The Dyre malware, which was discovered in June targeting a number of banks and other financial institutions, now appears to be setting its sights on Salesforce, with the company informing customers the virus has been attempting to steal log-in credentials.
The SaaS vendor stresses this is not a flaw with Salesforce itself but rather a type of malware that impacts infected end-user machines. It initially infects users through some sort of social engineering, such as a malicious attachment, and once in the system it is able to record every single keystroke.
Salesforce has issued a list of recommendations for customers to minimise their risk from Dyre and says it currently has no evidence of any users being impacted.
The company is urging firms to ensure their anti-virus software is capable of detecting Dyre and recommends activating IP range restrictions so the platform is only accessible from a corporate network or VPN. Additionally, it says customers should use SMS verification and the Salesforce# smartphone application for additional protection.
Dyre is a form of Remote Access Tool (RAT) malware that originally targeted the likes of RBS, Natwest and Bank of America. It was able to steal login details and circumvent SSL encryption and two-factor authentication through a technique known as “browser hooking.”
Researchers at Malwarebytes say banking will always be the primary focus for such malware, but add that the rise in cloud-based applications can be particularly valuable for a hacker willing to invest the time, as such attacks could compromise a large business. The security firm suggests Dyre’s new focus could herald a new kind of attack, one that goes for SaaS users.
“There is no silver bullet to defend against these threats but once again a healthy balance of end-user education about phishing scams and proper end-point security solutions will go a long way,” say the researchers. “Data exfiltration is one of the most important issues of 2014 with a growing number of businesses being affected.
“The effects on companies’ brands and trust of their customers can be very damaging and long lasting, not to mention the potential lawsuits that often follow.”
Salesforce adds that any customer who fears they may have been impacted should open a security support case with its team.