Phishing is not confined to email but is a pervasive threat across our digital infrastructure. Salesforce, with its extensive cloud applications and public-facing nature, is emerging as a prime target for such cyber threats. Comprehensive phishing defenses should include Salesforce as an attack vector.
Phishing attacks have evolved but so have email defenses
While 41% of cyber attacks use phishing tactics, an alarming 26% of these attacks now exploit public-facing applications (like Salesforce), according to IBM’s report. Furthermore, 16% of phishing attacks misuse valid accounts.
Email, the traditional stronghold against phishing, has long been hardened through anti-malware and anti-phishing tools combined with consistent user education, with many providers offering built-in defenses and organizations adopting phishing simulation training. These measures have significantly heightened user vigilance and reduced the click rates on malicious emails.
How Salesforce becomes the entryway for cyber criminals
Salesforce serves as a central hub for diverse interactions across Sales, Service, and Experience Clouds, presenting multiple avenues for cyber threats. Each user interaction, whether from internal or external sources, could potentially introduce malicious content. Salesforce is vulnerable to the same types of attacks that have plagued email for decades.
Internal users frequently engage in routine activities like uploading documents and sharing URLs. For example, a sales representative might attach a contract embedded with malware in Sales Cloud, or a support agent may inadvertently attach a compromised troubleshooting guide in Service Cloud. Similarly, community managers in Experience Cloud might share links that lead to malicious sites.
The risk also involves unauthenticated users such as customers or potential leads who upload attachments in support cases or via Web-to-Lead forms. These necessary business interactions, if unchecked, provide easy entry points for cybercriminals.
Furthermore, authenticated users on Experience Cloud portals often share significant project files or access collaborative spaces, unintentionally spreading malware. The integration of APIs, which connects Salesforce with external systems like ERP software or tools like Slack, adds another layer of vulnerability. Each data transfer across these connections is a potential breach point.
Salesforce security falls short of email security standards
However, the security measures guarding Salesforce have not evolved at the same pace. There are no built-in anti-virus, anti-phishing, or basic spam filters that are standard in email services. This oversight leaves an obvious hole in cybersecurity strategies.
“Salesforce, often overlooked as an attack vector, presents a significant vulnerability in too many cyber security strategies,” notes Anssi Korpilaakso, Director of Sales and Business Operations at WithSecure™. “Our product backend has registered a steady increase in malware and phishing detections on Salesforce in the recent years.”
Salesforce users typically perceive Salesforce as a trusted tool, and are less likely to anticipate or recognize a phishing attack on the platform compared to email. This sense of trust is exactly what attackers who use psychological phishing schemes exploit.
Email: lessons for multi-layered Salesforce security
As cyber criminals continue to refine their strategies and target systems beyond traditional attack vectors like email, organizations must protect every entry point, including Salesforce. Learning from the widely adopted email security measures and applying these lessons to Salesforce helps fortify your digital infrastructure against dynamic cyber threats.
To tackle phishing effectively, you must adopt a multi-layered defense strategy that goes beyond email and encompasses Salesforce, your business critical platform. Here’s how you can start:
User training: Just as with email, the first line of defense is user awareness. Training users to recognize phishing attempts in Salesforce is crucial, as the platform’s familiar and trusted environment may lower their guard against suspicious activities. Although user education is important, you should not expect your Salesforce users to act as phishing detectives.
Integrate real-time threat protection: Given the lack of built-in anti-phishing and anti-malware features in Salesforce, integrating advanced security solutions that can provide real-time threat protection is essential. Solutions like WithSecure™ Cloud Protection for Salesforce offer tailored security measures that fit seamlessly into Salesforce, enhancing security without disrupting user experience.
What to consider when choosing the solution
When selecting a threat protection solution for Salesforce, you should prioritize efficiency, comprehensive coverage, and advanced detection capabilities that match today’s sophisticated cyber threats. Considerations for calculated decision-making:
Prioritize solutions that add minimal complexity and avoid vulnerable integrations, focusing on native, straightforward security layers.
Choose solutions that protect not only internal users but also mitigate the risk of malware spreading to customers and partners interacting with Salesforce by scanning uploads and downloads across various user types.
