Cyber attackers use phishing in the majority of data breaches – IBM reports a staggering 41% of all attacks attributed to it, while Deloitte notes that phishing accounts for two in every five attacks. The Anti-Phishing Working Group (APWG) underscores that 77% of phishing domains are specifically registered for malicious purposes. These domains frequently serve as launchpads for extensive phishing and malware attacks, making their scrutiny a critical security practice.
Similarly, Interisle Consulting Group observed that a significant increase in phishing is linked to the use of domain names, with an 85% jump in domains used for cyberattacks.
Research from Palo Alto reinforces these concerns, and indicates that at one point, over 70% of newly registered domains (NRDs) were “malicious,” “suspicious,” or “not safe for work.” This statistic underscores the consistent risk posed by newly established domains over the years.
NRDs are employed not only for phishing but also as vectors for malware distribution and command-and-control operations. Cybercriminals can rapidly register and activate new domains. In response, they can rapidly deploy and evolve their attacks, and bypass traditional detection methods. This creates urgent challenges for cybersecurity defenses in environments like Salesforce.
Why combating phishing on Salesforce is crucial
Phishing attacks pose a significant threat to organizations using Salesforce, exploiting the platform’s extensive functionalities to carry out sophisticated cyberattacks. These threats primarily target human error, using deceptive emails or malicious URLs to manipulate users into divulging confidential information such as login credentials, thereby compromising entire systems.
Data integrity and security: Salesforce serves as a repository for vast amounts of sensitive corporate and customer data. Phishing attacks gain unauthorized access to data, causing data breaches that severely damage a company’s reputation and lead to substantial financial losses.
User trust and compliance: Customers trust organizations to safeguard their personal information. A successful phishing attack can erode this trust, damage customer relationships, and potentially violate compliance regulations that protect user data.
Operational continuity: Phishing attacks disrupt the normal business operations of Salesforce, which leads to downtime and decreased productivity.
Proactive NRD blocking is the simplest and the most effective strategy
Managing NRD threats effectively requires a combination of technology and strategy tailored to an organization’s specific risk tolerance. Although user awareness is important, no Salesforce user should be expected to act as a phishing detective. Enterprises with low risk tolerance should proactively block NRDs from interacting with their Salesforce systems.. By utilizing real-time intelligence, WithSecure Cloud Protection for Salesforce empowers organizations to selectively block NRDs. The solution analyzes the domain’s age. Customers can configure settings to block domains registered within recent time frames, including 7, 14, 30, 60, or 90 days.
Proactive NRD blocking is the simplest and the most effective strategy
Our incident response team has identified attacks on Salesforce environments where NRDs were a factor. These observations have reinforced the need for robust NRD management and influenced the development of product features that meet the stringent compliance requirements of many enterprise customers. These customers often mandate that newly created domains should not gain access to their Salesforce platforms.
“Many enterprises, particularly financial institutions, have stringent requirements. For instance, they mandate that domains less than 32 days old are not allowed on their network or platform ,” Anssi Korpilaakso, Director of Business Operations at WithSecure Cloud Protection for Salesforce, concludes.
The problem calls for systemic intervention
To curb the misuse of newly registered domains (NRDs) in cyberattacks more effectively, authorities need to take broader regulatory actions instead of merely placing the responsibility for risk management on the victims.
Regulatory oversight: Authorities could impose stricter controls on service providers that disproportionately enable cybercriminals, possibly penalizing those that consistently supply the means for cyberattacks.
Identity verification: Introducing stringent identity verification or certification requirements for bulk domain registration can prevent misuse by making it harder for cybercriminals to anonymously acquire domains.
Limiting resources: Restricting the number of accounts and subdomains one can register with free or inexpensive web hosting services could curtail the ability of attackers to proliferate harmful domains.
Automated monitoring: Deploying automated systems to monitor and screen suspicious registration and usage patterns can preemptively catch potentially malicious activities.
WithSecure™ Cloud Protection for Salesforce enhances defenses against URL-based threats, including the risks associated with newly registered domains (NRDs). This constantly updated suite of URL scanning features actively addresses the hidden dangers of malicious URLs within Salesforce.
Stop phishing and url-based threats instantly: URL Protection feature actively guards against phishing and malicious websites. It scans URLs upon upload and when clicked. This real-time scrutiny is crucial for intercepting threats before they impact your system.
Dynamic protection against evolving threats: The nature of URL threats is volatile. A link that was once deemed safe can turn malicious later. Click-Time URL Protection feature dynamically evaluates URLs at the point of access and adapts to the mutating threats.
Block newly registered domains: You can block access to domains based on their registration age. Settings are adjustable from 7 to 90 days old domains. This effectively reduces the risk of falling victim to attacks that are launched from newly established malicious sites.
Comprehensive detection of malicious URLs: The solutions detects and blocks harmful URLs that are within files and behind QR codes. This extends protection beyond visible links in text fields. This comprehensive approach helps thwart hidden malware and phishing attempts encoded within document uploads.
Block shortened URL threats: Shortened URLs, often used for their convenience, can mask dangerous destinations. Our system ensures every link is verified, enhancing security against camouflaged threats that could otherwise bypass detection.
Tailored security for high compliance sectors: We have designed the solution with the needs of highly regulated industries in mind. Robust protection aligns with the stringent security requirements of finance and public sectors.
Concerned about malicious URLs entering your Salesforce environment? Contact our team for a free consultation.
BOOK A DEMO
Secure your Salesforce today
Tailored for high compliance sectors, our certified solution safeguards Salesforce clouds for global enterprises, including finance, healthcare, and the public sector.
Support from our experts with setup and configurations
In today’s interconnected enterprise and cloud ecosystem, Salesforce is a powerful, secure platform that offers significant benefits for managing strong, lasting customer relationships. However, Salesforce’s success makes it a target for cybercriminal activity. Now used at over 150,000 enterprises worldwide, Salesforce and your Salesforce customer-related data are prominent marks for bad actors and cybercriminals. Let’s discuss how WithSecure Cloud Protection for Salesforce complements Salesforce for organizations of any size.
Shared Responsibility is the first step towards securing Salesforce
Salesforce follows the Shared Responsibility Model, which emphasizes that security is a joint effort between Salesforce and its customers. Other cloud providers, including Amazon Web Services, Google Cloud, and Microsoft Azure, also utilize this model. Simply stated, the Shared Responsibility Model means the cloud provider is responsible for securing their cloud services and the underlying infrastructure. Customers are responsible for protecting their data, even though it is stored in the cloud environment.
Accordingly, customers must understand what security measures Salesforce does not provide to address these gaps. Recognizing the security limitations of what Salesforce offers is an essential first step in developing a comprehensive security strategy for Salesforce.
Scanning for malware, phishing, spam and ransomware is left to the customer
Salesforce is dedicated to establishing standards in SaaS (software-as-a-service) and being a reliable partner in customer security. To enhance the security of a Salesforce instance, Salesforce offers various recommendations for customers to implement. One of the key suggestions is to use security solutions like WithSecure Cloud Protection for Salesforce, which provides spam filtering and malware protection.
Haven’t we solved the malware problem?
Malware, viruses, spam, trojans, etc., continue to wreak havoc on enterprises. According to the recent IBM Cost of a Data Breach Report 2024, the average cost of a malware attack in 2024 is around $5.24 million globally, up 10 percent from 2023. Specific organizational losses have been much higher when factoring in the additional ransomware costs.
