The Digital Operational Resilience Act (DORA) is a European Union regulation crafted to boost the operational resilience of financial institutions. It ensures they can withstand, respond to, and recover from ICT-related disruptions, including cyberattacks. It mandates rules for ICT risk management, incident reporting, resilience testing and third-party risk management (TPRM). The regulation applies as of 17 January 2025.
What’s the purpose of DORA?
DORA aims to ensure EU financial institutions can effectively manage and mitigate ICT risks, diminish the impact of cyber threats, and sustain business continuity during disruptions.
Who does DORA apply to?
DORA applies to the majority of financial institutions operating in the EU. It covers a broad spectrum of financial entities, such as banks, investment firms, payment service providers, insurance companies, and ICT third-party providers like cloud services that support financial institutions.
DORA’s ICT risk management framework mandates that a firm’s management body bears ultimate responsibility for managing ICT risks, setting and approving the digital operational resilience strategy, and approving policies related to the use of ICT Third Party Providers (TPPs), among other duties.
How does DORA change the current regulatory compliance?
There have been previous guidelines similar to DORA such as 2019 EBA Guidelines on ICT Security and Risk Management and the 2020 EIOPA Guidelines on ICT Security and Governance. However, as DORA is primary legislation, the level of supervisory scrutiny that firms are subject to is now increasing significantly.
Key requirements for financial entities:
ICT risk management: Financial entities must develop robust governance and control frameworks to manage ICT risks. This includes risk identification, protection measures, system monitoring, and incident recovery.
Incident reporting: Entities are required to report significant ICT-related incidents to authorities to enhance oversight and facilitate a coordinated sector response.
Testing and audits: Regular testing, including penetration tests and security audits, is mandatory to identify and address vulnerabilities.
Third-party risk management: Financial institutions must ensure that third-party ICT providers adhere to equivalent standards, including conducting thorough due diligence for outsourcing critical functions.
DORA compliance and Salesforce security
DORA mandates comprehensive oversight across critical business areas, focusing on firm management’s accountability for ICT risks. It includes crafting a digital operational resilience strategy and managing ICT Third Party Providers (TPPs). Breaches could lead to penalties enforced by competent authorities.
Salesforce is a cloud-based platform that is critical to many financial organizations and their operations. The financial entity will need to ensure that their use of Salesforce complies with DORA’s requirements regarding ICT risk management, third-party oversight, incident reporting, and testing.
As a leading CRM provider, Salesforce has already taken steps to ensure that the platform’s data governance aligns with DORA – along with other data protection regulations. Collaboration with partners like WithSecure™ is part of Salesforce’s commitment to trust and security according to Natalie Pope, Lead Solutions Engineer at Salesforce: “DORA is an important step in elevating our offerings to financial services customers, ensuring data and operational resilience are at the forefront their business goals and company ethos. Our collaboration with partners like WithSecure™ demonstrate Salesforce’s commitment to our number one value of trust, allowing us to offer robust and compliant solutions as part of a trusted digital infrastructure.”
Key actions to secure Salesforce and comply with DORA
New DORA regulation impacts all SaaS products, including Salesforce. When it comes to Salesforce security and risk management, financial institutions should take action in the following areas:
Set up ongoing auditing practices to continually assess security risk related to Salesforce and other services connected to it. Implement proper security measures to remediate any gaps.
Develop and refine incident management strategies to ensure prompt detection, reporting and resolution of issues. Implement security measures directly for Salesforce that support your strategy.
Review and update contracts with ICT providers to meet DORA standards.
In which Salesforce DORA obligations can WithSecure™ Cloud Protection for Salesforce help
WithSecure™ Cloud Protection for Salesforce stops malware and phishing threats on Salesforce in real-time. It helps financial organizations meet their DORA obligations on Salesforce in the following areas:
DORA mandate for incident reporting:“Financial entities shall report major ICT-related incidents to the relevant competent authority”, “Financial entities shall produce, after collecting and analysing all relevant information, the initial notification and reports referred to in paragraph 4 of this Article using the templates referred to in Article 20 and submit them to the competent authority. In the event that a technical impossibility prevents the submission of the initial notification using the template, financial entities shall notify the competent authority about it via alternative means.” (Chapter 19, Article 1)
DORA mandate for detection capabilities:“Financial entities shall devote sufficient resources and capabilities to monitor user activity, the occurrence of ICT anomalies and ICT-related incidents, in particular cyber-attacks.” (Chapter 2, Article 10)
DORA mandate for incident management: “Financial entities shall define, establish and implement an ICT-related incident management process to detect, manage and notify ICT-related incidents.” (Chapter 17, Article 1)
How WithSecure™ Cloud Protection for Salesforce helps financial organizations meet their DORA obligations
WithSecure™ Cloud Protection for Salesforce helps financial institutions detect anomalies such as malware and phishing threats on Salesforce. It provides real-time monitoring capabilities into cyber threats and incidents across the Salesforce environment. It empowers financial institutions with automated threat remediation capabilities, along with prompt alerts.
WithSecure™ Cloud Protection for Salesforce’s native reporting features support incident reporting to authorities, as mandated by DORA. Reports offer vast details about the threat, who has interacted with it, and when. This not only enables sufficient reporting to authorities, but also speeds up incident management process significantly. Without the reporting tools with full event logs and forensics trails, investigating a malware outbreak is costly and time consuming.
While remediating the immediate threat of malware, solutions like Cloud Security Access Brokers (CASBs) can introduce more risk by adding vulnerable integrations and data flows to the mix. For this reason, we built the natively integrated, minimally vulnerable and simplified AntiVirus and AntiPhishing solution WithSecure™ Cloud Protection for Salesforce. With this simplified and seamless approach, financial institutes can mitigate risk without invertedly adding more in the process. You can deploy the native security layer in minutes and strengthen your compliance instantly.
WithSecure™ Cloud Protection for Salesforce is built with 30+ years of cyber security experience in close collaboration with Salesforce. The solution has achieved ISAE 3000 Type 2 certification (international equivalent to SOC 2 Type 2), and WithSecure™ is ISO 27001 certified, proving the resilience of operations in accordance with DORA’s third-party risk management agenda.
