Salesforce vulnerability exploited

By using a component of Salesforce CRM, attackers were able to send out thousands of emails, luring people into entering credentials in a grand phishing scheme.

Meta investigating

Meta, the parent company of Facebook, is investigating how the false web page was allowed to be hosted.  Mitigation efforts have already been put in place by Meta and Salesforce CRM.

Another day, another victim

Attacks like these are becoming more and more common, and companies are struggling to keep up with the different attack vectors.


by Kevin Wood

Salesforce the latest victim of phishing attack

Zero-day vulnerability exploited in recent attack

Using a zero-day vulnerability in Salesforce CRM, attackers sent out realistic-looking emails designed to get a user to sign in with Facebook credentials, effectively handing over all of the information included in their Facebook account.

The trick to this attack was that the emails looked like they came from Meta, the parent company of Facebook, and advised the recipient of a violation of Facebook’s terms. A button in the email invited the user to review and resolve the issue on a very convincing landing page that was actually hosted on a facebook.com page.

The emails came from a salesforce.com email address and abused a zero-day vulnerability in Salesforce CRM’s “Email Gateway” component which was designed as a way of taking incoming emails and creating tickets based on them.

The vulnerability allowed the attacker to receive verification emails that gave them control of a legitimate Salesforce email address they used to send out the phishing emails.

In order to run the landing page on Facebook, the attackers hosted it on a legacy web game platform. Although that platform was discontinued in 2021, the attackers must have obtained access to an old game on it and posted the page that way.

Salesforce was notified of the attack on June 28th, 2023, immediately released a fix, and rolled it out to all impacted services within a month. Prior to that, Salesforce said they had no indication of an attack and found no evidence of an impact to any customer data.

Meta responded by immediately removing the account used in the malicious attack. They also began a deeper investigation into how the attackers were able to accomplish this and why such a page could still be hosted on a discontinued platform.

“We realized this address (the email address) is actually user controlled under the ‘Email-To-Case’ feature of Salesforce, used to automatically convert customer inbound emails into actionable tickets in the Salesforce system itself.”
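The attack described above combines a trusted sender domain (salesforce.com), a different brand in the message (Meta/Facebook), and a link to a legitimate domain. The following mail-filter check, added here as an example and not code from the article or from Salesforce, flags that combination; the relay and brand domain lists are assumptions to be adapted to your own environment, and both messages are constructed samples.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed lists: relays that send mail on behalf of many tenants, and the
# domains each brand actually mails from. Extend both for your environment.
SAAS_RELAY_DOMAINS = {"salesforce.com"}
BRAND_DOMAINS = {"meta": {"meta.com", "facebookmail.com"},
                 "facebook": {"facebook.com", "facebookmail.com"}}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def in_domain(host, domains):
    # True when host equals one of the domains or is a subdomain of it.
    return any(host == d or host.endswith("." + d) for d in domains)

def sender_domain(msg):
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()

def body_text(msg):
    # Collect text/plain and text/html parts; walk() also covers single-part mail.
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def flag_brand_relay_mismatch(raw):
    """Return reasons to quarantine the message, or [] when nothing looks off."""
    msg = message_from_string(raw)
    dom = sender_domain(msg)
    text = " ".join([msg.get("From", ""), msg.get("Subject", ""), body_text(msg)])
    reasons = []
    for brand, own in BRAND_DOMAINS.items():
        claims_brand = re.search(rf"\b{brand}\b", text, re.I)
        if claims_brand and in_domain(dom, SAAS_RELAY_DOMAINS) and not in_domain(dom, own):
            reasons.append(f"claims to be {brand} but was sent via the {dom} relay")
    if reasons and URL_RE.search(text):
        reasons.append("contains a link; a brand's own domain hosting the page is not proof of legitimacy")
    return reasons

# Constructed sample modelled on the article's description (not a real message).
PHISH = """\
From: Meta Policy Team <noreply@salesforce.com>
Subject: Your Facebook page violates our terms
Content-Type: text/plain; charset=utf-8

Review and resolve the issue here: https://www.facebook.com/CONSTRUCTED-PATH/
"""
# Constructed benign Salesforce case notification for comparison.
BENIGN = "From: Support <support@salesforce.com>\nSubject: Case 000123 updated\n\nLog in to view the case.\n"
```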

  • Have annual/semi-annual security training sessions
  • Give examples of attacks and how to identify them
  • Educate users as often as possible about new tactics
  • Contact BBG for assistance with technical consultation and security guidance