There are many effective server, desktop and mobile scanning solutions to thwart malware. However, the rise of cloud-provided applications has further complicated malware detection because, in the case of Salesforce, documents, files, etc., often legitimately bypass enterprise scanning systems.
When a user uploads a file or attachment to Salesforce, no native file scanning is applied. These documents almost always, by their nature, bypass the normal enterprise-level scanning mechanisms. Further, the lack of automatic scanning allows an external user to attach a malicious file, putting Salesforce data at risk.
Today, enterprises need a broad defense and in-depth approach to thwart these threats and complement Salesforce security.
How WithSecure Cloud Protection for Salesforce works
The WithSecure Cloud Protection for Salesforce solution is the simplest way to stop file, URL and QR code-based cyber threats like malware, ransomware and phishing attacks on your Salesforce cloud. Here is how it works:
1. A user, unwittingly or knowingly, uploads malicious files, attachments, URLs or QR codes to a Salesforce platform. It might be from web forms, partner portals, emails, or third-party applications.
2. WithSecure Cloud Protection for Salesforce intercepts and scans all content entering and leaving Salesforce in real-time for threats using a multi-stage threat analysis process. Content can also be scanned retrospectively on-demand.
3. All data stays in the Salesforce cloud. Only suspicious files that cannot be detected as threats based on global threat intelligence checks are evaluated for a deeper behavioral analysis. The files are sent to the WithSecureSecurity Cloud, where they are analyzed in an isolated sandboxing environment to detect even the stealthiest and most sophisticated cyber threats.
4. When a threat is detected, administrators are automatically alerted. The end-user is advised on what to do next, and further use of the content is prevented.
5. Advanced security analytics with full audit trails speed up the incident response. Relevant data, alerts, and workflows can be easily integrated into SIEM or other centralized security systems.
WithSecure Cloud Protection for Salesforce: Designed with and for Salesforce
WithSecure Cloud Protection for Salesforce is designed to reduce the risk of advanced cyber threats targeting Salesforce. It offers:
Real-time protection and immediate visibility into your entire environment
Seamless integration with your customizations and workflows
Full support for the infrastructure security controls that Salesforce provides
This solution meets the stringent compliance requirements of modern enterprises and critical public sector organizations, making it an excellent choice for enhancing your Salesforce security.
Developed in collaboration with Salesforce, WithSecure Cloud Protection for Salesforce is used and recommended by Salesforce.
To learn more about WithSecure Cloud Protection for Salesforce:
Learn more about WithSecure Cloud Protection for Salesforce in our newest video, 60 Seconds with WithSecure.
Book a demo to see Cloud Protection for Salesforce live and learn how it can protect your Salesforce instance.
As the risk of cyber-attacks increases, understanding how to protect your Salesforce environment from malware becomes a priority. Salesforce’s approach to securing Salesforce is based on the Shared Responsibility Model (SRM). This model can be somewhat intricate to understand. At its most basic level, Salesforce is responsible for securing its infrastructure and ecosystem. In addition, Salesforce offers several specialized, value-added security solutions, such as Salesforce Shield (for platform encryption, event monitoring, and audit reporting), Salesforce Data Mask (enables admins and developers to mask sensitive data in sandboxes such as personally identifiable information (PII) or sales revenue), and the Salesforce Privacy Center (tools to help manage GDPR and PII governance).
However, under the SRM, Salesforce customers – administrators, architects, security teams, and users – must understand their responsibilities. Customers, for example, are responsible for protecting their data, using the right access controls and permission sets, and securing the objects within Salesforce.
Most importantly, in the area of data protection, Salesforce does not offer capabilities for detecting and preventing malware, ransomware or phishing links. Salesforce encourages customers to form a relationship with vendors, such as WithSecure Cloud Protection for Salesforce, to avoid malware and phishing attacks from occurring within their Salesforce.
How does malicious data get into Salesforce?
Salesforce has evolved extensively since its beginning as a sales automation platform in the 1990s. Today, it is used by over 150,000 organizations globally to manage sales and service organizations and to maintain customer relationship data. Users constantly import, share, store and export data files, attachments, URLs and QR codes associated with customers, partners, community members, and internal employees. Typical use cases for importing and exporting files include email-to-case, web-to-case, and third-party custom apps that allow users to upload documents. Each file and attachment uploaded to Salesforce opens the door to malware exposure, which can quickly propagate across the instance.
Malicious files, URLs and QR codes pose risks to Salesforce customers
The presence of malicious files is on the rise within Salesforce. These files contain or are conduits for ransomware, phishing exploits, viruses, worms, keyloggers, trojans, spyware, adware etc. Between Q2 2023 and Q2 2024, there has been a roughly 400% increase in malicious files found within Salesforce.
URLs and QR codes are increasingly the trigger point for malicious activity. To protect Salesforce users, WithSecure Cloud Protection for Salesforce scans hundreds of thousands of URLs each month. On average, 1.5% of URLs uploaded to Salesforce are malicious. And, that percentage will likely grow in the future.
Case Study: An unprotected Salesforce instance leads to a Ransomware attack
An enterprise organization presented WithSecure Cloud Protection for Salesforce with a particular scenario they had experienced. In this scenario, an attacker leveraged Salesforce to infect the company’s network.
The attacker, posing as a customer, sent an email to the company to steal vital data. The email contained a malicious attachment. The enterprise user who received the email opened the attachment. That triggered a few exploitations, leading to malware that infected the user’s machine and installed a keylogger on the infected device. The attacker gained domain administration access and launched a command-and-control power shuttle script, which deployed ransomware at hundreds of workstations within the company’s local area network.
Had this enterprise been using WithSecure Cloud Protection for Salesforce, the preceding scenario would have been much different. WithSecure’s goal is to stop all attacks within the Salesforce cloud.
WithSecure Cloud Protection for Salesforce scans files and attachments. The following screenshot shows the File Protection Settings screen.
If malicious content is detected, WithSecure will quarantine the suspicious file attachments in a safe sandbox environment, as shown in the following screenshot.
WithSecure Cloud Protection for Salesforce: Designed with and for Salesforce
WithSecure Cloud Protection for Salesforce is a native application that runs in your Salesforce environment. The app prevents malicious, suspicious and disallowed content from entering your Salesforce environment via files, web links, QR codes and email messages.
WithSecure Cloud Protection for Salesforce focuses on securing Salesforce to mitigate advanced cyber threats on Salesforce. It:
Provides real-time protection and instant visibility into your entire environment
Works seamlessly with your customizations and workflows
Fully complements the infrastructure security controls that Salesforce provides
WithSecure Cloud Protection for Salesforce meets the strict compliance requirements of modern enterprises and critical public sector organizations. It is an ideal choice for enhancing your Salesforce security.
WithSecure Cloud Protection for Salesforce was designed in collaboration with Salesforce.
The Digital Operational Resilience Act (DORA) is a European Union regulation crafted to boost the operational resilience of financial institutions. It ensures they can withstand, respond to, and recover from ICT-related disruptions, including cyberattacks. It mandates rules for ICT risk management, incident reporting, resilience testing and third-party risk management (TPRM). The regulation applies as of 17 January 2025.
What’s the purpose of DORA?
DORA aims to ensure EU financial institutions can effectively manage and mitigate ICT risks, diminish the impact of cyber threats, and sustain business continuity during disruptions.
Who does DORA apply to?
DORA applies to the majority of financial institutions operating in the EU. It covers a broad spectrum of financial entities, such as banks, investment firms, payment service providers, insurance companies, and ICT third-party providers like cloud services that support financial institutions.
