<h1>More than 1 billion Salesforce records stolen: the fingerprint of the Scattered Lapsus$ Hunters group</h1>
<p><i>Published 2025-10-14 (updated 2026-02-05). Permalink: <a href="https://infosec.new88088.net/2025/10/14/hon-1-ty-ban-ghi-salesforce-bi-danh-cap-dau-an-cua-nhom-scattered-lapsus-hunters/">https://infosec.new88088.net/2025/10/14/hon-1-ty-ban-ghi-salesforce-bi-danh-cap-dau-an-cua-nhom-scattered-lapsus-hunters/</a></i></p>
<p><b>A hacker group calling itself Scattered Lapsus$ Hunters has claimed responsibility for the theft of more than 1 billion data records from Salesforce systems worldwide. It is one of the most serious attacks yet aimed at an enterprise cloud platform, and it has the security community particularly worried.</b></p>
<p>According to experts, the campaign was first detected when several companies noticed unusual queries in their Salesforce systems, typically occurring at night. Investigation logs showed that the volume of data being accessed far exceeded normal thresholds, revealing a large-scale automated data-extraction tool running in the background.</p>
<p>The group combined phishing emails and credential stuffing to gain initial access. Victims received emails that looked like legitimate security-update notices from Salesforce or Microsoft Office, with an attachment carrying a malicious macro. When the file was opened, the macro silently downloaded a loader written in Go that contacted the attackers' command-and-control server.</p>
<p>Once inside, the malware used PowerShell to trigger the download of the main payload. That tool checks whether it is being analysed in a sandbox, then steals the credentials stored in Windows Credential Manager and uses them to authenticate to the Salesforce API.</p>
<p>With access in hand, the malware automatically enumerates the data schema and builds queries to download the data in chunks: customer information, revenue forecasts, contracts, business strategy, and internal files. Everything is encrypted with ChaCha20 before being sent to the attackers' server over HTTPS, which helps it evade detection.</p>
<p>Notably, the software also creates a scheduled task named <i>UpdaterSvc</i> that restarts the extraction process every 2 hours, maintaining access and "draining" the data without the user or the system noticing.</p>
<p>Analysts estimate the exfiltration rate could reach 500GB per hour, showing how thoroughly the group has optimised its infrastructure and tooling. This threatens not only customers' personal information; it also exposes business strategies, sales plans, and confidential negotiation data, assets of immense value to a company.</p>
<p>Because Salesforce sits at the centre of many business processes, an intrusion like this can paralyse operations, damage reputation, and cause a serious loss of trust.</p>
<p>Experts say the incident reflects the growing risk in securing cloud infrastructure, where a single API account or a single misconfiguration is enough for an attacker to get in. To reduce that risk, organisations should:</p>
<ul>
<li>Enable multi-factor authentication for every administrative and API account.</li>
<li>Audit and restrict the access permissions of service accounts.</li>
<li>Disable or monitor macros in Office email attachments, especially in unfamiliar files.</li>
<li>Set up anomaly alerts on Salesforce logs.</li>
<li>Periodically review old APIs and tokens that are no longer in use.</li>
</ul>
<p>The Scattered Lapsus$ Hunters case is a reminder that cloud security depends not only on the provider but also on how customers manage accounts, access rights, and internal processes. As hacker groups become increasingly specialised in API exploitation and attack automation, companies must shift from a "defence" mindset to "smart prevention", before their valuable data is "drained" in a matter of hours.</p>
<div style="text-align: right"><b><i>WhiteHat</i></b></div>
<div style="text-align: right;margin-top: 16px"><i>Source: <a href="https://whitehat.vn/threads/hon-1-ty-ban-ghi-salesforce-bi-danh-cap-dau-an-cua-nhom-scattered-lapsus-hunters.18836/" target="_blank" rel="noopener noreferrer">https://whitehat.vn/threads/hon-1-ty-ban-ghi-salesforce-bi-danh-cap-dau-an-cua-nhom-scattered-lapsus-hunters.18836/</a></i></div>