Introduction
A recent zero-day vulnerability in Salesforce’s software was exploited by threat actors to phish Facebook credentials. This incident was first reported by Guardio Labs, who detected a sophisticated email phishing campaign exploiting this vulnerability in Salesforce’s legitimate email services and SMTP servers.
Details of the Attack
The attackers exploited a zero-day vulnerability in Salesforce’s software to launch a phishing campaign targeting Facebook credentials. The phishing emails appeared to be from Salesforce, a trusted source, which increased the likelihood of victims falling for the scam. The emails contained malicious links that redirected victims to a fake Facebook login page, where their credentials were harvested. The phishing kit was hosted and displayed as part of the Facebook gaming platform, further enhancing the illusion of legitimacy.
Threat Actor Profile
The identity of the threat actors remains unknown. However, the sophistication of the attack, the use of a zero-day vulnerability, and the targeting of a major cloud service provider like Salesforce suggest that the threat actors could be part of an advanced persistent threat (APT) group.
CVEs and MITRE ATT&CK TTPs
The attack aligns with several MITRE ATT&CK TTPs:
- Phishing (T1566): The attackers used phishing emails to trick victims into revealing their Facebook credentials.
- Exploit Public-Facing Application (T1190): The attackers exploited a vulnerability in Salesforce’s public-facing application to launch the attack.
- Supply Chain Compromise (TA0043): The attackers exploited a trusted relationship between Salesforce and its users, a form of supply chain compromise.
The Implications of Cloud Services Exploitation
Salesforce and similar cloud services are integral to many organisations, trusted for their security and reliability. This incident highlights the potential for future bugs to be discovered and exploited in such services, shedding light on a new potential area of targeting for threat actors.
Further Reading
For more information on this incident, refer to the original Guardio Labs article.