DORA’s ICT risk management framework mandates that a firm’s management body bears ultimate responsibility for managing ICT risks, setting and approving the digital operational resilience strategy, and approving policies related to the use of ICT Third Party Providers (TPPs), among other duties.
How does DORA change the current regulatory compliance?
There have been previous guidelines similar to DORA such as 2019 EBA Guidelines on ICT Security and Risk Management and the 2020 EIOPA Guidelines on ICT Security and Governance. However, as DORA is primary legislation, the level of supervisory scrutiny that firms are subject to is now increasing significantly.
Key requirements for financial entities:
ICT risk management: Financial entities must develop robust governance and control frameworks to manage ICT risks. This includes risk identification, protection measures, system monitoring, and incident recovery.
Incident reporting: Entities are required to report significant ICT-related incidents to authorities to enhance oversight and facilitate a coordinated sector response.
Testing and audits: Regular testing, including penetration tests and security audits, is mandatory to identify and address vulnerabilities.
Third-party risk management: Financial institutions must ensure that third-party ICT providers adhere to equivalent standards, including conducting thorough due diligence for outsourcing critical functions.
DORA compliance and Salesforce security
DORA mandates comprehensive oversight across critical business areas, focusing on firm management’s accountability for ICT risks. It includes crafting a digital operational resilience strategy and managing ICT Third Party Providers (TPPs). Breaches could lead to penalties enforced by competent authorities.
Salesforce is a cloud-based platform that is critical to many financial organizations and their operations. The financial entity will need to ensure that their use of Salesforce complies with DORA’s requirements regarding ICT risk management, third-party oversight, incident reporting, and testing.
As a leading CRM provider, Salesforce has already taken steps to ensure that the platform’s data governance aligns with DORA – along with other data protection regulations. Collaboration with partners like WithSecure™ is part of Salesforce’s commitment to trust and security according to Natalie Pope, Lead Solutions Engineer at Salesforce: “DORA is an important step in elevating our offerings to financial services customers, ensuring data and operational resilience are at the forefront their business goals and company ethos. Our collaboration with partners like WithSecure™ demonstrate Salesforce’s commitment to our number one value of trust, allowing us to offer robust and compliant solutions as part of a trusted digital infrastructure.”
Key actions to secure Salesforce and comply with DORA
New DORA regulation impacts all SaaS products, including Salesforce. When it comes to Salesforce security and risk management, financial institutions should take action in the following areas:
Set up ongoing auditing practices to continually assess security risk related to Salesforce and other services connected to it. Implement proper security measures to remediate any gaps.
Develop and refine incident management strategies to ensure prompt detection, reporting and resolution of issues. Implement security measures directly for Salesforce that support your strategy.
Review and update contracts with ICT providers to meet DORA standards.
In which Salesforce DORA obligations can WithSecure™ Cloud Protection for Salesforce help
WithSecure™ Cloud Protection for Salesforce stops malware and phishing threats on Salesforce in real-time. It helps financial organizations meet their DORA obligations on Salesforce in the following areas:
DORA mandate for incident reporting:“Financial entities shall report major ICT-related incidents to the relevant competent authority”, “Financial entities shall produce, after collecting and analysing all relevant information, the initial notification and reports referred to in paragraph 4 of this Article using the templates referred to in Article 20 and submit them to the competent authority. In the event that a technical impossibility prevents the submission of the initial notification using the template, financial entities shall notify the competent authority about it via alternative means.” (Chapter 19, Article 1)
DORA mandate for detection capabilities:“Financial entities shall devote sufficient resources and capabilities to monitor user activity, the occurrence of ICT anomalies and ICT-related incidents, in particular cyber-attacks.” (Chapter 2, Article 10)
DORA mandate for incident management: “Financial entities shall define, establish and implement an ICT-related incident management process to detect, manage and notify ICT-related incidents.” (Chapter 17, Article 1)
How WithSecure™ Cloud Protection for Salesforce helps financial organizations meet their DORA obligations
WithSecure™ Cloud Protection for Salesforce helps financial institutions detect anomalies such as malware and phishing threats on Salesforce. It provides real-time monitoring capabilities into cyber threats and incidents across the Salesforce environment. It empowers financial institutions with automated threat remediation capabilities, along with prompt alerts.
WithSecure™ Cloud Protection for Salesforce’s native reporting features support incident reporting to authorities, as mandated by DORA. Reports offer vast details about the threat, who has interacted with it, and when. This not only enables sufficient reporting to authorities, but also speeds up incident management process significantly. Without the reporting tools with full event logs and forensics trails, investigating a malware outbreak is costly and time consuming.
While remediating the immediate threat of malware, solutions like Cloud Security Access Brokers (CASBs) can introduce more risk by adding vulnerable integrations and data flows to the mix. For this reason, we built the natively integrated, minimally vulnerable and simplified AntiVirus and AntiPhishing solution WithSecure™ Cloud Protection for Salesforce. With this simplified and seamless approach, financial institutes can mitigate risk without invertedly adding more in the process. You can deploy the native security layer in minutes and strengthen your compliance instantly.
WithSecure™ Cloud Protection for Salesforce is built with 30+ years of cyber security experience in close collaboration with Salesforce. The solution has achieved ISAE 3000 Type 2 certification (international equivalent to SOC 2 Type 2), and WithSecure™ is ISO 27001 certified, proving the resilience of operations in accordance with DORA’s third-party risk management agenda.
Ensure Salesforce DORA compliance
Protect your Salesforce environment against advanced ransomware and phishing attacks in real-time. Natively integrated WithSecure™ Cloud Protection for Salesforce is up and running in minutes. Comprehensive reporting capabilities help you meet DORA incident reporting requirements.
Tailored for high compliance sectors, our certified solution safeguards Salesforce clouds for global enterprises, including finance, healthcare, and the public sector.
Support from our experts with setup and configurations
Phishing is not confined to email but is a pervasive threat across our digital infrastructure. Salesforce, with its extensive cloud applications and public-facing nature, is emerging as a prime target for such cyber threats. Comprehensive phishing defenses should include Salesforce as an attack vector.
Phishing attacks have evolved but so have email defenses
While 41% of cyber attacks use phishing tactics, an alarming 26% of these attacks now exploit public-facing applications (like Salesforce), according to IBM’s report. Furthermore, 16% of phishing attacks misuse valid accounts.
Email, the traditional stronghold against phishing, has long been hardened through anti-malware and anti-phishing tools combined with consistent user education, with many providers offering built-in defenses and organizations adopting phishing simulation training. These measures have significantly heightened user vigilance and reduced the click rates on malicious emails.
How Salesforce becomes the entryway for cyber criminals
Salesforce serves as a central hub for diverse interactions across Sales, Service, and Experience Clouds, presenting multiple avenues for cyber threats. Each user interaction, whether from internal or external sources, could potentially introduce malicious content. Salesforce is vulnerable to the same types of attacks that have plagued email for decades.
Internal users frequently engage in routine activities like uploading documents and sharing URLs. For example, a sales representative might attach a contract embedded with malware in Sales Cloud, or a support agent may inadvertently attach a compromised troubleshooting guide in Service Cloud. Similarly, community managers in Experience Cloud might share links that lead to malicious sites.
The risk also involves unauthenticated users such as customers or potential leads who upload attachments in support cases or via Web-to-Lead forms. These necessary business interactions, if unchecked, provide easy entry points for cybercriminals.
