Social engineering attacks were mounted against users' Facebook accounts.
Threat actors exploit Salesforce vulnerability.
Guardio discovered a zero-day vulnerability affecting Salesforce’s email services and SMTP servers. Attackers exploited the vulnerability to launch phishing campaigns targeting Facebook accounts: “Guardio Labs’ research team has uncovered an actively exploited vulnerability enabling threat actors to craft targeted phishing emails under the Salesforce domain and infrastructure. Those phishing campaigns cleverly evade conventional detection methods by chaining the Salesforce vulnerability and legacy quirks in Facebook’s web games platform.”
Salesforce patched last week.
Salesforce issued a patch for the flaw on July 28th. The company said in a statement, “We value the contributions of the security research community to help enhance our security efforts, and we are grateful to Guardio Labs for their responsible disclosure of this issue. Our team has resolved the issue, and at this time there is no evidence of impact to customer data. We continually encourage researchers to share their findings with our team at security@salesforce.com.”
Industry comment on an apparent failure of automated controls.
Max Gannon, Senior Cyber Threat Intelligence Analyst, Cofense, commented, “This is another instance of automated controls failing. It's disappointing that it happened and easy to point the finger at Salesforce, but realistically 0-days happen and you can't fully rely on automated systems without making the assumption that this sort of thing will eventually happen. That is just what happens when you rely on vendors like SEGs too much. There were certainly aspects of this campaign that might mislead a normal user, however, even if the email coming from Salesforce is enough to make it look legitimate any user who reads the email that purports to be from Facebook could easily figure out that it was a phish.”