A new computer Trojan may be targeting clients of Salesforce.com, the company announced in a security warning posted on its Web site. The malware, known as Dyre or Dyreza, appears to be a variation of the previously known Zeus Trojan, which had been known to target banking Web sites in search of financial accounts.
According to Salesforce, the threat was discovered by one of its security partners on Sept. 3. The malware resides on infected customer systems and is designed to steal user log-in credentials.
Spreading Beyond Financial Institutions
The company said it was making the announcement as a precautionary measure.
“We currently have no evidence that any of our customers have been impacted by this, and we are continuing our investigation,” Salesforce said in its warning. “If we determine that a customer has been impacted by this malware, we will reach out to them with next steps and further guidance.”
Dyre is a remote access Trojan. The malware works by bypassing SSL encryption, allowing the program to steal log-in credentials, and it is designed to scrape business data from infected accounts. The Zeus variant was first identified in June, when security researchers warned that the Trojan had found a way to bypass Web encryption and had used that ability to attack Bank of America, Citibank, NatWest, RBS and Ulster Bank.
The threat does not appear to be limited to Salesforce. On the contrary, other cloud service providers are likely equally vulnerable to a Dyre attack. Nor is this the first time Salesforce has been targeted by such an attack: in February, the customer relationship management system provider was targeted by another Zeus variant that managed to steal corporate data through a user who had logged onto the service from an infected system.
Two-Step Authentication Recommended
Salesforce recommended that clients take the following precautions: activate IP Range Restrictions so that users can access the Salesforce site only from the client’s corporate network or VPN; use SMS Identity Confirmation to add an extra layer of log-in protection when Salesforce credentials are used from an unknown source; implement the company’s 2-step verification process, which is available as an app via the iTunes App Store or Google Play for Android devices; and use SAML authentication to require that all authentication attempts be sourced from client networks.
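To show why these controls blunt a credential stealer, the following added example (not Salesforce’s code) models the first two recommendations against a constructed batch of login records: IP Range Restrictions block any login from outside the corporate ranges, while Identity Confirmation lets an outside login through only if a second factor was completed. The record field names and the CIDR ranges are assumptions, not the real Salesforce login-history schema.

```python
import ipaddress

# Constructed sample login records; field names are an assumption, not the
# real Salesforce login-history schema. Addresses are RFC 5737 documentation ranges.
SAMPLE_LOGINS = [
    {"user": "alice@example.com", "ip": "203.0.113.25", "second_factor": False},  # office, password only
    {"user": "alice@example.com", "ip": "198.51.100.7", "second_factor": False},  # unknown host, password only
    {"user": "bob@example.com",   "ip": "192.0.2.130",  "second_factor": True},   # outside VPN range, passed 2FA
    {"user": "bob@example.com",   "ip": "not-an-ip",    "second_factor": False},  # malformed record
]

# Constructed placeholder for a customer's corporate network and VPN egress ranges.
CORP_RANGES = [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("192.0.2.0/25")]


def from_corporate_network(ip, ranges=CORP_RANGES):
    """True if ip lies in one of the allowed ranges; a malformed address counts as outside."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ranges)


def evaluate_login(rec, ranges=CORP_RANGES, ip_restriction=True):
    """Apply one of the two controls the article lists.

    ip_restriction=True  models IP Range Restrictions: anything outside the ranges is blocked.
    ip_restriction=False models Identity Confirmation / 2-step verification: outside-range
                         logins are allowed only when a second factor was completed.
    Returns 'allow', 'block' or 'challenge'.
    """
    if from_corporate_network(rec["ip"], ranges):
        return "allow"
    if ip_restriction:
        return "block"
    return "allow" if rec["second_factor"] else "challenge"


def summarize(records, **policy):
    """Count outcomes across a batch of login records under one policy."""
    counts = {"allow": 0, "block": 0, "challenge": 0}
    for rec in records:
        counts[evaluate_login(rec, **policy)] += 1
    return counts


if __name__ == "__main__":
    # A password-only login from an unknown host (how stolen credentials are typically
    # used) is blocked under IP restriction and challenged under identity confirmation.
    print("IP Range Restrictions:   ", summarize(SAMPLE_LOGINS))
    print("Identity Confirmation:   ", summarize(SAMPLE_LOGINS, ip_restriction=False))
```

Under either policy the stolen-password login from 198.51.100.7 never reaches the account unchallenged, which is the property Salesforce’s advice is meant to provide.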
“We recommend you work with your IT security team to validate that your anti-malware solution is capable of detecting the Dyre malware,” the company wrote on its Web site. Clients who believe they have been impacted by the malware are advised to contact security support. The company also recommends that Dyre’s signature be added to anti-virus software.
The Trojan typically spreads through phishing attacks. Once installed on a Windows machine, the program searches data sent from the machine’s browsers and transmits it to the attacker. According to a report by The Register, the potential infection is unrelated to Salesforce’s outage last Friday.