Ensure Salesforce DORA compliance
Protect your Salesforce environment against advanced ransomware and phishing attacks in real-time. Natively integrated WithSecure™ Cloud Protection for Salesforce is up and running in minutes. Comprehensive reporting capabilities help you meet DORA incident reporting requirements.
Tailored for high compliance sectors, our certified solution safeguards Salesforce clouds for global enterprises, including finance, healthcare, and the public sector.
Support from our experts with setup and configurations
Phishing is not confined to email but is a pervasive threat across our digital infrastructure. Salesforce, with its extensive cloud applications and public-facing nature, is emerging as a prime target for such cyber threats. Comprehensive phishing defenses should include Salesforce as an attack vector.
Phishing attacks have evolved but so have email defenses
While 41% of cyber attacks use phishing tactics, an alarming 26% of these attacks now exploit public-facing applications (like Salesforce), according to IBM’s report. Furthermore, 16% of phishing attacks misuse valid accounts.
Email, the traditional stronghold against phishing, has long been hardened through anti-malware and anti-phishing tools combined with consistent user education, with many providers offering built-in defenses and organizations adopting phishing simulation training. These measures have significantly heightened user vigilance and reduced the click rates on malicious emails.
How Salesforce becomes the entryway for cyber criminals
Salesforce serves as a central hub for diverse interactions across Sales, Service, and Experience Clouds, presenting multiple avenues for cyber threats. Each user interaction, whether from internal or external sources, could potentially introduce malicious content. Salesforce is vulnerable to the same types of attacks that have plagued email for decades.
Internal users frequently engage in routine activities like uploading documents and sharing URLs. For example, a sales representative might attach a contract embedded with malware in Sales Cloud, or a support agent may inadvertently attach a compromised troubleshooting guide in Service Cloud. Similarly, community managers in Experience Cloud might share links that lead to malicious sites.
The risk also involves unauthenticated users such as customers or potential leads who upload attachments in support cases or via Web-to-Lead forms. These necessary business interactions, if unchecked, provide easy entry points for cybercriminals.
Furthermore, authenticated users on Experience Cloud portals often share significant project files or access collaborative spaces, unintentionally spreading malware. The integration of APIs, which connects Salesforce with external systems like ERP software or tools like Slack, adds another layer of vulnerability. Each data transfer across these connections is a potential breach point.
Salesforce security falls short of email security standards
However, the security measures guarding Salesforce have not evolved at the same pace. There are no built-in anti-virus, anti-phishing, or basic spam filters that are standard in email services. This oversight leaves an obvious hole in cybersecurity strategies.
“Salesforce, often overlooked as an attack vector, presents a significant vulnerability in too many cyber security strategies,” notes Anssi Korpilaakso, Director of Sales and Business Operations at WithSecure™. “Our product backend has registered a steady increase in malware and phishing detections on Salesforce in the recent years.”
Salesforce users typically perceive Salesforce as a trusted tool, and are less likely to anticipate or recognize a phishing attack on the platform compared to email. This sense of trust is exactly what attackers who use psychological phishing schemes exploit.
Email: lessons for multi-layered Salesforce security
As cyber criminals continue to refine their strategies and target systems beyond traditional attack vectors like email, organizations must protect every entry point, including Salesforce. Learning from the widely adopted email security measures and applying these lessons to Salesforce helps fortify your digital infrastructure against dynamic cyber threats.
To tackle phishing effectively, you must adopt a multi-layered defense strategy that goes beyond email and encompasses Salesforce, your business critical platform. Here’s how you can start:
User training: Just as with email, the first line of defense is user awareness. Training users to recognize phishing attempts in Salesforce is crucial, as the platform’s familiar and trusted environment may lower their guard against suspicious activities. Although user education is important, you should not expect your Salesforce users to act as phishing detectives.
Integrate real-time threat protection: Given the lack of built-in anti-phishing and anti-malware features in Salesforce, integrating advanced security solutions that can provide real-time threat protection is essential. Solutions like WithSecure™ Cloud Protection for Salesforce offer tailored security measures that fit seamlessly into Salesforce, enhancing security without disrupting user experience.
What to consider when choosing the solution
When selecting a threat protection solution for Salesforce, you should prioritize efficiency, comprehensive coverage, and advanced detection capabilities that match today’s sophisticated cyber threats. Considerations for calculated decision-making:
Prioritize solutions that add minimal complexity and avoid vulnerable integrations, focusing on native, straightforward security layers.
Choose solutions that protect not only internal users but also mitigate the risk of malware spreading to customers and partners interacting with Salesforce by scanning uploads and downloads across various user types.
Consider the evolving nature of threats, such as documents that contain latent phishing links, which may turn malicious after being uploaded to Salesforce, and after the initial scan at the point of upload. Opt for solutions that provide real-time protection, scanning content like files and URLs during all user interactions, not just at the point of upload.
Ensure the solution offers real-time scanning and advanced behavioral analysis to detect embedded malware in seemingly benign documents, moving beyond traditional signature-based methods.
Select solutions that encompass all Salesforce entry points, including custom objects in addition to standard objects, to ensure comprehensive coverage.
Look for deep detection capabilities that can scan for malicious phishing links not only in text and emails but also within files, detect phishing links hidden behind QR codes, and identify zero-day malware in files as well as known threats.
WithSecure™ Cloud Protection for Salesforce eliminates risk of human error in real-time
Robust security measures equivalent to enterprise-grade email security help you experience the full potential of Salesforce without hidden risks. WithSecure™ delivers an advanced antivirus and antiphishing solution tailored uniquely for Salesforce. Developed in collaboration with Salesforce, WithSecure™ Cloud Protection for Salesforce meets the stringent requirements of highly regulated industries and government entities. You get real-time defenses against malware, ransomware, viruses, and phishing attacks, along with full security visibility for threat hunting and incident response. Multi-layer scanning ensures that every entry and touchpoint – from the Sales Cloud negotiations to Service Cloud interactions and Experience Cloud engagements – is covered.