Furthermore, authenticated users on Experience Cloud portals often share significant project files or access collaborative spaces, unintentionally spreading malware. The integration of APIs, which connects Salesforce with external systems like ERP software or tools like Slack, adds another layer of vulnerability. Each data transfer across these connections is a potential breach point.
Salesforce security falls short of email security standards
However, the security measures guarding Salesforce have not evolved at the same pace. There are no built-in anti-virus, anti-phishing, or basic spam filters that are standard in email services. This oversight leaves an obvious hole in cybersecurity strategies.
“Salesforce, often overlooked as an attack vector, presents a significant vulnerability in too many cyber security strategies,” notes Anssi Korpilaakso, Director of Sales and Business Operations at WithSecure™. “Our product backend has registered a steady increase in malware and phishing detections on Salesforce in the recent years.”
Salesforce users typically perceive Salesforce as a trusted tool, and are less likely to anticipate or recognize a phishing attack on the platform compared to email. This sense of trust is exactly what attackers who use psychological phishing schemes exploit.
Email: lessons for multi-layered Salesforce security
As cyber criminals continue to refine their strategies and target systems beyond traditional attack vectors like email, organizations must protect every entry point, including Salesforce. Learning from the widely adopted email security measures and applying these lessons to Salesforce helps fortify your digital infrastructure against dynamic cyber threats.
To tackle phishing effectively, you must adopt a multi-layered defense strategy that goes beyond email and encompasses Salesforce, your business critical platform. Here’s how you can start:
User training: Just as with email, the first line of defense is user awareness. Training users to recognize phishing attempts in Salesforce is crucial, as the platform’s familiar and trusted environment may lower their guard against suspicious activities. Although user education is important, you should not expect your Salesforce users to act as phishing detectives.
Integrate real-time threat protection: Given the lack of built-in anti-phishing and anti-malware features in Salesforce, integrating advanced security solutions that can provide real-time threat protection is essential. Solutions like WithSecure™ Cloud Protection for Salesforce offer tailored security measures that fit seamlessly into Salesforce, enhancing security without disrupting user experience.
What to consider when choosing the solution
When selecting a threat protection solution for Salesforce, you should prioritize efficiency, comprehensive coverage, and advanced detection capabilities that match today’s sophisticated cyber threats. Considerations for calculated decision-making:
Prioritize solutions that add minimal complexity and avoid vulnerable integrations, focusing on native, straightforward security layers.
Choose solutions that protect not only internal users but also mitigate the risk of malware spreading to customers and partners interacting with Salesforce by scanning uploads and downloads across various user types.
Consider the evolving nature of threats, such as documents that contain latent phishing links, which may turn malicious after being uploaded to Salesforce, and after the initial scan at the point of upload. Opt for solutions that provide real-time protection, scanning content like files and URLs during all user interactions, not just at the point of upload.
Ensure the solution offers real-time scanning and advanced behavioral analysis to detect embedded malware in seemingly benign documents, moving beyond traditional signature-based methods.
Select solutions that encompass all Salesforce entry points, including custom objects in addition to standard objects, to ensure comprehensive coverage.
Look for deep detection capabilities that can scan for malicious phishing links not only in text and emails but also within files, detect phishing links hidden behind QR codes, and identify zero-day malware in files as well as known threats.
WithSecure™ Cloud Protection for Salesforce eliminates risk of human error in real-time
Robust security measures equivalent to enterprise-grade email security help you experience the full potential of Salesforce without hidden risks. WithSecure™ delivers an advanced antivirus and antiphishing solution tailored uniquely for Salesforce. Developed in collaboration with Salesforce, WithSecure™ Cloud Protection for Salesforce meets the stringent requirements of highly regulated industries and government entities. You get real-time defenses against malware, ransomware, viruses, and phishing attacks, along with full security visibility for threat hunting and incident response. Multi-layer scanning ensures that every entry and touchpoint – from the Sales Cloud negotiations to Service Cloud interactions and Experience Cloud engagements – is covered.
Native integration ensures rapid deployment and comprehensive security without disrupting your existing Salesforce workflows.
Don’t let human error become your vulnerability in Salesforce security – especially when there are straightforward technologies to mitigate the risk. Whenever you are ready to take the next step, our team is ready to guide you in your Salesforce security.
BOOK A DEMO
Secure your Salesforce today
Tailored for high compliance sectors, our certified solution safeguards Salesforce clouds for global enterprises, including finance, healthcare, and the public sector.
Support from our experts with setup and configurations
Parking scams using fraudulent QR codes have been wreaking havoc in popular tourist cities across Europe and North America recently. Have you ever considered that malicious QR codes could infiltrate your Salesforce? Read on to learn what QR code attacks look like, why Salesforce is an attractive target for them, and how you can stop them.
The rise of quishing
It’s not long since Police Service of Northern Ireland (PSNI) Cyber Crime Centre, posted a notice about malicious QR codes in phishing attacks. Quishing, or QR code phishing, involves the deceptive use of QR codes to lure unsuspecting individuals into visiting malicious websites. There they are tricked to reveal personal credentials, or unknowingly download malware. QR codes are used for everything from restaurant menus to ticket validations. At the the same time, cybercriminals have found ample opportunities for exploitation. Distinguishing between legitimate and fraudulent QR codes is difficult for human eyes. Fortunately, there are preventive security technologies – now also for Salesforce.
Examples of quishing attacks in the wild
A typical quishing email might mimic an official communication from a known corporation. It can for example urge the recipient to scan a QR code to handle something urgent, like reset a password or verify an account.
Another method involves embedding a QR code inside a seemingly innocent message related to work processes like payroll or security updates. One of the recent examples targeted a major energy company in the US with a campaign that imitated a Microsoft security notification.
On the other hand, scammers have also found ways to abuse QR codes scams in public spaces. Such example is the recent QR parking scam in popular tourist cities across UK. The scam involves malicious QR codes, often placed on parking meters, that direct users to phishing websites. Unsuspecting victims enter personal information, including payment details, under the guise of paying for parking. As a result, they potentially face double trouble with both financial fraud and a parking ticket.
10,000 victims have already fallen for the said parking scam in a matter of two months. Therat actors have launched similar campaigns across Europe, United states and Canada. These scams often target tourists who are not familiar with the local parking apps, thus easier to deceive.
The quishing attack kill-chain
In the digital world, quishing typically begins with a QR code sent via email or text. The recipient then scans the code with a mobile device. The victim is then redirected to a harmful site.
The phishing site typically mimics a legitimate business resource, login page, or document portal. The page then prompts the employee to enter their credentials or download a file.
By entering their credentials, employees inadvertently provide attackers with access to their corporate accounts. Attackers can use the credentials to harvest sensitive information or launch an attack within the organization.
The process capitalizes on the established trust in QR codes. QR codes are handy to roll out covert operations. Quishing attacks are often harder to detect than traditional phishing attacks, or ones with the malicious link plainly imbedded in the message text. As these codes simply appear as nondescript, benign images, they bypass usual text-based URL scans implemented by most email and collaboration security systems.
QR code phishing tactics:
Integration in familiar platforms: Quishing often uses popular platforms to reach a broad audience, and to exploit trusted services and brand names to increase the success rate of attacks.
Sophistication in execution: By embedding malicous QR codes within messages, attackers can bypass conventional security measures which might not scan URLs embedded in images.