Consider the evolving nature of threats, such as documents that contain latent phishing links, which may turn malicious after being uploaded to Salesforce, and after the initial scan at the point of upload. Opt for solutions that provide real-time protection, scanning content like files and URLs during all user interactions, not just at the point of upload.
Ensure the solution offers real-time scanning and advanced behavioral analysis to detect embedded malware in seemingly benign documents, moving beyond traditional signature-based methods.
Select solutions that encompass all Salesforce entry points, including custom objects in addition to standard objects, to ensure comprehensive coverage.
Look for deep detection capabilities that can scan for malicious phishing links not only in text and emails but also within files, detect phishing links hidden behind QR codes, and identify zero-day malware in files as well as known threats.
WithSecure™ Cloud Protection for Salesforce eliminates risk of human error in real-time
Robust security measures equivalent to enterprise-grade email security help you experience the full potential of Salesforce without hidden risks. WithSecure™ delivers an advanced antivirus and antiphishing solution tailored uniquely for Salesforce. Developed in collaboration with Salesforce, WithSecure™ Cloud Protection for Salesforce meets the stringent requirements of highly regulated industries and government entities. You get real-time defenses against malware, ransomware, viruses, and phishing attacks, along with full security visibility for threat hunting and incident response. Multi-layer scanning ensures that every entry and touchpoint – from the Sales Cloud negotiations to Service Cloud interactions and Experience Cloud engagements – is covered.
Native integration ensures rapid deployment and comprehensive security without disrupting your existing Salesforce workflows.
Don’t let human error become your vulnerability in Salesforce security – especially when there are straightforward technologies to mitigate the risk. Whenever you are ready to take the next step, our team is ready to guide you in your Salesforce security.
BOOK A DEMO
Secure your Salesforce today
Tailored for high compliance sectors, our certified solution safeguards Salesforce clouds for global enterprises, including finance, healthcare, and the public sector.
Support from our experts with setup and configurations
Parking scams using fraudulent QR codes have been wreaking havoc in popular tourist cities across Europe and North America recently. Have you ever considered that malicious QR codes could infiltrate your Salesforce? Read on to learn what QR code attacks look like, why Salesforce is an attractive target for them, and how you can stop them.
The rise of quishing
It’s not long since Police Service of Northern Ireland (PSNI) Cyber Crime Centre, posted a notice about malicious QR codes in phishing attacks. Quishing, or QR code phishing, involves the deceptive use of QR codes to lure unsuspecting individuals into visiting malicious websites. There they are tricked to reveal personal credentials, or unknowingly download malware. QR codes are used for everything from restaurant menus to ticket validations. At the the same time, cybercriminals have found ample opportunities for exploitation. Distinguishing between legitimate and fraudulent QR codes is difficult for human eyes. Fortunately, there are preventive security technologies – now also for Salesforce.
Examples of quishing attacks in the wild
A typical quishing email might mimic an official communication from a known corporation. It can for example urge the recipient to scan a QR code to handle something urgent, like reset a password or verify an account.
Another method involves embedding a QR code inside a seemingly innocent message related to work processes like payroll or security updates. One of the recent examples targeted a major energy company in the US with a campaign that imitated a Microsoft security notification.
On the other hand, scammers have also found ways to abuse QR codes scams in public spaces. Such example is the recent QR parking scam in popular tourist cities across UK. The scam involves malicious QR codes, often placed on parking meters, that direct users to phishing websites. Unsuspecting victims enter personal information, including payment details, under the guise of paying for parking. As a result, they potentially face double trouble with both financial fraud and a parking ticket.
10,000 victims have already fallen for the said parking scam in a matter of two months. Therat actors have launched similar campaigns across Europe, United states and Canada. These scams often target tourists who are not familiar with the local parking apps, thus easier to deceive.
The quishing attack kill-chain
In the digital world, quishing typically begins with a QR code sent via email or text. The recipient then scans the code with a mobile device. The victim is then redirected to a harmful site.
The phishing site typically mimics a legitimate business resource, login page, or document portal. The page then prompts the employee to enter their credentials or download a file.