Native integration ensures rapid deployment and comprehensive security without disrupting your existing Salesforce workflows.
Don’t let human error become your vulnerability in Salesforce security – especially when there are straightforward technologies to mitigate the risk. Whenever you are ready to take the next step, our team is ready to guide you in your Salesforce security.
BOOK A DEMO
Secure your Salesforce today
Tailored for high compliance sectors, our certified solution safeguards Salesforce clouds for global enterprises, including finance, healthcare, and the public sector.
Support from our experts with setup and configurations
Parking scams using fraudulent QR codes have been wreaking havoc in popular tourist cities across Europe and North America recently. Have you ever considered that malicious QR codes could infiltrate your Salesforce? Read on to learn what QR code attacks look like, why Salesforce is an attractive target for them, and how you can stop them.
The rise of quishing
It’s not long since Police Service of Northern Ireland (PSNI) Cyber Crime Centre, posted a notice about malicious QR codes in phishing attacks. Quishing, or QR code phishing, involves the deceptive use of QR codes to lure unsuspecting individuals into visiting malicious websites. There they are tricked to reveal personal credentials, or unknowingly download malware. QR codes are used for everything from restaurant menus to ticket validations. At the the same time, cybercriminals have found ample opportunities for exploitation. Distinguishing between legitimate and fraudulent QR codes is difficult for human eyes. Fortunately, there are preventive security technologies – now also for Salesforce.
Examples of quishing attacks in the wild
A typical quishing email might mimic an official communication from a known corporation. It can for example urge the recipient to scan a QR code to handle something urgent, like reset a password or verify an account.
Another method involves embedding a QR code inside a seemingly innocent message related to work processes like payroll or security updates. One of the recent examples targeted a major energy company in the US with a campaign that imitated a Microsoft security notification.
On the other hand, scammers have also found ways to abuse QR codes scams in public spaces. Such example is the recent QR parking scam in popular tourist cities across UK. The scam involves malicious QR codes, often placed on parking meters, that direct users to phishing websites. Unsuspecting victims enter personal information, including payment details, under the guise of paying for parking. As a result, they potentially face double trouble with both financial fraud and a parking ticket.
10,000 victims have already fallen for the said parking scam in a matter of two months. Therat actors have launched similar campaigns across Europe, United states and Canada. These scams often target tourists who are not familiar with the local parking apps, thus easier to deceive.
The quishing attack kill-chain
In the digital world, quishing typically begins with a QR code sent via email or text. The recipient then scans the code with a mobile device. The victim is then redirected to a harmful site.
The phishing site typically mimics a legitimate business resource, login page, or document portal. The page then prompts the employee to enter their credentials or download a file.
By entering their credentials, employees inadvertently provide attackers with access to their corporate accounts. Attackers can use the credentials to harvest sensitive information or launch an attack within the organization.
The process capitalizes on the established trust in QR codes. QR codes are handy to roll out covert operations. Quishing attacks are often harder to detect than traditional phishing attacks, or ones with the malicious link plainly imbedded in the message text. As these codes simply appear as nondescript, benign images, they bypass usual text-based URL scans implemented by most email and collaboration security systems.
QR code phishing tactics:
Integration in familiar platforms: Quishing often uses popular platforms to reach a broad audience, and to exploit trusted services and brand names to increase the success rate of attacks.
Sophistication in execution: By embedding malicous QR codes within messages, attackers can bypass conventional security measures which might not scan URLs embedded in images.
The psychological play: The decision to scan a QR code often happens impulsively, thanks to the established norm of their use in safe contexts. This impulsivity is what quishers count on, reducing the victim’s likelihood of pausing to consider the potential dangers.
What makes QR code phishing especially tricky on Salesforce
All in all, malicious QR codes pose a significant threat to enterprises, and when delivered through platforms like Salesforce, they can be particularly effective and damaging. Here’s why Salesforce is a lucrative vector for such attacks, and why you should secure your platform without delay:
High trust environment
Users view Salesforce as a trusted platform for daily tasks in sales management, and customer support. Employees are less vigilant about scrutinizing communications received through this platform, assuming a baseline level of security and trust. This trust can make QR codes sent through Salesforce particularly effective as employees may be quicker to scan them without suspicion. The scam itself could even leverage Salesforce’s brand identity. QR codes also employ common and seemingly harmless image types, decreasing suspicions.
Widespread use in organizations
Especially large enterprises use Salefsorce widely, which provides a broad attack surface. Malicious QR codes distributed through Salesforce can potentially reach a large number of users quickly, making it the attackers dream.
Mobile device engagement
Salesforce is frequently accessed via mobile devices, which aligns well with the nature of QR code scanning. Mobile devices are often less secure than desktops, with users typically having weaker security controls and being more prone to overlook security prompts when they are on the move. If bring-your-own-device (BYOD) is allowed, the mobile device may be a personal unmanaged device, with even weaker security measures in place.
No antiphishing blocking the way
While Salesforce offers robust security features, there are no antiphishing capabilities by default. There likely is no layer of protection in the Salesforce environment to detect or prevent the distribution of malicious QR codes, opening a pathway for the attackers.
You need more than awareness to prevent Salesforce QR code quishing
While educating users about the potential threats of randomly scanning QR codes is without a doubt important, true prevention requires a multifaceted approach:
Advanced threat protection: You should implement antiphishing security solutions that can recognize and examine QR codes within Salesforce uploads, analyzing the linked URLs for malicious content before they reach end users.
Regular security audits: Incorporating QR code-based phishing into routine security audits and risk assessments helps identify and remediate security gaps. Make sure to ensure that Salesforce is covered thoroughly in security audits.
Limit access privileges: Although Salesforce has enforced multi-factor authentication for MFA for internal users, it’s wise to limit access rights to what a user’s role requires, and follow the least privilege approach.
Update software and configurations: Ensure all integrations are updated with the latest security patches, and verify that your antiphishing scanning solution is properly configured to detect malicious QR codes.