The psychological play: The decision to scan a QR code often happens impulsively, thanks to the established norm of their use in safe contexts. This impulsivity is what quishers count on, reducing the victim’s likelihood of pausing to consider the potential dangers.
What makes QR code phishing especially tricky on Salesforce
All in all, malicious QR codes pose a significant threat to enterprises, and when delivered through platforms like Salesforce, they can be particularly effective and damaging. Here’s why Salesforce is a lucrative vector for such attacks, and why you should secure your platform without delay:
High trust environment
Users view Salesforce as a trusted platform for daily tasks in sales management, and customer support. Employees are less vigilant about scrutinizing communications received through this platform, assuming a baseline level of security and trust. This trust can make QR codes sent through Salesforce particularly effective as employees may be quicker to scan them without suspicion. The scam itself could even leverage Salesforce’s brand identity. QR codes also employ common and seemingly harmless image types, decreasing suspicions.
Widespread use in organizations
Especially large enterprises use Salefsorce widely, which provides a broad attack surface. Malicious QR codes distributed through Salesforce can potentially reach a large number of users quickly, making it the attackers dream.
Mobile device engagement
Salesforce is frequently accessed via mobile devices, which aligns well with the nature of QR code scanning. Mobile devices are often less secure than desktops, with users typically having weaker security controls and being more prone to overlook security prompts when they are on the move. If bring-your-own-device (BYOD) is allowed, the mobile device may be a personal unmanaged device, with even weaker security measures in place.
No antiphishing blocking the way
While Salesforce offers robust security features, there are no antiphishing capabilities by default. There likely is no layer of protection in the Salesforce environment to detect or prevent the distribution of malicious QR codes, opening a pathway for the attackers.
You need more than awareness to prevent Salesforce QR code quishing
While educating users about the potential threats of randomly scanning QR codes is without a doubt important, true prevention requires a multifaceted approach:
Advanced threat protection: You should implement antiphishing security solutions that can recognize and examine QR codes within Salesforce uploads, analyzing the linked URLs for malicious content before they reach end users.
Regular security audits: Incorporating QR code-based phishing into routine security audits and risk assessments helps identify and remediate security gaps. Make sure to ensure that Salesforce is covered thoroughly in security audits.
Limit access privileges: Although Salesforce has enforced multi-factor authentication for MFA for internal users, it’s wise to limit access rights to what a user’s role requires, and follow the least privilege approach.
Update software and configurations: Ensure all integrations are updated with the latest security patches, and verify that your antiphishing scanning solution is properly configured to detect malicious QR codes.
Limit use of BYOD: Some of the biggest vulnerabilities lie when employees use personal devices outside corporate security measures to access phishing sites that harvest account credentials.
Educate Salesforce users: Continuously educate users about the risks associated with QR codes, emphasizing the need for vigilance even when using trusted platforms like Salesforce.
Block malicious QR codes on Salesforce automatically
You need a blend of vigilance and advanced security solutions to prevent covert phishing tactics like quishing. Luckily you can protect your data and Salesforce users from these hidden scams behind simple scans. WithSecure™ Cloud Protection for Salesforce scans malicious URLs in Salesforce text fields, behind QR codes and within uploaded documents. Our AntiQuishing feature was built as a response to a real-life phishing attack that our enterprise customer faced, where Salesforce was the target of malicious QR codes.
Protect your Salesforce environment against advanced ransomware and phishing attacks in real-time. Natively integrated WithSecure™ Cloud Protection for Salesforce is up and running in minutes.
Tailored for high compliance sectors, our certified solution safeguards Salesforce clouds for global enterprises, including finance, healthcare, and the public sector.
Support from our experts with setup and configurations
This time our threat landscape focus is on ransomware and its implications for cloud services, specifically Salesforce. With attackers increasingly targeting cloud services and public-facing apps, and a 366% increase in malicious file detections on Salesforce in Q2 2024 compared to Q2 2023, ransomware is not a threat to be taken lightly in any Salesforce security strategy.
Cyber threat landscape shifts toward cloud and SaaS exploitation
Cyber threat landscape is seeing an increased focus on the cloud. Attackers have recently leveraged legitimate file transfer and cloud services to facilitate their operations more and more. These services offer a low-key and cost-effective infrastructure which tends not to trigger security alerts as some more traditional methods might.
Symantec’s Threat Hunter Team has recently identified three new espionage operations utilizing cloud services and has uncovered additional malicious tools in development:
GoGra (Trojan.Gogra): Targets a South Asian media organization using Microsoft’s Graph API for C&C communications via email, encrypting messages with AES-256. Developed in Go, active since November 2023.
Firefly Tool: Used by the Firefly group to exfiltrate data from a Southeast Asian military organization. It searches for and uploads .jpg files (actually encrypted RARs) from System32, using Google Drive.
Trojan.Grager: Targets entities in Taiwan, Hong Kong, and Vietnam, using Microsoft’s Graph API via OneDrive for C&C. Distributed through a Trojanized 7-Zip installer, linked to the UNC5330 group.
MoonTag: A developing backdoor associated with a Chinese-speaking actor, noted for its use of the Graph API and discussed in a Google Group.
Salesforce and SaaS applications are targets of UNC3944 threat group
Salesforce and SaaS are becoming more prevalent in the threat landscape. Google Threat Intelligence has observed the activities of UNC3944, a financially motivated threat group that has been active since at least May 2022, and has recently targeted SaaS applications. Initially focused on credential harvesting and SIM swapping, UNC3944 has since shifted to primarily conducting data theft extortion, expanding their target industries and utilizing fearmongering tactics for access. They’ve adapted their methods to include theft from SaaS applications to attacker-owned cloud storage and have employed various advanced techniques to facilitate their attacks.
UNC3944 accessed Salesforce among other SaaS applications using stolen credentials facilitated by single sign-on systems. They conducted reconnaissance within these platforms, likely targeting data for exfiltration, and using third-party cloud synchronization tools like Airbyte and Fivetran to transfer data to external cloud storage.
Key Tactics, Techniques, and Procedures (TTPs) of UNC3944:
Social engineering: They have successfully manipulated corporate help desks using victims’ personal information to gain access to privileged accounts and bypass multi-factor authentication (MFA).
Abuse of SaaS permissions: UNC3944 exploited permissions in applications like Okta to broaden their access within targets’ systems, encompassing both on-premises infrastructure and cloud-based applications.
Virtual machine compromise: The group has created new virtual machines using administrative privileges obtained through SSO applications, using them for subsequent malicious activities and to bypass traditional security controls.
The use of cloud services by attackers is becoming a preferred method for maintaining stealth and managing cost-effective operations. The attackers are learning from each other, adopting successful techniques across various espionage and cybercriminal groups. Extensive coverage of cloud and SaaS environments in security strategies has never been more critical.
Disney moves away from Slack after a data breach of 1 TB – likely caused by a human error
In a major data breach, Disney experienced a significant compromise of corporate data, possibly due to vulnerabilities on an employee’s personal gaming computer. This breach led to the downloading of over 1TB of data through Slack, which resulted in the suspension of the platform for internal communications.
Our team doesn’t have the forensics data of the case, but some experts claim that the breach was not a direct result of flaws in Disney’s or Slack’s systems. Instead, it allegedly occurred because an employee inadvertently installed a malware-infected game modification. This malware, an Information Stealer, captured credentials and accessed Slack, where it exploited the employee’s compromised computer. The lack of Multi-Factor Authentication (MFA) on the password vault allowed attackers to access vast amounts of sensitive data easily.
