Salesforce: Oh no! Dyre RATs are thirsty for our customers' logins
But attacks weren't the cause of server outage, we're told
Salesforce has warned that miscreants are trying to infect its customers with a remote access trojan (RAT) dubbed Dyre that siphons off Salesforce.com login data.
"On September 3, 2014, one of our security partners identified that the Dyre malware (also known as Dyreza), which typically targets customers of large, well-known financial institutions, may now also target some Salesforce users," an advisory states.
"We currently have no evidence that any of our customers have been impacted by this, and we are continuing our investigation. If we determine that a customer has been impacted by this malware, we will reach out to them with next steps and further guidance."
The advisory points out, correctly, that this isn't a flaw in Salesforce's software per se: the malware, which had previously targeted online banking, is now being turned against the cloudy CRM firm's customers. Once it's installed on a Windows PC, usually via a phishing attack, the software nasty watches data sent from web browsers – even data bound for SSL-encrypted sites, which it grabs inside the browser before encryption – and siphons it off to its masters.
Salesforce recommends that users make sure the malware's signature is added to their antivirus software, and that IT admins restrict the IP address ranges from which users may log into Salesforce. Adding two-factor authentication is also suggested.
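The login IP restriction is the control that blunts a credential-stealing trojan most directly: a password (and even a one-time code) lifted from a victim's browser is useless if it is replayed from a machine outside the allowed ranges. The check below is an added illustration of that logic, not Salesforce's code; the corporate ranges, user names and login events are all constructed for the example (they use RFC 5737/3849 documentation address space), and the evaluation order (source IP first, then password, then second factor) is an assumption.

```python
"""Login-source allowlist plus second-factor check (added example, not Salesforce code).

Every range, user and login event below is constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Hypothetical corporate egress ranges an admin would allowlist (assumption).
ALLOWED_RANGES: List[Network] = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),   # only .0 - .127
    ipaddress.ip_network("2001:db8:1::/48"),
]


@dataclass(frozen=True)
class LoginAttempt:
    user: str
    source_ip: str
    password_ok: bool   # credential matched (true even when it was stolen)
    mfa_ok: bool        # second factor satisfied


def source_allowed(source_ip: str, ranges: Iterable[Network]) -> bool:
    """True if source_ip parses and falls inside any allowlisted range.

    Unparseable input is treated as outside the allowlist (fail closed);
    an IPv4 address is never 'in' an IPv6 network and vice versa.
    """
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return any(addr in net for net in ranges)


def evaluate(attempt: LoginAttempt, ranges: Iterable[Network] = ALLOWED_RANGES,
             require_mfa: bool = True) -> str:
    """Return 'allow' or a 'deny: <reason>' verdict for one login attempt.

    The IP check runs first so a stolen password replayed from attacker
    infrastructure is refused before the password or OTP is even examined.
    """
    if not source_allowed(attempt.source_ip, ranges):
        return "deny: source IP outside allowlist"
    if not attempt.password_ok:
        return "deny: bad password"
    if require_mfa and not attempt.mfa_ok:
        return "deny: second factor missing"
    return "allow"


# Constructed login events: a legitimate user, the same stolen credentials
# replayed from an attacker host, a /25 boundary case, a missing second factor,
# an IPv6 office client and a malformed source field.
SAMPLE_ATTEMPTS: List[LoginAttempt] = [
    LoginAttempt("alice", "203.0.113.10", True, True),
    LoginAttempt("alice", "192.0.2.45", True, True),      # replay from outside
    LoginAttempt("bob", "198.51.100.200", True, True),    # just past the /25
    LoginAttempt("carol", "198.51.100.50", True, False),  # no second factor
    LoginAttempt("dave", "2001:db8:1::42", True, True),
    LoginAttempt("eve", "not-an-ip", True, True),
]


def triage(attempts: Iterable[LoginAttempt] = SAMPLE_ATTEMPTS,
           ranges: Iterable[Network] = ALLOWED_RANGES) -> List[Tuple[str, str, str]]:
    """Evaluate a batch of attempts; returns (user, source_ip, verdict) rows."""
    return [(a.user, a.source_ip, evaluate(a, ranges)) for a in attempts]


if __name__ == "__main__":
    for user, ip, verdict in triage():
        print(f"{user:6} {ip:20} {verdict}")
```

Note that the second `alice` entry carries a correct password and a satisfied second factor, which is exactly what a form-grabbing trojan hands its operator, and it is still refused because of where it comes from; the `bob` entry shows why admins should double-check prefix lengths before trusting the allowlist.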
Sources familiar with the matter said that the malware was not a factor in the outage Salesforce suffered on Friday. That incident has now been resolved, and Salesforce's status page shows all instances working as they should.
What is curious about the warning is the motive for trying to get at Salesforce's customers using the Dyre malware. The sophisticated code, first discovered in June, tried to crack two-factor authentication and conduct man-in-the-middle attacks to hijack victims' accounts, but has almost exclusively targeted the lucrative banking sector.
It could be that persons unknown have bought a copy of the malware and are using it for a CRM-specific attack. If so, that would be an unpleasant first for the firm, and one that could have very negative consequences for its image. ®