Limit use of BYOD: Some of the biggest vulnerabilities lie when employees use personal devices outside corporate security measures to access phishing sites that harvest account credentials.
Educate Salesforce users: Continuously educate users about the risks associated with QR codes, emphasizing the need for vigilance even when using trusted platforms like Salesforce.
Block malicious QR codes on Salesforce automatically
You need a blend of vigilance and advanced security solutions to prevent covert phishing tactics like quishing. Luckily you can protect your data and Salesforce users from these hidden scams behind simple scans. WithSecure™ Cloud Protection for Salesforce scans malicious URLs in Salesforce text fields, behind QR codes and within uploaded documents. Our AntiQuishing feature was built as a response to a real-life phishing attack that our enterprise customer faced, where Salesforce was the target of malicious QR codes.
Protect your Salesforce environment against advanced ransomware and phishing attacks in real-time. Natively integrated WithSecure™ Cloud Protection for Salesforce is up and running in minutes.
Tailored for high compliance sectors, our certified solution safeguards Salesforce clouds for global enterprises, including finance, healthcare, and the public sector.
Support from our experts with setup and configurations
This time our threat landscape focus is on ransomware and its implications for cloud services, specifically Salesforce. With attackers increasingly targeting cloud services and public-facing apps, and a 366% increase in malicious file detections on Salesforce in Q2 2024 compared to Q2 2023, ransomware is not a threat to be taken lightly in any Salesforce security strategy.
Cyber threat landscape shifts toward cloud and SaaS exploitation
Cyber threat landscape is seeing an increased focus on the cloud. Attackers have recently leveraged legitimate file transfer and cloud services to facilitate their operations more and more. These services offer a low-key and cost-effective infrastructure which tends not to trigger security alerts as some more traditional methods might.
Symantec’s Threat Hunter Team has recently identified three new espionage operations utilizing cloud services and has uncovered additional malicious tools in development:
GoGra (Trojan.Gogra): Targets a South Asian media organization using Microsoft’s Graph API for C&C communications via email, encrypting messages with AES-256. Developed in Go, active since November 2023.
Firefly Tool: Used by the Firefly group to exfiltrate data from a Southeast Asian military organization. It searches for and uploads .jpg files (actually encrypted RARs) from System32, using Google Drive.
Trojan.Grager: Targets entities in Taiwan, Hong Kong, and Vietnam, using Microsoft’s Graph API via OneDrive for C&C. Distributed through a Trojanized 7-Zip installer, linked to the UNC5330 group.
MoonTag: A developing backdoor associated with a Chinese-speaking actor, noted for its use of the Graph API and discussed in a Google Group.
Salesforce and SaaS applications are targets of UNC3944 threat group
Salesforce and SaaS are becoming more prevalent in the threat landscape. Google Threat Intelligence has observed the activities of UNC3944, a financially motivated threat group that has been active since at least May 2022, and has recently targeted SaaS applications. Initially focused on credential harvesting and SIM swapping, UNC3944 has since shifted to primarily conducting data theft extortion, expanding their target industries and utilizing fearmongering tactics for access. They’ve adapted their methods to include theft from SaaS applications to attacker-owned cloud storage and have employed various advanced techniques to facilitate their attacks.
UNC3944 accessed Salesforce among other SaaS applications using stolen credentials facilitated by single sign-on systems. They conducted reconnaissance within these platforms, likely targeting data for exfiltration, and using third-party cloud synchronization tools like Airbyte and Fivetran to transfer data to external cloud storage.
Key Tactics, Techniques, and Procedures (TTPs) of UNC3944:
Social engineering: They have successfully manipulated corporate help desks using victims’ personal information to gain access to privileged accounts and bypass multi-factor authentication (MFA).
Abuse of SaaS permissions: UNC3944 exploited permissions in applications like Okta to broaden their access within targets’ systems, encompassing both on-premises infrastructure and cloud-based applications.
Virtual machine compromise: The group has created new virtual machines using administrative privileges obtained through SSO applications, using them for subsequent malicious activities and to bypass traditional security controls.
The use of cloud services by attackers is becoming a preferred method for maintaining stealth and managing cost-effective operations. The attackers are learning from each other, adopting successful techniques across various espionage and cybercriminal groups. Extensive coverage of cloud and SaaS environments in security strategies has never been more critical.
Disney moves away from Slack after a data breach of 1 TB – likely caused by a human error
In a major data breach, Disney experienced a significant compromise of corporate data, possibly due to vulnerabilities on an employee’s personal gaming computer. This breach led to the downloading of over 1TB of data through Slack, which resulted in the suspension of the platform for internal communications.
Our team doesn’t have the forensics data of the case, but some experts claim that the breach was not a direct result of flaws in Disney’s or Slack’s systems. Instead, it allegedly occurred because an employee inadvertently installed a malware-infected game modification. This malware, an Information Stealer, captured credentials and accessed Slack, where it exploited the employee’s compromised computer. The lack of Multi-Factor Authentication (MFA) on the password vault allowed attackers to access vast amounts of sensitive data easily.
Some experts suspect that the attackers were helped by an insider, and others that the breach was a result of a general lack of defensive mechanisms at Disney’s end.
A teenager leveraged Slack and stole details about unreleased GTA 6 from the gaming company Rockstar in 2022. The attacker was sentenced to life.
In 2023, another threat actor exploited access to Slack channels to initiate a malware attack on MGM Resorts, a major global casino and resort.
Almost half of ServiceNow KB instances leak sensitive data
A study by AppOmni revealed that over the past year nearly 45% of ServiceNow Knowledge Base (KB) instances were leaking sensitive data, including personal identifiers, internal system details, and live system credentials. The culprit of these breaches were outdated or misconfigured access controls. This is possibly due to widespread misunderstanding of KB access controls or replicating misconfigurations across instances.
Despite ServiceNow’s 2023 security updates aimed at restricting unauthenticated data access, many of these updates were ineffective for KBs, which often contain highly sensitive internal data. The company has responded by collaborating with customers so that KB access control misconfigurations are fixed.