Some experts suspect that the attackers were helped by an insider, and others that the breach was a result of a general lack of defensive mechanisms at Disney’s end.
A teenager leveraged Slack and stole details about unreleased GTA 6 from the gaming company Rockstar in 2022. The attacker was sentenced to life.
In 2023, another threat actor exploited access to Slack channels to initiate a malware attack on MGM Resorts, a major global casino and resort.
Almost half of ServiceNow KB instances leak sensitive data
A study by AppOmni revealed that over the past year nearly 45% of ServiceNow Knowledge Base (KB) instances were leaking sensitive data, including personal identifiers, internal system details, and live system credentials. The culprit of these breaches were outdated or misconfigured access controls. This is possibly due to widespread misunderstanding of KB access controls or replicating misconfigurations across instances.
Despite ServiceNow’s 2023 security updates aimed at restricting unauthenticated data access, many of these updates were ineffective for KBs, which often contain highly sensitive internal data. The company has responded by collaborating with customers so that KB access control misconfigurations are fixed.
The disruption has led to a sharp decrease in the number of victims, with reported cases falling to single digits. Despite these setbacks, there have been notable attempts to revamp their operations. For example. they have made experimental changes to their data leak sites (DLS) and updates to their DDoS protections. These maneuvers suggest a strategic recalibration aimed at evading detection and sustaining their criminal activities.
Despite significant law enforcement interventions, the Lockbit group’s ability to adapt and attempt to rebuild its infrastructure is indicative of the resilience and persistence of modern ransomware operations. These groups are quick to learn from interventions, often emerging more sophisticated and harder to combat.
Ransomware-as-a-Service is the business model of cyber crime in 2024
The disruption on major ransomware groups has led to a reshuffling of ransomware affiliates, gravitating towards established Ransomware-as-a-Service (RaaS) networks. RaaS is a subscription-based model that enables affiliates to use pre-developed ransomware tools to execute cyberattacks. Similar to software-as-a-service (SaaS) offerings, RaaS providers offer their malicious software on a rental or commission basis, providing updates and support.
All in all, the professionalization of ransomware operations through RaaS models presents new challenges for cybersecurity defenses. These models facilitate a lower barrier to entry for inexperienced cybercriminals and enable rapid scaling of operations. The attraction of RaaS platforms has flooded in new ransomware variants, correspondingly calling for layered defense strategies.
New threats on the block: new groups form as old dismantle
Our research team has also witnessed the rise of new players such as Cicada3301, SenSayQ, and WikiLeaksV2. Each group has demonstrated distinct patterns of targeting and victimology, such as targeting financial software companies and leaking sensitive health sector data. With this in mind, these emerging groups underscore the dynamic nature of the ransomware ecosystem. They continually evolve with new tactics and targets.
The group dynamics are in a constant flux. For example, from the total number of 67 operational ransomware groups our research team has tracked in 2023, 31 have not been operational in Q2 2024. Our team has seen 31 new ransomware groups in 2024. It’s unlikely that many, if any of these projects will survive.
RansomHub’s fast advancement and aggressive affiliate strategy
RansomHub, a new extortion platform operational since early 2024 and believed to be based in Russia, has quickly established itself by offering lucrative terms to affiliates, significantly impacting the ransomware affiliate market. RansomHub is disrupting the RaaS field by letting affiliates accept payment from the victims directly, before sending their share to the RansomHub. What’s more, by allowing affiliates to keep a major portion of the ransom and only taking a small commission, RansomHub has managed to attract experienced groups like ScatteredSpider and members of Lockbit.
RansomHub’s operational capacity, threat level and the number of victims have consequently increased. According to our research team, RansomHub is in fact currently the most active platform observed in the field. In the same fashion, ZeroFox accounts the platform to be responsible for 14.2 % of all cyber attacks in Q3 2024. The majority of victims are in North America (39.4%) and Europe (34.3%). Victims are across diverse sectors, for example manufacturing, retail, healthcare, technology.
At the same time, CISA, along with the FBI, MS-ISAC, and HHS, issued a joint Cybersecurity Advisory on RansomHub Ransomware. This advisory offers network defenders key details such as indicators of compromise (IOCs), tactics, techniques and procedures (TTPs) tied to RansomHub, drawing on findings from recent FBI investigations and third-party reports.
RansomHub has been using sophisticated EDR-killing executable tooling. It disables endpoint detection and response (EDR) software and gains escalated privileges on compromised devices, while designed to bypass several common anti-malware tools. The malware has been found in many formats such as EXEs and PowerShell scripts.
Real-life impacts of ransomware fallouts
Financially driven ransomware attacks can have notoriously severe impacts on victims. Overall, our research team has found that ransom payments and incidents remain higher in the first half of 2024 compared to previous years.
Dark Angels behind a record ransom payment
In early 2024, Zscaler and Chainalysis detected a monumental ransom payment of $75 million directed to a cryptocurrency wallet managed by the Dark Angels ransomware group. The identification of the victim was not disclosed as per standard reporting practices, but it is strongly suggested that the payor was Cencora, a Fortune 50 pharmaceutical company. Why so? Cencora publicly acknowledged a ransomware attack and data theft in February 2024, making them a probable candidate. The company, valued at $10 billion with annual revenues reaching $262 billion in 2023, found the payment necessary to restore operations and prevent further data leaks.
Further investigations reveal that the attack’s ramifications extended beyond Cencora. The company, along with at least two of its subsidiaries, reported stolen data to regulators, implicating a broader network of affected entities. In May, additional disclosures indicated that the data breach had impacted numerous major pharmaceutical companies including Pfizer, Bayer and Novartis, among others. These partners also experienced breaches connected to Cencora’s compromised systems, specifically through the Lash group subsidiary.
The sizable ransom from this single incident highlights Dank Angels’ impact. The strategy employed by Dark Angels suggests a focus on high-value targets – often termed “big game hunting” – which involves fewer, highly profitable attacks rather than numerous smaller-scale ones. It’s difficult to say whether Dark Angels have an intentional strategy of big game hunting, or if they just got lucky.
There were no major outages or operational disruptions reported (at least so far). However, the widespread effects of this attack, involving a network of companies with a combined revenue in the trillions, illustrate the extensive potential for damage and disruption caused by ransomware operations targeting major players in critical industries.
Japanese media giant’s market value plummets in the ransomware attack aftermath
Another example, the ransomware strike on Japanese media company Kadokawa Corporation served as a stark reminder of the broad and enduring impacts such attacks can have on businesses. The assault not only disrupted daily operations but also inflicted severe financial and reputational damage. Prior to the attack in early June, Kadokawa’s market value stood at approximately JP¥465 billion (USD$3 billion). Following the incident, its share price plummeted by 15%. Subsequently, this erased JP¥70 billion (USD$500 million) from its market capitalization. This significant drop in share price, which appears solely attributed to the ransomware attack, underscores the high stakes of cybersecurity in protecting not just operational capabilities but also financial stability and public perception.
Public health at stake
The National Health Laboratory Service (NHLS) of South Africa suffered a ransomware attack on June 22nd. The attack continued to disrupt services into July. This attack has been particularly critical as it hindered access to laboratory test results amid an outbreak of mpox disease. This incident demonstrates how significantly ransomware impacts public health and safety of citizens globally.
To pay or not to pay
Ransomware groups often aim to build trust with victims by promising data recovery upon ransom payment, giving false hopes that this will restore normal operations. Ransomware operators often brand themselves as ‘pentesters’ with the intention to appear professional and reassure victims about data deletion and decryption.
