What's Going On at Salesforce?

Episode 347

This week on the podcast, we discuss the wave of extortion attacks targeting companies that use Salesforce. After that, we discuss Discord's breach involving their customer support application. Finally, we dive deep into the recent Oracle E-Business Suite zero day vulnerability and how attackers chained together multiple low-severity findings into a critical issue.

Transcript

https://otter.ai/u/flxJaa93rCG0JVeZeQR_mw-v_Zo?view=summary

Marc Laliberte and Corey Nachreiner discuss recent cybersecurity breaches and vulnerabilities. They highlight Salesforce's ongoing problem with threat actors stealing customer records, including a group claiming to have stolen a billion records. Discord suffered a data breach that, by Discord's account, exposed 70,000 ID photos, while the attackers claimed 2.1 million. Oracle's E-Business Suite had a zero-day vulnerability exploited by the Clop ransomware group, allowing unauthenticated remote code execution. The exploit chain involved server-side request forgery, carriage return line feed (CRLF) injection, and path traversal. Both hosts emphasize the importance of patching and secure development practices.

Action Items

  • [ ] Consider implementing a standardized age verification platform that all applications can hook into, rather than each application handling it independently.
  • [ ] Implement abuse detection capabilities and better validation for help desk changes in the Salesforce tenant.
  • [ ] Patch the Oracle E-Business Suite application to address the vulnerability.

Outline

Salesforce Data Breach and Extortion Attempts

  • Marc Laliberte introduces the episode, mentioning Salesforce, Zendesk, and Oracle's E-Business Suite.
  • Marc and Corey discuss the ongoing threat actor targeting Salesforce customers, using social engineering to steal information.
  • A group called Scattered Lapsus Hunters claimed to have stolen about a billion records from Salesforce customers and attempted to extort Salesforce in exchange for not leaking the entire record set online.
  • Corey mentions previous extortion attacks by the same threat actors, including Jaguar Land Rover and Marks and Spencer.
  • Marc and Corey discuss the decentralized nature of these threat actor groups, comparing them to Anonymous, and the potential for lower-level members to continue the attacks after arrests.

Social Engineering and Data Theft Methods

  • Marc explains the various methods used by threat actors to steal data from Salesforce, including social engineering, vishing (voice phishing), and impersonating IT help desks.
  • Corey mentions the Google Threat Research Group's findings on the use of legitimate Salesforce data loaders by attackers.
  • Marc and Corey discuss the importance of MFA for phone-based requests and the potential for AI to automate vishing calls and spoof legitimate phone numbers.
  • They explore the idea of a digital ID for everyone, similar to what some countries are starting to roll out.
  • Marc and Corey agree on the need for better detection capabilities and validation for help desk changes in Salesforce tenants.

Discord Data Breach and Age Verification Issues

  • Marc introduces the next story about Discord's data breach involving their Zendesk customer support instance, exposing ID cards and other sensitive information.
  • Discord claims fewer than 70,000 photos were stolen, while the attackers claim 8.4 million tickets affecting 5.5 million users.
  • Marc and Corey discuss the potential misuse of stolen IDs, including identity theft and the use of stolen identities for creating AWS accounts.
  • They explore the reasons why Discord might store age verification photos, including corporate greed and incompetence.
  • Corey suggests the need for a standardized age verification platform to prevent such data breaches.

Oracle's Zero-Day Vulnerability and Extortion

  • Marc introduces the last story about Oracle's unauthenticated remote code execution vulnerability in their E-Business Suite application.
  • The vulnerability has been under active exploitation since at least September 29 by groups associated with the Clop ransomware operation.
  • watchTowr Labs analyzed the exploit, revealing a chain of low- and medium-severity vulnerabilities combined into a critical flaw.
  • The exploit chain includes a server-side request forgery, carriage return line feed injection, and a path traversal vulnerability.
  • The attackers used the vulnerabilities to deploy a web shell, steal sensitive data, and extort targets using compromised email accounts.
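As an added illustration (not code from Oracle, watchTowr Labs or the podcast), the following Python shows the defender's side of two bug classes the chain combined: rejecting CRLF sequences before user input reaches a response header, confining a user-supplied file path to a base directory, and tagging request lines that show signs of either. The sample request lines, the base directory and all function names are constructed for this example; the page does not describe Oracle's actual code or endpoints.

```python
"""Defensive checks for CRLF injection and path traversal, plus a log-side
indicator scan. Added example; none of this is Oracle's, watchTowr Labs' or
the podcast's own code, and every path and request below is constructed."""
import posixpath
from urllib.parse import parse_qs, unquote, urlsplit

# Characters that must never be copied from user input into an HTTP header line.
_HEADER_CONTROL_CHARS = ("\r", "\n", "\x00")

# Constructed request targets, as a proxy or application log might record them.
SAMPLE_REQUESTS = [
    "/app/help/index.html",
    "/app/help/..%2F..%2Fetc%2Fpasswd",
    "/app/redirect?url=http://internal-host%0d%0aX-Injected:%201",
]


def safe_header_value(value: str) -> str:
    """Return value unchanged if it may be placed in a header; raise otherwise.

    Run this on the *decoded* value: an encoded %0d%0a only becomes a real line
    break after the framework percent-decodes it, so a check on the raw string
    would miss it.
    """
    for ch in _HEADER_CONTROL_CHARS:
        if ch in value:
            raise ValueError("control character in header value (CRLF injection)")
    return value


def resolve_under_root(root: str, user_path: str) -> str:
    """Join an already-decoded user path onto root and prove it stays inside root.

    Pure string normalisation keeps the example filesystem-free; a production
    version should also pass the result through os.path.realpath so that a
    symlink inside root cannot point outside it.
    """
    if "\x00" in user_path:
        raise ValueError("NUL byte in path")
    root_norm = posixpath.normpath(root)
    if root_norm == "/":
        raise ValueError("refusing to use the filesystem root as the base directory")
    # Treat a leading slash as relative so "/etc/passwd" cannot escape on its own.
    candidate = posixpath.normpath(posixpath.join(root_norm, user_path.lstrip("/")))
    if candidate != root_norm and not candidate.startswith(root_norm + "/"):
        raise ValueError("path escapes the allowed directory")
    return candidate


def request_indicators(request_target: str) -> list:
    """Tag a raw request target with the injection classes it shows signs of."""
    decoded = unquote(unquote(request_target))  # double-decode catches %252e%252e
    tags = []
    if "\r" in decoded or "\n" in decoded:
        tags.append("crlf")
    parts = urlsplit(decoded)  # note: urlsplit itself strips CR/LF, hence the check above
    if ".." in parts.path.replace("\\", "/").split("/"):
        tags.append("traversal")
    for values in parse_qs(parts.query, keep_blank_values=True).values():
        if any(v.lower().startswith(("http://", "https://")) for v in values):
            tags.append("url-in-parameter")  # a candidate for SSRF review, not proof
            break
    return tags


def scan_samples() -> dict:
    """Run the indicator scan over the constructed sample requests."""
    return {req: request_indicators(req) for req in SAMPLE_REQUESTS}


def rejects(fn, *args) -> bool:
    """True if fn(*args) raises ValueError; used to make the checks testable."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for req, tags in scan_samples().items():
        print(f"{req!r}: {tags}")
    print(resolve_under_root("/srv/app/files", "reports/../q1.pdf"))
```

The scan is deliberately a triage aid: `url-in-parameter` flags a request for review rather than asserting SSRF, and the containment check refuses to work from `/` because a base directory that broad makes the prefix test meaningless.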

Implications and Practical Tips

  • Marc and Corey discuss the implications of the Oracle vulnerability, including the need for secure software development life cycles and prioritizing low and medium severity vulnerabilities.
  • They explore the potential for insiders to sell zero-day vulnerabilities and the importance of thorough vulnerability assessments.
  • Corey emphasizes the need for organizations to have a robust incident response plan and to prioritize patching known exploitable vulnerabilities.
  • Marc and Corey agree on the importance of regulatory measures, such as the EU's Cyber Resilience Act, to ensure vendors fix all vulnerabilities in their applications.
  • They conclude with practical tips for organizations to protect themselves from such attacks, including implementing MFA and least privilege access.