The disruption has led to a sharp decrease in the number of victims, with reported cases falling to single digits. Despite these setbacks, there have been notable attempts to revamp their operations. For example. they have made experimental changes to their data leak sites (DLS) and updates to their DDoS protections. These maneuvers suggest a strategic recalibration aimed at evading detection and sustaining their criminal activities.
Despite significant law enforcement interventions, the Lockbit group’s ability to adapt and attempt to rebuild its infrastructure is indicative of the resilience and persistence of modern ransomware operations. These groups are quick to learn from interventions, often emerging more sophisticated and harder to combat.
Ransomware-as-a-Service is the business model of cyber crime in 2024
The disruption on major ransomware groups has led to a reshuffling of ransomware affiliates, gravitating towards established Ransomware-as-a-Service (RaaS) networks. RaaS is a subscription-based model that enables affiliates to use pre-developed ransomware tools to execute cyberattacks. Similar to software-as-a-service (SaaS) offerings, RaaS providers offer their malicious software on a rental or commission basis, providing updates and support.
All in all, the professionalization of ransomware operations through RaaS models presents new challenges for cybersecurity defenses. These models facilitate a lower barrier to entry for inexperienced cybercriminals and enable rapid scaling of operations. The attraction of RaaS platforms has flooded in new ransomware variants, correspondingly calling for layered defense strategies.
New threats on the block: new groups form as old dismantle
Our research team has also witnessed the rise of new players such as Cicada3301, SenSayQ, and WikiLeaksV2. Each group has demonstrated distinct patterns of targeting and victimology, such as targeting financial software companies and leaking sensitive health sector data. With this in mind, these emerging groups underscore the dynamic nature of the ransomware ecosystem. They continually evolve with new tactics and targets.
The group dynamics are in a constant flux. For example, from the total number of 67 operational ransomware groups our research team has tracked in 2023, 31 have not been operational in Q2 2024. Our team has seen 31 new ransomware groups in 2024. It’s unlikely that many, if any of these projects will survive.
RansomHub’s fast advancement and aggressive affiliate strategy
RansomHub, a new extortion platform operational since early 2024 and believed to be based in Russia, has quickly established itself by offering lucrative terms to affiliates, significantly impacting the ransomware affiliate market. RansomHub is disrupting the RaaS field by letting affiliates accept payment from the victims directly, before sending their share to the RansomHub. What’s more, by allowing affiliates to keep a major portion of the ransom and only taking a small commission, RansomHub has managed to attract experienced groups like ScatteredSpider and members of Lockbit.
RansomHub’s operational capacity, threat level and the number of victims have consequently increased. According to our research team, RansomHub is in fact currently the most active platform observed in the field. In the same fashion, ZeroFox accounts the platform to be responsible for 14.2 % of all cyber attacks in Q3 2024. The majority of victims are in North America (39.4%) and Europe (34.3%). Victims are across diverse sectors, for example manufacturing, retail, healthcare, technology.
At the same time, CISA, along with the FBI, MS-ISAC, and HHS, issued a joint Cybersecurity Advisory on RansomHub Ransomware. This advisory offers network defenders key details such as indicators of compromise (IOCs), tactics, techniques and procedures (TTPs) tied to RansomHub, drawing on findings from recent FBI investigations and third-party reports.
RansomHub has been using sophisticated EDR-killing executable tooling. It disables endpoint detection and response (EDR) software and gains escalated privileges on compromised devices, while designed to bypass several common anti-malware tools. The malware has been found in many formats such as EXEs and PowerShell scripts.
Real-life impacts of ransomware fallouts
Financially driven ransomware attacks can have notoriously severe impacts on victims. Overall, our research team has found that ransom payments and incidents remain higher in the first half of 2024 compared to previous years.
Dark Angels behind a record ransom payment
In early 2024, Zscaler and Chainalysis detected a monumental ransom payment of $75 million directed to a cryptocurrency wallet managed by the Dark Angels ransomware group. The identification of the victim was not disclosed as per standard reporting practices, but it is strongly suggested that the payor was Cencora, a Fortune 50 pharmaceutical company. Why so? Cencora publicly acknowledged a ransomware attack and data theft in February 2024, making them a probable candidate. The company, valued at $10 billion with annual revenues reaching $262 billion in 2023, found the payment necessary to restore operations and prevent further data leaks.
Further investigations reveal that the attack’s ramifications extended beyond Cencora. The company, along with at least two of its subsidiaries, reported stolen data to regulators, implicating a broader network of affected entities. In May, additional disclosures indicated that the data breach had impacted numerous major pharmaceutical companies including Pfizer, Bayer and Novartis, among others. These partners also experienced breaches connected to Cencora’s compromised systems, specifically through the Lash group subsidiary.
The sizable ransom from this single incident highlights Dank Angels’ impact. The strategy employed by Dark Angels suggests a focus on high-value targets – often termed “big game hunting” – which involves fewer, highly profitable attacks rather than numerous smaller-scale ones. It’s difficult to say whether Dark Angels have an intentional strategy of big game hunting, or if they just got lucky.
There were no major outages or operational disruptions reported (at least so far). However, the widespread effects of this attack, involving a network of companies with a combined revenue in the trillions, illustrate the extensive potential for damage and disruption caused by ransomware operations targeting major players in critical industries.
Japanese media giant’s market value plummets in the ransomware attack aftermath
Another example, the ransomware strike on Japanese media company Kadokawa Corporation served as a stark reminder of the broad and enduring impacts such attacks can have on businesses. The assault not only disrupted daily operations but also inflicted severe financial and reputational damage. Prior to the attack in early June, Kadokawa’s market value stood at approximately JP¥465 billion (USD$3 billion). Following the incident, its share price plummeted by 15%. Subsequently, this erased JP¥70 billion (USD$500 million) from its market capitalization. This significant drop in share price, which appears solely attributed to the ransomware attack, underscores the high stakes of cybersecurity in protecting not just operational capabilities but also financial stability and public perception.