Despite this, the majority of organizations paying ransoms suffer subsequent attacks, often facing even higher demands than before. Cybereason reaserch claims that percentage of victims facing a second attack is as high as 78%.
Ransomware operators are unreliable and their assurances of not targeting victims again should not be trusted. Therefore, paying a ransom based on trust in these actors is not advisable. Acknowledging research that quantifies the deceitfulness of ransomware actors is crucial, as it together with prohibiting legislation significantly influences the ransomware landscape.
Salesforce security implications of the current threat landscape
The emergence of new ransomware groups and the evolving tactics suggest that Salesforce environments are likely to be increasingly targeted as an alternative to traditional and easier to detect vectors. In fact, we’ve detected a 366% increase in malicious files on Salesforce in Q2 2024 compared to Q2 2023.
For Salesforce, it’s important to stay vigilant against ransomware campaigns that leverage Salesforce as a channel for malware delivery or social engineering tactics to lure users to phishing sites. Besides human errors, novel campaigns can target vulnerabilities in cloud environments or through third-party integrations.
Salesforce security recommendations simply put
Constantly transforming threats require a layered and proactive approach to cybersecurity. No silver bullets. Because of that, we’ve compiled a comprehensive list of Salesforce security recommendations in light of recent cyber crime developments:
Auditing: Activate comprehensive auditing that covers cloud environments including Salesforce to identify and patch security gaps.
AntiVirus: Threat protection such as WithSecure™ Cloud Protection for Salesforce solutions at the entry-point such as Salesforce together with endpoint security will block the majority of file-based ransomware threats. Make sure that the solution has up-to-date threat intelligence source.
Employee training and awareness: Social engineering remains a significant threat vector. Training Salesforce users to recognize phishing attempts and other social engineering tactics is critical.
AntiPhishing: By implementing an antiphishing solution on Salesforce level, you can automatically stop phishing attacks. It’s important to go beyond traditional attack vectors like email.
Strengthened access controls: Enforce strict conditional access to mitigate credential compromise. Salesforce environments should adopt the principle of least privilege. Routinely audit permissions.
Third-party risk management: As Salesforce often integrates with numerous third-party applications, ensuring these connections are secure is essential to prevent ransomware spread or data leaks. You should choose security tools based on integration simplicity, preferring native solutions.
Data management policies: The revelation that Lockbit held onto data it claimed to have deleted is a crucial reminder of the risks involved in data handling and storage. You should implement robust data encryption, regular audits, and follow strict data handling and deletion protocols to minimize potential damage.
Limit BYOD: The breach of Disney’s Slack data resulted from a malware infection on an employee’s personal device – a reminder to limit allowing personal devices into corporate systems.
Extortion preparation and response: You should include Salesforce in incident response strategies. This means close collaboration between security and Salesforce teams, having secure and tested Salesforce backups and a clear communication plan for dealing with ransom demands.
Tailored for high compliance sectors, our certified solution safeguards Salesforce clouds for global enterprises, including finance, healthcare, and the public sector.
Support from our experts with setup and configurations
With Dreamforce 2024 upon us, WithSecure™ Cloud Protection for Salesforce is excited to announce customer and product milestones that underscore how we have become the leading trusted and natively integrated solution for securing Salesforce. We would not have achieved these milestones without the support of our customers and partners and, of course, Salesforce. And, speaking of Dreamforce, the Cloud Protection for Salesforce team will be at Booth 2005 to answer your Salesforce security questions regarding malware, ransomware, and other threats to your Salesforce instance.
Leading Brands Trust Cloud Protection for Salesforce
Joining the ranks of companies like Coca-Cola Bottlers, Southern Glazers and SiriusXM, Cloud Protection for Salesforce added 44 new customers in the first six months of 2024. “Even in this tough economic climate, Cloud Protection for Salesforce has delivered unmatched security and compliance protection for enterprise and public sector organizations,” said Lance Jacobs, Vice President of Cloud Protection for Salesforce. “Our customer growth reflects the surging popularity of the Salesforce platform as a core enterprise solution that is increasingly the target of nefarious threat actors. That is why an easy-to-deploy, easy-to-use security solution to defend from malware, phishing and ransomware attacks is in high demand.”
Learn more about Cloud Protection for Salesforce
“By using WithSecure for Cloud Protection, customers can satisfy their security obligations as defined by the Shared Responsibility Model,” said Juhana Autio, General Manager of Cloud Protection for Salesforce. “Our natively-integrated application stops cyber threats like ransomware and phishing in real-time. We scan Salesforce’s incoming and outgoing data for cyber threats, such as files and URLs. The WithSecure for Cloud Protection solution is up and operating in minutes, leaves customers’ customizations untouched, and keeps Salesforce running undisrupted. That is why over 200 enterprises and public sector organizations worldwide use Cloud Protection for Salesforce and why it is a recommended security solution by Salesforce.”
New Product Features Further Ease Salesforce Security
Cloud Protection for Salesforce works closely with Salesforce and customers to develop new mission-critical features and capabilities. New features are added every quarter. Here are some of the latest additions now available on Salesforce AppExchange:
URL Protection Within Files: Malicious links can lurk inside files, waiting to be clicked. WithSecure™ Cloud Protection for Salesforce detects and blocks malicious URLs hidden inside files uploaded to Salesforce.
QR Code Scanning: WithSecure™ Cloud Protection for Salesforce also scans URLs behind QR codes uploaded to Salesforce. QR codes pose a risk as they can lure users to access dangerous phishing sites with their mobile devices.
Shortened URL Protection: Shortened URLs are often a mask for risky content and can bypass traditional security controls. WithSecure™ Cloud Protection for Salesforce now uncovers and blocks these threats, ensuring that every link is verified, whether shortened for convenience or masking a threat.
URL Protection for Salesforce Custom Objects: URL Protection has expanded to include both Salesforce’s standard objects and custom ones. Custom objects, tailored to specific company or industry needs, are unique database tables that store organization-specific information. Now, Salesforce users can build custom workflows with enhanced security.
Presence and Demonstrations at Dreamforce 2024
Cloud Protection for Salesforce will showcase live demonstrations at Dreamforce 2024, booth 2005. Security experts and consultants will be available to discuss all matters related to Salesforce security and how Cloud Protection for Salesforce can address an enterprise’s Salesforce security requirements. Visitors can pre-book meeting times with Cloud Protection for Salesforce experts.
Additional Resources
Learn more about Cloud Protection for Salesforce, take a test drive and read user reviews on Salesforce AppExchange
Book a demo to see Cloud Protection for Salesforce live and learn how it can protect your Salesforce instance
Follow us on LinkedIn and read the Cloud Protection for Salesforce blog
In the wake of the fallout from the outage, IT teams are rapidly reevaluating their testing methodologies, incident response strategies and plans. Additionally, enterprises are rethinking the automated, manual and human oversight of code development, testing and deployment.
The CrowdStrike incident falls into the category of ‘unknown unknowns’—unexpected or unforeseeable conditions that represent a risk because they cannot be expected based on past experience or events.
A quick CrowdStrike recap: A single computer update took down computer systems across the globe
CrowdStrike is a cybersecurity company based in Austin, Texas, USA. It provides endpoint protection, threat intelligence and response services to customers of all sizes across many different industries. CrowdStrike’s core technology, the Falcon platform, stops breaches using cloud-delivered technologies that prevent malware and other attacks.