By entering their credentials, employees inadvertently provide attackers with access to their corporate accounts. Attackers can use the credentials to harvest sensitive information or launch an attack within the organization.
The process capitalizes on the established trust in QR codes. QR codes are handy to roll out covert operations. Quishing attacks are often harder to detect than traditional phishing attacks, or ones with the malicious link plainly imbedded in the message text. As these codes simply appear as nondescript, benign images, they bypass usual text-based URL scans implemented by most email and collaboration security systems.
QR code phishing tactics:
Integration in familiar platforms: Quishing often uses popular platforms to reach a broad audience, and to exploit trusted services and brand names to increase the success rate of attacks.
Sophistication in execution: By embedding malicous QR codes within messages, attackers can bypass conventional security measures which might not scan URLs embedded in images.
The psychological play: The decision to scan a QR code often happens impulsively, thanks to the established norm of their use in safe contexts. This impulsivity is what quishers count on, reducing the victim’s likelihood of pausing to consider the potential dangers.
What makes QR code phishing especially tricky on Salesforce
All in all, malicious QR codes pose a significant threat to enterprises, and when delivered through platforms like Salesforce, they can be particularly effective and damaging. Here’s why Salesforce is a lucrative vector for such attacks, and why you should secure your platform without delay:
High trust environment
Users view Salesforce as a trusted platform for daily tasks in sales management, and customer support. Employees are less vigilant about scrutinizing communications received through this platform, assuming a baseline level of security and trust. This trust can make QR codes sent through Salesforce particularly effective as employees may be quicker to scan them without suspicion. The scam itself could even leverage Salesforce’s brand identity. QR codes also employ common and seemingly harmless image types, decreasing suspicions.
Widespread use in organizations
Especially large enterprises use Salefsorce widely, which provides a broad attack surface. Malicious QR codes distributed through Salesforce can potentially reach a large number of users quickly, making it the attackers dream.
Mobile device engagement
Salesforce is frequently accessed via mobile devices, which aligns well with the nature of QR code scanning. Mobile devices are often less secure than desktops, with users typically having weaker security controls and being more prone to overlook security prompts when they are on the move. If bring-your-own-device (BYOD) is allowed, the mobile device may be a personal unmanaged device, with even weaker security measures in place.
No antiphishing blocking the way
While Salesforce offers robust security features, there are no antiphishing capabilities by default. There likely is no layer of protection in the Salesforce environment to detect or prevent the distribution of malicious QR codes, opening a pathway for the attackers.
You need more than awareness to prevent Salesforce QR code quishing
While educating users about the potential threats of randomly scanning QR codes is without a doubt important, true prevention requires a multifaceted approach:
Advanced threat protection: You should implement antiphishing security solutions that can recognize and examine QR codes within Salesforce uploads, analyzing the linked URLs for malicious content before they reach end users.
Regular security audits: Incorporating QR code-based phishing into routine security audits and risk assessments helps identify and remediate security gaps. Make sure to ensure that Salesforce is covered thoroughly in security audits.
Limit access privileges: Although Salesforce has enforced multi-factor authentication for MFA for internal users, it’s wise to limit access rights to what a user’s role requires, and follow the least privilege approach.
Update software and configurations: Ensure all integrations are updated with the latest security patches, and verify that your antiphishing scanning solution is properly configured to detect malicious QR codes.
Limit use of BYOD: Some of the biggest vulnerabilities lie when employees use personal devices outside corporate security measures to access phishing sites that harvest account credentials.
Educate Salesforce users: Continuously educate users about the risks associated with QR codes, emphasizing the need for vigilance even when using trusted platforms like Salesforce.
Block malicious QR codes on Salesforce automatically
You need a blend of vigilance and advanced security solutions to prevent covert phishing tactics like quishing. Luckily you can protect your data and Salesforce users from these hidden scams behind simple scans. WithSecure™ Cloud Protection for Salesforce scans malicious URLs in Salesforce text fields, behind QR codes and within uploaded documents. Our AntiQuishing feature was built as a response to a real-life phishing attack that our enterprise customer faced, where Salesforce was the target of malicious QR codes.
