first reported by Guardio Labs, who detected a sophisticated email phishing campaign exploiting this vulnerability in Salesforce’s legitimate email services and SMTP servers.

Details of the Attack

The attackers exploited a zero-day vulnerability in Salesforce’s software to launch a phishing campaign targeting Facebook credentials. The phishing emails appeared to be from Salesforce, a trusted source, which increased the likelihood of victims falling for the scam. The emails contained malicious links that redirected victims to a fake Facebook login page, where their credentials were harvested. The phishing kit was hosted and displayed as part of the Facebook gaming platform, further enhancing the illusion of legitimacy.

Threat Actor Profile

The identity of the threat actors remains unknown. However, the sophistication of the attack, the use of a zero-day vulnerability, and the targeting of a major cloud service provider like Salesforce suggest that the threat actors could be part of an advanced persistent threat (APT) group.

CVEs and MITRE ATT&CK TTPs

Tthe attack aligns with several MITRE ATT&CK TTPs:

The Implications of Cloud Services Exploitation

Salesforce and similar cloud services are integral to many organisations, trusted for their security and reliability. This incident highlights the potential for future bugs to be discovered and exploited in such services, shedding light on a new potential area of targeting for threat actors.

Further Reading

For more information on this incident, refer to the original Guardio Labs article.