Salesforce Customers in Dyre Straits After Malware Warning

Cloud giant has been forced to warn customers that remote access trojan (RAT) malware known as Dyre may be targeting their PCs to steal log-in credentials.

The SaaS pioneer noted in an advisory that one of its “security partners” had raised the alarm last Wednesday.

Dyre, also known as Dyreza, is more commonly associated with targeting financial institutions.

“We currently have no evidence that any of our customers have been impacted by this, and we are continuing our investigation. If we determine that a customer has been impacted by this malware, we will reach out to them with next steps and further guidance,” the note continued.

“This is not a vulnerability within Salesforce. It is malware that resides on infected computer systems and is designed to steal user log-in credentials and resides on infected customer systems.”

Salesforce recommended its customers approach their IT security function to make sure current anti-malware defenses can deflect Dyre.

It added:

“If you believe you have been impacted by this malware and would like assistance from, please open a security support case at, selecting security as the product topic, and our team will work with you to investigate this issue.”

The on-demand software player also recommended customers make use of several existing features in its platform, including 'IP Range Restrictions' to ensure users can only log-in from corporate networks or VPNs; and two-factor authentication via the Salesforce app and SMS Identity Confirmation feature.

Jérôme Segura, senior security researcher at Malwarebytes, warned that this could be the first of many attacks aimed specifically at SaaS customers, as third party online software becomes increasingly mission-critical for businesses.

 “Banking credentials are still the bread-and-butter for the majority of cyber-crooks because they can be immediately used,” he added.

“But the data harvested from many SaaS applications also holds a tremendous value for those willing to invest the time to dig in and find bits of information that could lead to a large compromise in a top-tier business.”

A “healthy balance” of end-user education about phishing plus “proper end point security” will help mitigate the risk of attack.

“Data exfiltration is one the most important issues of 2014 with a growing number of businesses being affected,” Segura said. “The effects on companies’ brands and trust of their customers can be very damaging and long lasting, not to mention the potential lawsuits that often follow.”

However, Adallom vice president of strategy Tal Klein claimed that the threat is “almost completely impotent with regard to Salesforce.”

“Since the package contains a list of URLs being targeted, it looks like the creators of this variant simply added URLs to the target list because it was easy – but unlike banking credentials, we’re not currently aware of any cybercrime stores selling credentials, which is a telling indicator,” the firm added in a blog post.

What’s Hot on Infosecurity Magazine?