Salesforce.com this week notified its customers that the Dyre malware, which typically targets customers of large financial institutions, might have been tweaked to target some Salesforce users as well.
There was no evidence that any Salesforce customers had been impacted, the company said, but if any customer should be affected, it would provide guidance.
Salesforce emphasized the malware was not exploiting any vulnerability within its system. Dyre resides on infected computer systems and steals user log-in credentials.
“Cloud providers take responsibility for protecting their applications from downtime and service-wide security breaches — not for security of user credentials and data, which remain the responsibility of the enterprise,” BitGlass CEO Nat Kausik told CRM Buyer.
Why Salesforce?
It is not surprising that a malware writer would target a cloud-based CRM system, said Ken Westin, security analyst for Tripwire.
They are optimal targets because they are easily accessed online and contain a great deal of information about a range of businesses, he told CRM Buyer.
“Downloading a customer list is an excellent start to a successful spearphishing campaign,” Westin noted. “All the information necessary to write an email that looks like it came from a trusted source is included in these databases.”
Other reasons include gaining access to sensitive business information, such as marketing campaigns, with the intent of selling it.
Salesforce’s Response
Salesforce is handling the possible threat to its customers by the book, said David Pack, director of LogRhythm.
“Since the malware in question resides on users’ endpoints, completely outside of Salesforce’s control, they certainly could have made the case that it’s not their problem,” he told CRM Buyer.
Instead, “they have been proactive in notifying the community of the threat, have provided guidance outlining ways to mitigate the threat, and have stated that they will notify customers if they suspect an actual compromise has happened. In short, they are sharing information, providing clear mitigation strategies, and committing to continued focus on their customer’s security.”
A Wake-Up Call
The incident is a wake-up call for cloud service providers and the companies that use them, said Kevin Jones, senior information security architect for Thycotic.
“Any business using cloud-based services needs to gain better control and visibility into activity around user credentials,” he told CRM Buyer. “Those credentials need to be changed often, using best security practices. IT needs to be able to manage passwords automatically, so they know when they’ve been changed, who in the organization is using them, and most of all, when they’ve been compromised.”
Also, IT should be educating staff on what phishing sites and emails often look like in order to mitigate future risk, Jones added.
“Often, IT or technically savvy IT admins take it for granted that a bank or a vendor would never email you asking for your password. Don’t assume that everyone in your organization knows this.”
That is not to say the cloud is on the brink of becoming a dangerous place for companies.
“Cloud security is improving all the time, with encryption of the stored data, two-factor authentication mechanisms, and intelligent monitoring systems that can identify activities that are aberrant,” Scott Chate, VP with Corent Technology told CRM Buyer.
“However, the cybercriminals are also reacting to every advance with new techniques and exploits of inevitable bugs,” he noted. “It’s a war where the enemy is largely unseen and hard to identify, as they are often far away in other jurisdictions.”