CrowdStrike has an outstanding track record and is an excellent company. Customers and competitors view CrowdStrike as an industry-leading, top-tier organization. Their impressive customer roster and global deployments underscore their success.
As part of a regular operational update on Friday, July 19, 2024, CrowdStrike pushed a configuration update for the Windows sensor to gather telemetry on possible novel threat techniques. Included in that update were changes to the Rapid Response Content, designed to respond to the changing threat landscape at operational speed. The Rapid Response Content update contained an undetected error, resulting in a Windows system crash. Detailed information about the error and the systems impacted can be found here.
The crash was not foreseen or anticipated based on prior events, nor was the resulting damage and inconvenience expected or forecast. The incident impacted at least 8.5 million Windows devices globally (though Microsoft now believes the number of devices involved was higher), causing major service disruptions across industries and geographies.
Early on during the incident, CrowdStrike took immediate action to remedy the situation, and they should be applauded for their rapid and transparent response to the crisis.
The biggest worldwide workstation shutdown
Even with their rapid response, CrowdStrike could not stop the avalanche of IT disruption that followed. WithSecure’s Chief Research Officer Mikko Hyppönen, quoted in Wired, said, “It’s the biggest case in history. We’ve never had a worldwide workstation outage like this.” According to insurer Parametrix, U.S. Fortune 500 companies, excluding Microsoft, face an estimated $5.4 billion in financial losses from the CrowdStrike event.
How can enterprises defend against “unknown unknowns” and mitigate cybersecurity vulnerabilities?
CrowdStrike has documented and made public the events that led to the incident. However, in the aftermath, enterprises everywhere are (or should be) evaluating their incident response strategies and plans, including:
Continuous, robust automated testing procedures and protocols with human and AI oversight
Incident Response strategies, plans and procedures:
Continual Learning and Adaptation
Ongoing testing and training
Securing Salesforce: Defending against the often overlooked ‘known knowns’
One lesson learned from this incident is that security teams must double down against the more obvious IT vulnerabilities and cover any existing gaps: The known-knowns.
For example, nearly every Fortune 500 organization uses Salesforce to manage customer relationships. However, many of those organizations assume that Salesforce takes ownership of all security aspects of their product offering. They do, but only up to a point.
The Shared Responsibility Model (SRM), used by most cloud providers, is used by Salesforce for securing Salesforce. This security and compliance architecture model delineates the respective cloud provider and customer responsibilities for securing the cloud environment, including hardware, infrastructure, endpoints, data, configurations, settings, operating system, network controls and access rights.
For example, Salesforce doesn’t scan incoming data for cyber threats – that’s your responsibility as the customer.
WithSecure Cloud Protection for Salesforce: Designed with and for Salesforce
WithSecure Cloud Protection for Salesforce is a native application that runs in your Salesforce environment. The app prevents malicious and disallowed content from entering your Salesforce environment via files, web links and email messages.
WithSecure Cloud Protection for Salesforce focuses on securing Salesforce to mitigate advanced cyber threats on Salesforce. It:
Provides real-time protection and instant visibility into your entire environment
Works seamlessly with your customizations and workflows
Fully complements the infrastructure security controls that Salesforce provides
WithSecure Cloud Protection for Salesforce is a highly certified solution. It meets the strict compliance requirements of modern enterprises and critical public sector organizations. Furthermore, It is an ideal choice for enhancing your Salesforce security. WithSecure Cloud Protection for Salesforce was designed for Salesforce, together with Salesforce.
While it may be impossible to defend against unknown unknowns, defending against the ‘known knowns’ and securing Salesforce is much easier. Get to know WithSecure Cloud Protection for Salesforce, or use the form below to contact our team to discuss your Salesforce security requirements.
BOOK A DEMO
Secure your Salesforce today
Tailored for high compliance sectors, our certified solution safeguards Salesforce clouds for global enterprises, including finance, healthcare, and the public sector.
Support from our experts with setup and configurations
The recent attack at CDK Global, a software-as-a-service vendor for more than 15,000 car dealerships, is a clear reminder of the ever-present threat that cybercriminals pose. And, since many in the automotive industry are also Salesforce users, Salesforce security should be top-of-mind.
What happened to customers of CDK Global?
The cyberattack began on June 19. It caused widespread disruption at about 15,000 North American auto dealers that rely on CDK’s management software. Accordingly, the potential financial impact of this attack is staggering. Some industry analysts estimate the cost could reach up to $16 billion. Further, the disruption extends to all aspects of the automotive ecosystem, including repair services, supply chain, vendor payroll services, etc. It is a sobering reminder of the collateral damage caused by such attacks.
Details on the CDK Global attack have not been officially or publicly disclosed. However, many accounts suggest the company was subject to a ransomware attack. Ransomware can be delivered in various ways, with malware or phishing attacks being the most common vector. But here is what we do know about the sequence of events:
June 18, 2024: CDK Global experienced its first ransomware attack, resulting in the encryption of critical files and systems. Dealerships across North America lost the ability to track and order new parts, schedule service, and manage inventories. Dealers also reported they could not complete sales transactions or process payrolls.
June 19, 2024: CDK Global shut down its IT systems to initiate a system recovery. Then, during recovery operations, the company experienced a second cyberattack.
June 21, 2024:Bloomberg reported that the ransomware gang BlackSuit had demanded “tens of millions of dollars” from CDK and that CDK was planning to pay up.
June 24, 2024: CDK again announced it had restarted the restoration process.
July 4, 2024: Most CDK customers were back online. Many reported huge transaction backlogs that would take weeks to resolve.
It is unclear whether BlackSuit will use or attempt to sell the customer and business data obtained during the attack.
The CDK attack is a reminder to always invest in Cybersecurity
In the wake of the CDK attack, automotive industry influencers have called on dealers to review their IT and software application infrastructure. For example, Autonews ran an opinion piece that did not mince words: The CDK attack is a wake-up call for dealers. The message in the article is clear: Dealers must now prepare for business continuity management and make cybersecurity a strong priority.
Auto and truck dealers often rely on Salesforce to help manage their customer relationships, sales and service operations, and marketing campaigns. As such, Salesforce security should be top-of-mind for every organization. While Salesforce applies advanced technologies to secure its infrastructure to protect customer data, it acknowledges that cybersecurity is a shared responsibility. Thus, customers must further strengthen the security of their Salesforce instance.
Salesforce emphasizes that customers must take charge of anti-abuse, fraud detection, and prevention measures. Salesforce doesn’t scan incoming data for cyber threats – that’s your responsibility as the user.
While we don’t know the exact vector that led to the CDL Global hack, malware and phishing often lead to ransomware attacks.
WithSecure Cloud Protection for Salesforce: Designed with and for Salesforce
WithSecure Cloud Protection for Salesforce is a Salesforce security solution designed to mitigate the risk of advanced cyber threats on Salesforce. It:
Provides real-time protection and instant visibility into your entire environment
Works seamlessly with your customizations and workflows
Fully complements the infrastructure security controls that Salesforce provides
WithSecure Cloud Protection for Salesforce is a highly certified solution. It meets the strict compliance requirements of modern enterprises and critical public sector organizations. Furthermore, It is an ideal choice for enhancing your Salesforce security. WithSecure Cloud Protection for Salesforce was designed for Salesforce, together with Salesforce. Additionally, it is used and recommended by Salesforce.
Tailored for high compliance sectors, our certified solution safeguards Salesforce clouds for global enterprises, including finance, healthcare, and the public sector.