Public health at stake
The National Health Laboratory Service (NHLS) of South Africa suffered a ransomware attack on June 22nd. The attack continued to disrupt services into July. This attack has been particularly critical as it hindered access to laboratory test results amid an outbreak of mpox disease. This incident demonstrates how significantly ransomware impacts public health and safety of citizens globally.
To pay or not to pay
Ransomware groups often aim to build trust with victims by promising data recovery upon ransom payment, giving false hopes that this will restore normal operations. Ransomware operators often brand themselves as ‘pentesters’ with the intention to appear professional and reassure victims about data deletion and decryption.
Despite this, the majority of organizations paying ransoms suffer subsequent attacks, often facing even higher demands than before. Cybereason reaserch claims that percentage of victims facing a second attack is as high as 78%.
Ransomware operators are unreliable and their assurances of not targeting victims again should not be trusted. Therefore, paying a ransom based on trust in these actors is not advisable. Acknowledging research that quantifies the deceitfulness of ransomware actors is crucial, as it together with prohibiting legislation significantly influences the ransomware landscape.
Salesforce security implications of the current threat landscape
The emergence of new ransomware groups and the evolving tactics suggest that Salesforce environments are likely to be increasingly targeted as an alternative to traditional and easier to detect vectors. In fact, we’ve detected a 366% increase in malicious files on Salesforce in Q2 2024 compared to Q2 2023.
For Salesforce, it’s important to stay vigilant against ransomware campaigns that leverage Salesforce as a channel for malware delivery or social engineering tactics to lure users to phishing sites. Besides human errors, novel campaigns can target vulnerabilities in cloud environments or through third-party integrations.
Salesforce security recommendations simply put
Constantly transforming threats require a layered and proactive approach to cybersecurity. No silver bullets. Because of that, we’ve compiled a comprehensive list of Salesforce security recommendations in light of recent cyber crime developments:
Auditing: Activate comprehensive auditing that covers cloud environments including Salesforce to identify and patch security gaps.
AntiVirus: Threat protection such as WithSecure™ Cloud Protection for Salesforce solutions at the entry-point such as Salesforce together with endpoint security will block the majority of file-based ransomware threats. Make sure that the solution has up-to-date threat intelligence source.
Employee training and awareness: Social engineering remains a significant threat vector. Training Salesforce users to recognize phishing attempts and other social engineering tactics is critical.
AntiPhishing: By implementing an antiphishing solution on Salesforce level, you can automatically stop phishing attacks. It’s important to go beyond traditional attack vectors like email.
Strengthened access controls: Enforce strict conditional access to mitigate credential compromise. Salesforce environments should adopt the principle of least privilege. Routinely audit permissions.
Third-party risk management: As Salesforce often integrates with numerous third-party applications, ensuring these connections are secure is essential to prevent ransomware spread or data leaks. You should choose security tools based on integration simplicity, preferring native solutions.
Data management policies: The revelation that Lockbit held onto data it claimed to have deleted is a crucial reminder of the risks involved in data handling and storage. You should implement robust data encryption, regular audits, and follow strict data handling and deletion protocols to minimize potential damage.
Limit BYOD: The breach of Disney’s Slack data resulted from a malware infection on an employee’s personal device – a reminder to limit allowing personal devices into corporate systems.
Extortion preparation and response: You should include Salesforce in incident response strategies. This means close collaboration between security and Salesforce teams, having secure and tested Salesforce backups and a clear communication plan for dealing with ransom demands.
Tailored for high compliance sectors, our certified solution safeguards Salesforce clouds for global enterprises, including finance, healthcare, and the public sector.
Support from our experts with setup and configurations
WithSecure Cloud Protection for Salesforce Orion 2.5 introduces defenses against malicious QR codes, fortifying your Salesforce defenses against URL-based cyber threats. It also makes warding off URL-based cyber threats within Salesforce easier than ever by enhancing custom objects and fields scanning. Previously introduced in Orion 2.4, URL scanning in custom objects and fields is now simple to configure straight from the UI, eliminating the need for Apex code.
What’s new in Orion 2.5:
QR code scanning against quishing attacks
URL Protection across custom fields and objects now offers straightforward configurations from the UI
Enhanced digital fingerprinting of files sharpens detection accuracy without impacting performance
Revised Click-Time URL Protection settings are now easier to access
Stop quishing attacks with QR code protection
WithSecure™ Cloud Protection for Salesforce now includes QR code scanning to effectively combat quishing attacks across Salesforce. Sparked by a real-life attack targeting a Salesforce customer, this feature extends our malicious URL scanning capabilities to include QR codes, addressing the emerging threat where cyber criminals use QR codes to direct end-users to malicious sites. Quishing attacks trick users into scanning QR codes with their mobile devices, leading to potential theft of credentials, or malware infections.
To activate this protection, enable connected app and turn on Advanced Threat Analysis under File Protection settings. We also recommend reviewing your file type coverage under File Protection settings to include all image file types.
Want to learn more about malicious QR codes and quishing attacks on Salesforce? Check out our dedicated article with antiquishing tips.
Block malicious URLs across custom objects and fields – with easy settings
Expanding from standard to custom Salesforce objects, this update addresses a highly requested feature by our users. With Orion 2.5, defining and securing custom objects and fields has never been easier. This release allows you to:
Directly configure URL scanning settings within the UI
Seamlessly integrate robust security measures into your Salesforce custom workflows
Our upgraded file hashing technology not only improves the detection accuracy but also maintains system performance. The new hashing sets more complex defenses for files against crafty attackers.
Click-Time URL Protection configuration change
Previously included in WithSecure™ Cloud Protection, Click-Time URL Protection now features simplified settings adjustments. Now located under URL Protection -> General -> Configure Objects, this update ensures real-time protection by scanning URLs at the moment of access, safeguarding against any post-upload modifications by attackers.
We greatly bolstered URL scanning capabilities bolstered in the Orion 2.4 release earlier in 2024. If you missed it, here’s the recap:
Block shortened URL threats: Automatically identify and block malicious shortened URLs on Salesforce, ensuring comprehensive verification of every link’s true destination.
