In a post on its help site, Salesforce has announced a security alert for the Dyre malware. While Salesforce states that its own systems are not infected, it asks users to be vigilant and is investigating further whether any customers have been affected.
In the post Salesforce says “On September 3, 2014, one of our security partners identified that the Dyre malware (also known as Dyreza), which typically targets customers of large, well-known financial institutions, may now also target some Salesforce users. “
While Salesforce maintains there’s “no evidence that any of our customers have been impacted by this,” they are at least investigating and if they “determine that a customer has been impacted by this malware, we will reach out to them with next steps and further guidance.”
As a first step, Salesforce suggests users work with their IT security teams to check that their anti-malware solution is capable of detecting the Dyre malware. It also suggests that businesses:

- Activate IP Range Restrictions to allow users to access salesforce.com only from the corporate network or VPN.
- Use SMS Identity Confirmation to add an extra layer of login protection when Salesforce credentials are used from an unknown source.
- Implement Salesforce#, which provides an additional layer of security with 2-step verification. The app is available via the iTunes App Store or via Google Play for Android devices.
- Leverage SAML authentication capabilities to require that all authentication attempts be sourced from your network.

Commenting on the potential breach, Bob West, Chief Trust Officer at cloud security firm CipherCloud, said: “Dyre’s jump from the world of banking into the world’s largest CRM cloud reminds us that sensitive customer information is as valuable to cyber criminals as money. The malware targets user names and passwords and underscores the point that authentication alone is not enough. Personally identifiable information, research and development, account numbers and other sensitive information must be protected to minimise the impact of a breach. Encrypting information for cloud services and access monitoring can play a crucial role in proactively protecting information from unauthorised entities.”
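The IP range restriction Salesforce recommends above is a preventive control; the same allow-list is also useful retrospectively, because a malware family that steals credentials tends to show up as successful logins from addresses outside the corporate network or VPN. The following added example (not from the article, Salesforce or CipherCloud) audits a login-history export against a set of trusted CIDR ranges and flags successful logins from anywhere else. The CSV column layout, the sample rows and the allowed ranges (drawn from the RFC 5737 documentation networks) are all constructed for the example and are not a real Salesforce export format.

```python
import csv
import io
import ipaddress

# Constructed allow-list of trusted egress ranges (hypothetical values from the
# RFC 5737 documentation networks; replace with the office and VPN ranges that
# are also configured as Login IP Ranges in Salesforce).
ALLOWED_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),   # office egress (placeholder)
    ipaddress.ip_network("198.51.100.0/25"),  # VPN concentrator egress (placeholder)
]

# Constructed sample of a login-history export. The column names and layout
# are assumed for this example, not a real Salesforce export.
SAMPLE_LOGIN_HISTORY = """\
username,login_time,source_ip,status
alice@example.com,2014-09-03T08:12:44Z,203.0.113.45,Success
bob@example.com,2014-09-03T08:15:02Z,198.51.100.77,Success
carol@example.com,2014-09-03T09:01:19Z,192.0.2.10,Success
dave@example.com,2014-09-03T09:05:33Z,198.51.100.200,Success
erin@example.com,2014-09-03T09:30:00Z,not-an-ip,Failed
"""


def is_allowed(ip_text, ranges=ALLOWED_RANGES):
    """Return True if ip_text lies inside any allowed network.

    Anything that does not parse as an IPv4/IPv6 address is treated as not
    allowed, so a malformed field is surfaced rather than silently skipped.
    """
    try:
        addr = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return False
    return any(addr in net for net in ranges)


def find_out_of_range_logins(csv_text, ranges=ALLOWED_RANGES):
    """Parse a login-history CSV and return (username, login_time, source_ip)
    for every *successful* login whose source address is outside the allowed
    ranges. Failed attempts are ignored here because the question being asked
    is "which accounts were actually used from an untrusted location?"
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["status"] != "Success":
            continue
        if not is_allowed(row["source_ip"], ranges):
            findings.append((row["username"], row["login_time"], row["source_ip"]))
    return findings


def summarize_by_user(findings):
    """Collapse findings into {username: [source_ip, ...]} so that an analyst
    can see at a glance which accounts need a credential reset and follow-up."""
    by_user = {}
    for username, _login_time, source_ip in findings:
        by_user.setdefault(username, []).append(source_ip)
    return by_user


if __name__ == "__main__":
    hits = find_out_of_range_logins(SAMPLE_LOGIN_HISTORY)
    for username, login_time, source_ip in hits:
        print(f"{login_time} {username} logged in from untrusted address {source_ip}")
    print("accounts to review:", summarize_by_user(hits))
```

Run against a real export, the accounts that appear in the summary are the ones to prioritise for a password reset and a check of the user's endpoint; a successful login from outside every trusted range after IP Range Restrictions are active also indicates that the restriction is not applied to that user's profile.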
The first signs of Dyre circulating on the Internet were seen by researchers back in June 2014. The malware is distributed via phishing emails in which the user is lured into clicking a link to ostensibly download a file, typically a zipped .exe or .scr file. Once installed, the malware uses a browser hooking technique to intercept traffic before it is encrypted and redirects it to a website other than the one the user intended.