"On September 3, 2014, one of our security partners identified that the Dyre malware (also known as Dyreza), which typically targets customers of large, well-known financial institutions, may now also target some Salesforce users," the company said in a statement.
"This is not a vulnerability within Salesforce," the company noted. "It is malware that resides on infected computer systems and is designed to steal user log-in credentials and resides on infected computer systesm."
All users are advised to work with their IT security teams to ensure that their anti-malware solutions are capable of detecting the malware. Salesforce.com is also recommending that all users leverage the following platform security capabilities:
- Activate IP Range Restrictions to allow users to access salesforce.com only from your corporate network or VPN
- Use SMS Identity Confirmation to add an extra layer of login protection when salesforce credentials are used from an unknown source
- Implement Salesforce#, which provides an additional layer of security with two-step verification.
- Leverage SAML authentication capabilities to require that all authentication attempts be sourced from your network
The Salesforce.com alert also links to a recent eSecurity Planet article on the discovery of the Dyre or Dyreza malware, which offers advice on mitigating the threat.
Malwarebytes senior security researcher researcher Jerome Segura noted by email that Dyre usually infects users through social engineering -- usually an email containing a malicious attachment. "Once on the system, the malware can act as a man-in-the-middle and intercept every single keystroke," he said.
Segura added that Salesforce.com's warning could herald a new trend of hackers targeting software-as-a-service (SaaS) users. "Banking credentials are still the bread-and-butter for the majority of cyber crooks because they can be immediately used," Segura said. "But the data harvested from many SaaS applications also holds a tremendous value for those willing to invest the time to dig in and find bits of information that could lead to a large compromise in a top-tier business."
And Neohapsis security consultant Patrick Thomas said by email that targeting SaaS users is a logical next step for this type of malware. "Often, compromising a computer is a means to an end: criminals really want the data that lives on them," he said. "As individuals and companies move more of their data to the cloud, credentials to the critical cloud services we rely on become more valuable and more of a target."
"The compromise and collapse of CodeSpaces back in June demonstrates how critical third party cloud vendors have become to our business models," Thomas added. "Organizations should make sure to incorporate these services into their security thinking: while the technology may not be on the premises, it is just as important to consider traditional concerns about risk, strong authentication, and auditing."
"Critical cloud accounts should require two factor authentication as a matter of course," Thomas noted.