Detect malicious URLs in files: Enhanced scanning capabilities now detect and block harmful URLs hidden within Salesforce file uploads, such as Microsoft Office documents and PDFs, increasing your defense against indirect cyber attacks.
Admin tip #1: Enable URL Protection across all text and URL fields to protect against malicious links.
Admin tip #2: Protect all Salesforce objects and fields – both standard and custom – to safeguard against exploits.
Admin tip #3: After setting up URL protection for custom objects, ensure file scanning is also activated for them.
Admin tip #4: Activate automatic updates for the latest security features and stable protection.
Admin tip #5: Utilize the connected app feature of WithSecure Cloud Protection for Salesforce to access advanced security capabilities like advanced threat analysis, URL scanning inside files and QR code scanning.
Explore the latest developments in the global ransomware scene with our Ransomware Landscape H1 2024 report. This detailed analysis provides insights into active ransomware groups, their methodologies, how they are organized, and their impact across industries.
We’ve also compiled key cloud, Salesforce and other relevant threat landscape news into a snapshot post. With this, you’ll get your knowledge up-to-date in a matter of minutes.
Our tradition of naming Cloud Protection for Salesforce product releases after famous roller coasters continues with Orion. It illustrates the thrilling progress in our work – and in the lives of cyber defenders like yourself. The name Orion was chosen for the 2024 release series not just for its cool factor, but as a symbol of the limitless heights and broad scope we aim for with our Salesforce security solution. It represents a new chapter in refining and enhancing our product to support your Salesforce security needs, promising a steady ascent and an exciting journey.
BOOK A DEMO
Secure your Salesforce today
Tailored for high compliance sectors, our certified solution safeguards Salesforce clouds for global enterprises, including finance, healthcare, and the public sector.
Support from our experts with setup and configurations
Meet your compliance requirements and control your Salesforce data location
Data residency is a critical consideration for organizations using Salesforce to ensure the security and compliance of their sensitive customer data. With Salesforce’s global reach, understanding where your Salesforce data is physically stored and the legal implications is key to mitigating both cyber and compliance risks.
What is the difference between data residency, data localization, and data sovereignty?
While these three terms are related, they have distinct meanings within the realm of data management and compliance. Data residency refers to the physical or geographical location where an organization’s data is stored, whether on servers, databases, or in data centers. Data localization is the requirement that certain data must be stored and processed within the country or region where it was collected, without being transferred outside of those borders. Data sovereignty is the principle that data is subject to the laws and regulations of the country or jurisdiction where it resides, regardless of the nationality of the person or entity that owns the data. Understanding the nuances between these concepts is crucial for organizations to ensure they are complying with relevant data privacy and security regulations.
What is Salesforce data residency?
Data residency refers to the physical location where an organization’s Salesforce data is stored, whether on servers, databases or in data centers. The country or region where Salesforce data resides determines the privacy laws, data sovereignty regulations and security requirements that apply to that data. For Salesforce users, data residency is especially important because Salesforce has data centers located around the world. Depending on your Salesforce org’s settings, your Salesforce data could be stored in the U.S., Europe, Asia or elsewhere.
Depending on the country’s legislation and regulations, these themes are often included:
Storage location: Many countries have laws that require certain types of data to be stored within their own borders.
Transfer restrictions: Some jurisdictions have requirements surrounding data transfer across borders. For instance, the EU’s General Data Protection Regulation (GDPR) stipulates that data can only be transferred out of the EU to countries that provide adequate levels of data protection.
Local access: Regulations may require that the local government or specific regulatory bodies have access to the data.
Privacy protections: Depending on the country, organizations may be required to provide specific privacy protections for the data they store, such as practices around data encryption, pseudonymization, or anonymization.
Data breach notifications: Some countries require that organizations notify the relevant authorities and/or the affected individuals in the event of a data breach.
Record keeping: Organizations may be required to keep records of all data processing activities.
Consent: In some cases, organizations might need to obtain explicit consent from the data subjects before storing or processing their data.
For example, in Australia and Singapore, there has been high demand from public sector organizations and private companies operating in regulated industries to have control over their Salesforce security data’s residence in the home country.
Why Salesforce data location matters?
There are several key reasons why Salesforce data residency is critical for security:
Legal compliance: Different countries and regions have varying laws around data storage, protection and privacy. Storing Salesforce data in compliance with local data residency regulations is mandatory to avoid legal issues and penalties.
Data privacy protection: Data residency rules exist to safeguard the privacy of individuals whose data is collected. Adhering to Salesforce data residency ensures customer data is handled securely and with proper privacy controls.
Reduced security risks: Storing Salesforce data locally within a country’s borders minimizes the risks associated with cross-border data transfers, such as unauthorized access, data breaches and data loss. Local storage is typically more secure.
Customer trust: Customers will have more confidence in a Salesforce-powered business that respects data privacy laws and stores data in accordance with Salesforce data residency requirements. This builds trust.
Business continuity: In the event of a disaster, having Salesforce data stored locally can enable faster recovery, as data centers in the affected region can focus on restoring service.
Best practices for managing Salesforce data residency
To ensure your Salesforce data is secure and compliant from a data residency perspective, follow these best practices:
Know where your Salesforce data is stored: Determine the specific data centers and regions where your Salesforce org’s data is physically stored. This information should be available from Salesforce or your Salesforce consulting partner.
Understand relevant data residency laws: Research the data residency, data sovereignty and data privacy laws that apply to your Salesforce data based on where it is stored. Consult with legal counsel to ensure compliance.
Implement proper data encryption: Use strong encryption to protect Salesforce data both at rest and in transit, especially if data is being transferred across borders. Leverage Salesforce’s built-in encryption capabilities, and make sure that third-party applications align.
Restrict Salesforce data access: Limit access to Salesforce data to only those employees and systems that require it. Use Salesforce’s robust user permissions and sharing settings to control data access.
Monitor Salesforce data activity: Continuously monitor Salesforce data usage, access and sharing activity to detect any suspicious behavior that could indicate a data breach or compliance issue. Leverage Salesforce’s security monitoring tools.
