Salesforce email zero-day exploit and Microsoft Power Platform criticism
Hackers exploit a zero-day vulnerability in Salesforce's email services, Microsoft fixes a Power Platform flaw after criticism from Tenable's CEO, and Google describes the versioning technique used to bypass Play Store security. Catch all this and more in this week's edition of Cybersecurity Weekly.
1. Threat actors exploit Salesforce email services zero-day for Facebook phishing attack
Guardio Labs analysts recently discovered that hackers exploited a flaw in Salesforce’s email system to send phishing emails to Facebook users. Leveraging Salesforce's trusted infrastructure, the attackers evaded standard email defenses, sending deceptive messages from a "salesforce.com" domain. These emails misdirected victims to a fake page on Facebook's gaming platform, posing as "Meta Platforms." Salesforce rectified the vulnerability a month following the report, while Meta continues its investigation into the security lapse.
2. Microsoft addresses Power Platform flaw after criticism from Tenable CEO
Microsoft on Friday announced a fix for a critical Power Platform flaw. This vulnerability, pinpointed by Tenable in March 2023, risked unauthorized data access. In response, Microsoft provided an initial patch in June. However, it wasn't until August 2 that they rolled out a comprehensive solution. Amid these developments, Tenable CEO Amit Yoran expressed concerns about the delay. In response, the tech giant emphasized the challenge of swiftly patching without compromising security.
3. Google reveals how malicious actors use versioning to bypass Play Store security
Google Cloud's security team recently highlighted a sneaky method hackers use to get around Play Store's safety measures. They start with genuine apps and later slip in harmful updates or use dynamic code loading (DCL) to bypass checks. Even with Google's tight screening, DCL can find a way through. One example of this is the SharkBot malware; it seems safe initially but shows its malicious intent after download. Google warns users to be vigilant and stresses the importance of only updating apps through official channels.
4. Reptile Rootkit deployed in attacks on Linux systems in South Korea
South Korean Linux systems are under attack. Researchers from AhnLab Security Emergency Response Center (ASEC) identified threat actors using an open-source rootkit called Reptile. Distinct from other rootkits, Reptile provides a reverse shell that waits for specific attacker commands. Multiple campaigns since 2022 have weaponized Reptile, with notable use by a China-linked group exploiting Fortinet vulnerabilities. A unique feature, the KHOOK engine, lets Reptile hook Linux kernel functions. Further, ASEC's study found these actors using an uncommon ICMP-based shell, named ISH, to sidestep regular network detections. The open-source nature of Reptile means it's adaptable, raising concerns about its evolving use in future cyberattacks.
5. Researchers reveal Amazon’s AWS SSM agent can be used as a RAT
Mitiga researchers have identified a flaw in Amazon's AWS Systems Manager (SSM) agent that enables hackers to use it as a Remote Access Trojan (RAT). Abused this way, the legitimate agent can give attackers covert access to both Windows and Linux systems while bypassing typical security detections. Mitiga warns that cybercriminals might exploit this method if they are not already doing so. The technique hinges on the SSM agent's "hybrid" mode, which potentially grants attackers access even outside AWS environments. While Amazon insists its software operates as intended, it recommends that customers follow best practices for enhanced security.
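Because the agent is legitimate software, the practical defence is an inventory check rather than a signature: know which hybrid-mode (non-EC2) nodes you registered and notice any you did not. The following is an added example, not code from Mitiga or from AWS. It audits a constructed list shaped like the entries that the SSM DescribeInstanceInformation API returns (field names such as ResourceType and ComputerName are taken from the AWS API reference but should be verified against your own output), and it adds a host-side check for the case where an agent on an EC2 instance carries a hybrid registration. The registration file path, the approved-host inventory and the corporate address ranges are assumptions of the example.

```python
import ipaddress
import json

# Constructed sample shaped like InstanceInformationList entries from the SSM
# DescribeInstanceInformation API (field names per the AWS API reference; treat the
# shape as an assumption and confirm it against real output).
SAMPLE_NODES = [
    {"InstanceId": "i-0abc123def4567890", "ResourceType": "EC2Instance",
     "PingStatus": "Online", "ComputerName": "ip-10-0-1-20.ec2.internal",
     "IPAddress": "10.0.1.20", "PlatformType": "Linux"},
    {"InstanceId": "mi-0123456789abcdef0", "ResourceType": "ManagedInstance",
     "PingStatus": "Online", "ComputerName": "dc-backup01.corp.example",
     "IPAddress": "192.168.10.5", "PlatformType": "Windows"},
    {"InstanceId": "mi-0fedcba9876543210", "ResourceType": "ManagedInstance",
     "PingStatus": "Online", "ComputerName": "DESKTOP-7Q3K2",
     "IPAddress": "203.0.113.44", "PlatformType": "Windows"},
]

# Hypothetical inventory: hostnames you deliberately onboarded via a hybrid activation.
APPROVED_HYBRID_HOSTS = {"dc-backup01.corp.example"}
# Hypothetical address space from which your own on-premises nodes check in.
CORPORATE_RANGES = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("192.168.0.0/16")]


def is_hybrid_node(node):
    """Hybrid-activated (non-EC2) nodes report ResourceType ManagedInstance and an mi- ID."""
    return (node.get("ResourceType") == "ManagedInstance"
            or node.get("InstanceId", "").startswith("mi-"))


def audit_ssm_nodes(nodes, approved_hosts, corporate_ranges):
    """
    Account-side check: a finding for every hybrid node that is not in the approved
    inventory or that reports an IP outside the expected ranges. Such a node may be
    a machine someone else registered against your account.
    """
    findings = []
    for node in nodes:
        if not is_hybrid_node(node):
            continue
        reasons = []
        if node.get("ComputerName") not in approved_hosts:
            reasons.append("unapproved-hybrid-host")
        try:
            addr = ipaddress.ip_address(node.get("IPAddress", ""))
        except ValueError:
            addr = None
        if addr is None or not any(addr in net for net in corporate_ranges):
            reasons.append("ip-outside-corporate-ranges")
        if reasons:
            findings.append({"InstanceId": node.get("InstanceId"),
                             "ComputerName": node.get("ComputerName"),
                             "IPAddress": node.get("IPAddress"),
                             "PingStatus": node.get("PingStatus"),
                             "reasons": reasons})
    return findings


# Linux path where the agent keeps a hybrid registration (assumed here; confirm for
# your agent version). An ordinary EC2 instance should carry no such file.
REGISTRATION_PATH = "/var/lib/amazon/ssm/registration"


def hybrid_registration_on_ec2(registration_text, imds_instance_id):
    """
    Host-side check: True when a hybrid registration exists on a machine whose
    IMDS identity is an EC2 instance (i-...). That combination means the agent
    answers to a managed-instance identity that may belong to another account.
    """
    if not registration_text:
        return False
    try:
        reg = json.loads(registration_text)
    except ValueError:
        return False
    return (imds_instance_id.startswith("i-")
            and str(reg.get("ManagedInstanceID", "")).startswith("mi-"))


if __name__ == "__main__":
    for f in audit_ssm_nodes(SAMPLE_NODES, APPROVED_HYBRID_HOSTS, CORPORATE_RANGES):
        print(f"{f['InstanceId']} ({f['ComputerName']}, {f['IPAddress']}): {f['reasons']}")
    # Constructed registration content for the host-side check.
    sample_reg = '{"ManagedInstanceID":"mi-0fedcba9876543210","Region":"us-east-1"}'
    print("hybrid registration on EC2:", hybrid_registration_on_ec2(sample_reg, "i-0abc123def4567890"))
```

In a live account the node list comes from the boto3 call `ssm.describe_instance_information()` (paginated), and the host-side inputs come from reading the registration file and querying the instance metadata service; the example keeps both as constructed values so it runs offline. The two checks cover the two directions of the problem: hybrid nodes that appeared in your account without your inventory knowing, and an agent on your own EC2 instance that holds a managed-instance identity it should not have.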