top of page
  • Kathleen Maxted

Cyber Weekly Digest - 2023 Week #30


Take a look at this week's Cyber Weekly Digest where we dive into the latest cyber security news, including the latest MOVEIT victims and how attackers are carrying out sophisticated Microsoft Team phishing campaigns. Keep reading to stay up to date on biggest stories from around the world.


This week researchers discovered a campaign where hackers exploit a zero-day vulnerability in Salesforce's email services and SMTP servers to launch sophisticated phishing attacks targeting valuable Facebook accounts in order to steal credentials. The attackers chained a flaw called "PhishForce," to bypass Salesforce's sender verification safeguards and quirks in Facebook's web games platform to mass-send phishing emails. Utilising the Salesforce platform increases the perceived legitimacy of the phishing attacks and guarantees delivery. Attackers conducted the campaign by setting up a new "Email-to-Case" flow to gain control of a Salesforce-generated email address, then created a new inbound email address on the "salesforce.com" domain. They then set that address as an "Organisation-Wide Email Address," which Salesforce's Mass Mailer Gateway uses for outbound emails, and finally went through the verification process to confirm ownership of the domain. This meant attackers could send phishing emails that supposedly came from "Meta Platforms" using the "case.salesforce.com" domain.

Security vendor Ivanti has disclosed yet another critical vulnerability in its products, linked to a previous zero-day that was exploited by an APT group to compromise the Norwegian government. CVE-2023-35082 has a CVSS score 10 and is described as a remote unauthenticated API access vulnerability in MobileIron Core 11.2 and older. If exploited, it allows unauthorised users to access restricted resources without proper authentication. Rapid7 disclosed the vulnerability this week after investigating another critical Ivanti API vulnerability in MobileIron. Ivanti said it is not issuing a patch to address the bug in MobileIron Core 11.2 and earlier, as the product is now out of support. It urged users to upgrade to the latest version of Ivanti Endpoint Manager Mobile (EPMM).

On Wednesday, Microsoft disclosed a report identifying a set of highly targeted social engineering attacks carried out by a Russian nation-state threat actor using credential theft phishing lures sent as Microsoft Teams chats. The attacks have been associated with the threat group MidnightBlizzard also called APT29, BlueBravo, Cozy Bear, Iron Hemlock, and The Dukes. In this latest activity, the threat actor uses previously compromised Microsoft 365 tenants owned by small businesses to create new domains that appear as technical support entities. Microsoft noted, "Using these domains from compromised tenants, Midnight Blizzard leverages Teams messages to send lures that attempt to steal credentials from a targeted organisation by engaging a user and eliciting approval of multi-factor authentication (MFA) prompts."

The American division of an outsourcing company, Serco, has disclosed a breach after attackers stole the personal information of over 10,000 individuals from a third-party vendor's MoveIT-managed file transfer (MFT) server. The personal data compromised in the attack includes any combination of the following: name, US Social Security Number, date of birth, home mailing address, Serco and personal email addresses, and selected health benefits for the year. Serco is added to the long list of organisations affected by the MOVEIT attacks, which started earlier in the year when the Clop ransomware gang started exploiting the zero-day vulnerability.

According to researchers, hundreds of Citrix NetScaler ADC and Gateway servers have been breached by malicious actors to deploy web shells. The attackers have taken advantage of CVE-2023-3519, a critical code injection vulnerability that could lead to unauthenticated remote code execution. CVE-2023-3519 was previously exploited against an unnamed critical infrastructure organisation in June 2023, which the CISA disclosed. The flaw was patched by Citrix last month and carries a CVSS score of 9.8. The most significant number of impacted IP addresses are based in Germany, followed by France, Switzerland, Italy, Sweden, Spain, Japan, China, Austria, and Brazil.


6 views
bottom of page