Protect your Salesforce environment against advanced ransomware and phishing attacks in real-time. Natively integrated WithSecure™ Cloud Protection for Salesforce is up and running in minutes.
Tailored for high compliance sectors, our certified solution safeguards Salesforce clouds for global enterprises, including finance, healthcare, and the public sector.
Support from our experts with setup and configurations
This time our threat landscape focus is on ransomware and its implications for cloud services, specifically Salesforce. With attackers increasingly targeting cloud services and public-facing apps, and a 366% increase in malicious file detections on Salesforce in Q2 2024 compared to Q2 2023, ransomware is not a threat to be taken lightly in any Salesforce security strategy.
Cyber threat landscape shifts toward cloud and SaaS exploitation
Cyber threat landscape is seeing an increased focus on the cloud. Attackers have recently leveraged legitimate file transfer and cloud services to facilitate their operations more and more. These services offer a low-key and cost-effective infrastructure which tends not to trigger security alerts as some more traditional methods might.
Symantec’s Threat Hunter Team has recently identified three new espionage operations utilizing cloud services and has uncovered additional malicious tools in development:
GoGra (Trojan.Gogra): Targets a South Asian media organization using Microsoft’s Graph API for C&C communications via email, encrypting messages with AES-256. Developed in Go, active since November 2023.
Firefly Tool: Used by the Firefly group to exfiltrate data from a Southeast Asian military organization. It searches for and uploads .jpg files (actually encrypted RARs) from System32, using Google Drive.
Trojan.Grager: Targets entities in Taiwan, Hong Kong, and Vietnam, using Microsoft’s Graph API via OneDrive for C&C. Distributed through a Trojanized 7-Zip installer, linked to the UNC5330 group.
MoonTag: A developing backdoor associated with a Chinese-speaking actor, noted for its use of the Graph API and discussed in a Google Group.
Salesforce and SaaS applications are targets of UNC3944 threat group
Salesforce and SaaS are becoming more prevalent in the threat landscape. Google Threat Intelligence has observed the activities of UNC3944, a financially motivated threat group that has been active since at least May 2022, and has recently targeted SaaS applications. Initially focused on credential harvesting and SIM swapping, UNC3944 has since shifted to primarily conducting data theft extortion, expanding their target industries and utilizing fearmongering tactics for access. They’ve adapted their methods to include theft from SaaS applications to attacker-owned cloud storage and have employed various advanced techniques to facilitate their attacks.
UNC3944 accessed Salesforce among other SaaS applications using stolen credentials facilitated by single sign-on systems. They conducted reconnaissance within these platforms, likely targeting data for exfiltration, and using third-party cloud synchronization tools like Airbyte and Fivetran to transfer data to external cloud storage.
Key Tactics, Techniques, and Procedures (TTPs) of UNC3944:
Social engineering: They have successfully manipulated corporate help desks using victims’ personal information to gain access to privileged accounts and bypass multi-factor authentication (MFA).
Abuse of SaaS permissions: UNC3944 exploited permissions in applications like Okta to broaden their access within targets’ systems, encompassing both on-premises infrastructure and cloud-based applications.
Virtual machine compromise: The group has created new virtual machines using administrative privileges obtained through SSO applications, using them for subsequent malicious activities and to bypass traditional security controls.
The use of cloud services by attackers is becoming a preferred method for maintaining stealth and managing cost-effective operations. The attackers are learning from each other, adopting successful techniques across various espionage and cybercriminal groups. Extensive coverage of cloud and SaaS environments in security strategies has never been more critical.
Disney moves away from Slack after a data breach of 1 TB – likely caused by a human error
In a major data breach, Disney experienced a significant compromise of corporate data, possibly due to vulnerabilities on an employee’s personal gaming computer. This breach led to the downloading of over 1TB of data through Slack, which resulted in the suspension of the platform for internal communications.
Our team doesn’t have the forensics data of the case, but some experts claim that the breach was not a direct result of flaws in Disney’s or Slack’s systems. Instead, it allegedly occurred because an employee inadvertently installed a malware-infected game modification. This malware, an Information Stealer, captured credentials and accessed Slack, where it exploited the employee’s compromised computer. The lack of Multi-Factor Authentication (MFA) on the password vault allowed attackers to access vast amounts of sensitive data easily.