By following these best practices and partnering with a Salesforce consulting firm that prioritizes data residency and security, you can keep your Salesforce data safe and compliant no matter where it is stored around the world.
How WithSecure™ Cloud Protection for Salesforce helps you meet your compliance requirements
WithSecure™ Cloud Protection for Salesforce is hosted on AWS data centers. The solution runs on data centers in Europe (Ireland), USA, Australia and Singapore – and more countries will soon follow, including Japan and Canada.
You can fully control your data’s location, in other words, in which data center your data is processed. Data is strictly encrypted both during transit and rest. Data handling and security practices follow the strictest industry standards. Also, you don’t have to worry about any hidden hosting costs or efforts.
BOOK A DEMO
Secure your Salesforce today
Tailored for high compliance sectors, our certified solution safeguards Salesforce clouds for global enterprises, including finance, healthcare, and the public sector.
Support from our experts with setup and configurations
Why understanding Salesforce security is important
Salesforce a powerhouse in CRM solutions, delivering a wide range of digital experiences to its users. Its widespread adoption across industries – and among critical enterprises and governmental agencies – makes it a huge data repository. The goldmine of sensitive data unfortunately attracts money motivated cybercriminals, who today are getting into corporate networks through any channel they can. In other words, they are now only looking at conventional channels like email. Valuable data, operational criticality and the interest of attackers puts pressure on the defenders to gear up on Salesforce security measures.
Shared responsibility model sets the rules in Salesforce data security
Salesforce’s security framework is based on a shared responsibility model. This model defines the security obligations between Salesforce and its users. While Salesforce provides a highly secure cloud infrastructure with plenty of security controls, users are responsible for configuring these settings and mitigating external risks to protect their data effectively. This collaborative approach ensures that every layer of potential vulnerability can be addressed by the correct roles.
Multiple levels of Salesforce data security measures
Understanding Salesforce’s comprehensive security setup is crucial for effective data protection. Salesforce structures its security model into four levels to streamline administration and ensure thorough protection:
Organizational level security: This primary security level involves basic access controls like setting trusted IP ranges and defining login hours to prevent unauthorized access.
Object level security: At this level, administrators control access to various data sets or “objects” within Salesforce, which can be likened to tables in a database. Modern best practices recommend using Permission Sets for flexible and scalable access management.
Field level security: This allows admins to control access to specific fields within an object, ensuring users see only the data essential to their role.
Record level security: This level controls access to individual records within an object. Salesforce offers several methods to fine-tune record visibility and sharing settings, enhancing collaboration without compromising security.
Organizational level security
At the foundational level, organizational security involves securing access to your Salesforce system. This includes setting up restrictions such as trusted IP ranges from which users can log in—accessible via the Login IP Ranges section of a user’s profile. Additionally, Login Hours can be specified to limit user access to predefined times.
To bolster organizational security, Salesforce administrators should enforce strong password policies and consider integrating advanced security solutions like Salesforce Shield and WithSecure’s Cloud Protection for Salesforce.
Object level security
In Salesforce, an object is akin to a database table and houses data sets relevant to specific business functions. Historically, object access was controlled directly through user profiles. However, Salesforce now advises utilizing Permission Sets and Permission Set Groups for this purpose. This approach allows streamlined access management aligned with users’ roles.
Field level security
Field level security pertains to the access controls at the individual field within an object, similar to columns in a spreadsheet. This setup ensures that access to sensitive fields can be tightly controlled and varied between different users, depending on their job requirements. Administrators can configure these settings directly in user profiles or more dynamically through Permission Sets.
Record level security
Record level deals with access to individual entries within an object. Salesforce offers several mechanisms to manage this, such as:
Organization-wide defaults: Set baseline access levels for all records within the organization.
Role hierarchy: Enables users higher in the hierarchy to access records below them.
Sharing rules and manual sharing: Facilitate lateral sharing within teams or direct sharing for specific records, ensuring collaboration without compromising security.
External access and advanced cyber security measures on Salesforce
While internal user permissions and sharing rules are critical, Salesforce administrators must also safeguard against external threats. These threats can arise from interactions with Salesforce solutions like Salesforce Experience Cloud, or through third-party applications connected via APIs. Salesforce allows the enforcement of permissions for APIs and apps similarly to internal user settings. It’s crucial to configure these permissions with the strictest settings possible to minimize vulnerabilities and prevent unauthorized access.
Keep your data safe with Salesforce Shield and WithSecure™ Cloud Protection for Salesforce
Even the most robust endpoint security strategies cannot guarantee complete immunity from sophisticated cyber threats. Criminals targeting your organization might mimic legitimate access – also on Salesforce. Salesforce Shield plays a pivotal role here by enhancing file encryption, adding a critical layer of security for data uploaded to the cloud, making it more resistant to unauthorized exploitation.
WithSecure™ Cloud Protection for Salesforce takes security against external threats a step further by providing real-time defense against viruses, malware, ransomware, and phishing threats. It scans all content from files to URLs as it is uploaded to Salesforce, both at the time of upload and whenever a user interacts with the content. This proactive approach not only detects and blocks known threats such as commodity malware, but also uses advanced behavioral analysis to thwart zero-day attacks and emerging threats.
Last piece of advice: secure every access point
For enterprises utilizing Salesforce, protecting every point of access and every point of data interaction – both internal and external – is critical. WithSecure™ Cloud Protection for Salesforce complements Salesforce’s built-in capabilities and Salesforce Shield by offering an additional layer of real-time, proactive protection, ensuring your Salesforce environment remains secure against advanced cyber threats. This dual approach fortifies your cloud data against both conventional risks and sophisticated cyber attacks, whether they are coming through a customer support email, web form or your community portal. Your end-users are secured whether they use a laptop or a mobile device.
For more information on optimizing your Salesforce security against modern cyber threats, get our free security tips ebook or conduct a free risk assessment (we promise it only takes a few minutes and requires no access to your Salesforce orgs).
BOOK A DEMO
Secure your Salesforce today
Tailored for high compliance sectors, our certified solution safeguards Salesforce clouds for global enterprises, including finance, healthcare, and the public sector.