Businesses that use Salesforce.com are being warned that they could be targets of a malware attack.
The customer relationship management software provider announced this week that the Dyre malware, which in the past has typically targeted customers of large financial institutions, may now be targeted at Salesforce users.
The Dyre malware, also known as Dyreza, is designed to bypass Secure Sockets Layer (SSL) encryption in order to steal user login credentials.
"We currently have no evidence that any of our customers have been impacted by this, and we are continuing our investigation," Salesforce representatives wrote in a security advisory on the company's website. "If we determine that a customer has been impacted by this malware, we will reach out to them with next steps and further guidance."
Despite the possible breach, the company is stressing that this is not a weakness within Salesforce, but rather malware that is originating from its users' own computers. According to security website Phishme.com, the Dyre malware is being spread via phishing emails. When these emails are opened, the malware is spread via a .ZIP file.
But Michael Kantarovich, co-founder and vice president of products for Skyfence, which automates visibility and control over cloud applications, said malware like this isn't necessarily spread only by phishing emails. [Execs Watching Porn a Leading Cause of Malware Problems ]
"Technologically speaking, it doesn't matter how it does it," Kantarovich told Business News Daily. "You may download it from the Internet without even knowing it."
Once a computer or system is infected, hackers can easily steal a user's credentials and use them whenever they want, Kantarovich said.
"They are really after the credentials, and once they get [them], they have the keys to the kingdom," Kantarovich said. "They can access everything."
To help businesses avoid becoming victims of this malware attack, Salesforce is advising its customers to take several steps:
- Work with your IT security team to validate that your anti-malware solution is capable of detecting the Dyre malware.
- Activate IP Range Restrictions to allow users to access salesforce.com only from your corporate network or virtual private network.
- Use SMS Identity Confirmation to add an extra layer of login protection when Salesforce credentials are used from an unknown source.
- Implement Salesforce#, which provides two-step verification, an additional layer of security. The app is available via the Apple App Store or Google Play store.
- Leverage Security Assertion Markup Language (SAML) authentication capabilities to require that all authentication attempts be sourced from your network.
Salesforce is encouraging businesses that believe they have already been infected with the Dyre malware to open a security support case on its website at help.salesforce.com. Salesforce representatives will then work with businesses to investigate the situation.
Although Salesforce is the current target of the Dyre malware, all businesses should be aware of it because it could easily spread to other types of cloud applications, Kantarovich said.
"Salesforce just happens to be the most popular one, but there are many other applications — such as Office 365, Amazon and many others — which hold sensitive information, and they will be targeted exactly in the same way," he said. "If you have a simple malware that you can spread out easily and infect multiple endpoints, it is very easy as a hacker to create multiple permutations to attack different domains."
Knowing that this type of malware could possibly spread elsewhere, businesses must ensure they are not only securing their Salesforce application, but all of their cloud applications, Kantarovich said.
In addition to using IP restrictions and multifactor authentications, businesses should consider a comprehensive solution to protect all of its cloud applications, Kantarovich said. These products can obtain details on the locations from which users log in to cloud applications, as well as the devices they typically use, in order to detect login anomalies and malicious users.
Originally published on Business News Daily.