Some experts suspect that the attackers were helped by an insider, and others that the breach was a result of a general lack of defensive mechanisms at Disney’s end.
A teenager leveraged Slack and stole details about unreleased GTA 6 from the gaming company Rockstar in 2022. The attacker was sentenced to life.
In 2023, another threat actor exploited access to Slack channels to initiate a malware attack on MGM Resorts, a major global casino and resort.
Almost half of ServiceNow KB instances leak sensitive data
A study by AppOmni revealed that over the past year nearly 45% of ServiceNow Knowledge Base (KB) instances were leaking sensitive data, including personal identifiers, internal system details, and live system credentials. The culprit of these breaches were outdated or misconfigured access controls. This is possibly due to widespread misunderstanding of KB access controls or replicating misconfigurations across instances.
Despite ServiceNow’s 2023 security updates aimed at restricting unauthenticated data access, many of these updates were ineffective for KBs, which often contain highly sensitive internal data. The company has responded by collaborating with customers so that KB access control misconfigurations are fixed.
The disruption has led to a sharp decrease in the number of victims, with reported cases falling to single digits. Despite these setbacks, there have been notable attempts to revamp their operations. For example. they have made experimental changes to their data leak sites (DLS) and updates to their DDoS protections. These maneuvers suggest a strategic recalibration aimed at evading detection and sustaining their criminal activities.
Despite significant law enforcement interventions, the Lockbit group’s ability to adapt and attempt to rebuild its infrastructure is indicative of the resilience and persistence of modern ransomware operations. These groups are quick to learn from interventions, often emerging more sophisticated and harder to combat.
Ransomware-as-a-Service is the business model of cyber crime in 2024
The disruption on major ransomware groups has led to a reshuffling of ransomware affiliates, gravitating towards established Ransomware-as-a-Service (RaaS) networks. RaaS is a subscription-based model that enables affiliates to use pre-developed ransomware tools to execute cyberattacks. Similar to software-as-a-service (SaaS) offerings, RaaS providers offer their malicious software on a rental or commission basis, providing updates and support.
All in all, the professionalization of ransomware operations through RaaS models presents new challenges for cybersecurity defenses. These models facilitate a lower barrier to entry for inexperienced cybercriminals and enable rapid scaling of operations. The attraction of RaaS platforms has flooded in new ransomware variants, correspondingly calling for layered defense strategies.
New threats on the block: new groups form as old dismantle
Our research team has also witnessed the rise of new players such as Cicada3301, SenSayQ, and WikiLeaksV2. Each group has demonstrated distinct patterns of targeting and victimology, such as targeting financial software companies and leaking sensitive health sector data. With this in mind, these emerging groups underscore the dynamic nature of the ransomware ecosystem. They continually evolve with new tactics and targets.
The group dynamics are in a constant flux. For example, from the total number of 67 operational ransomware groups our research team has tracked in 2023, 31 have not been operational in Q2 2024. Our team has seen 31 new ransomware groups in 2024. It’s unlikely that many, if any of these projects will survive.
RansomHub’s fast advancement and aggressive affiliate strategy
RansomHub, a new extortion platform operational since early 2024 and believed to be based in Russia, has quickly established itself by offering lucrative terms to affiliates, significantly impacting the ransomware affiliate market. RansomHub is disrupting the RaaS field by letting affiliates accept payment from the victims directly, before sending their share to the RansomHub. What’s more, by allowing affiliates to keep a major portion of the ransom and only taking a small commission, RansomHub has managed to attract experienced groups like ScatteredSpider and members of Lockbit.
RansomHub’s operational capacity, threat level and the number of victims have consequently increased. According to our research team, RansomHub is in fact currently the most active platform observed in the field. In the same fashion, ZeroFox accounts the platform to be responsible for 14.2 % of all cyber attacks in Q3 2024. The majority of victims are in North America (39.4%) and Europe (34.3%). Victims are across diverse sectors, for example manufacturing, retail, healthcare, technology.
At the same time, CISA, along with the FBI, MS-ISAC, and HHS, issued a joint Cybersecurity Advisory on RansomHub Ransomware. This advisory offers network defenders key details such as indicators of compromise (IOCs), tactics, techniques and procedures (TTPs) tied to RansomHub, drawing on findings from recent FBI investigations and third-party reports.
RansomHub has been using sophisticated EDR-killing executable tooling. It disables endpoint detection and response (EDR) software and gains escalated privileges on compromised devices, while designed to bypass several common anti-malware tools. The malware has been found in many formats such as EXEs and PowerShell scripts.
Real-life impacts of ransomware fallouts
Financially driven ransomware attacks can have notoriously severe impacts on victims. Overall, our research team has found that ransom payments and incidents remain higher in the first half of 2024 compared to previous years.
Dark Angels behind a record ransom payment
In early 2024, Zscaler and Chainalysis detected a monumental ransom payment of $75 million directed to a cryptocurrency wallet managed by the Dark Angels ransomware group. The identification of the victim was not disclosed as per standard reporting practices, but it is strongly suggested that the payor was Cencora, a Fortune 50 pharmaceutical company. Why so? Cencora publicly acknowledged a ransomware attack and data theft in February 2024, making them a probable candidate. The company, valued at $10 billion with annual revenues reaching $262 billion in 2023, found the payment necessary to restore operations and prevent further data leaks.
Further investigations reveal that the attack’s ramifications extended beyond Cencora. The company, along with at least two of its subsidiaries, reported stolen data to regulators, implicating a broader network of affected entities. In May, additional disclosures indicated that the data breach had impacted numerous major pharmaceutical companies including Pfizer, Bayer and Novartis, among others. These partners also experienced breaches connected to Cencora’s compromised systems, specifically through the Lash group subsidiary.
The sizable ransom from this single incident highlights Dank Angels’ impact. The strategy employed by Dark Angels suggests a focus on high-value targets – often termed “big game hunting” – which involves fewer, highly profitable attacks rather than numerous smaller-scale ones. It’s difficult to say whether Dark Angels have an intentional strategy of big game hunting, or if they just got lucky.
There were no major outages or operational disruptions reported (at least so far). However, the widespread effects of this attack, involving a network of companies with a combined revenue in the trillions, illustrate the extensive potential for damage and disruption caused by ransomware operations targeting major players in critical industries.
Japanese media giant’s market value plummets in the ransomware attack aftermath
Another example, the ransomware strike on Japanese media company Kadokawa Corporation served as a stark reminder of the broad and enduring impacts such attacks can have on businesses. The assault not only disrupted daily operations but also inflicted severe financial and reputational damage. Prior to the attack in early June, Kadokawa’s market value stood at approximately JP¥465 billion (USD$3 billion). Following the incident, its share price plummeted by 15%. Subsequently, this erased JP¥70 billion (USD$500 million) from its market capitalization. This significant drop in share price, which appears solely attributed to the ransomware attack, underscores the high stakes of cybersecurity in protecting not just operational capabilities but also financial stability and public perception.
Public health at stake
The National Health Laboratory Service (NHLS) of South Africa suffered a ransomware attack on June 22nd. The attack continued to disrupt services into July. This attack has been particularly critical as it hindered access to laboratory test results amid an outbreak of mpox disease. This incident demonstrates how significantly ransomware impacts public health and safety of citizens globally.
To pay or not to pay
Ransomware groups often aim to build trust with victims by promising data recovery upon ransom payment, giving false hopes that this will restore normal operations. Ransomware operators often brand themselves as ‘pentesters’ with the intention to appear professional and reassure victims about data deletion and decryption.
Despite this, the majority of organizations paying ransoms suffer subsequent attacks, often facing even higher demands than before. Cybereason reaserch claims that percentage of victims facing a second attack is as high as 78%.
Ransomware operators are unreliable and their assurances of not targeting victims again should not be trusted. Therefore, paying a ransom based on trust in these actors is not advisable. Acknowledging research that quantifies the deceitfulness of ransomware actors is crucial, as it together with prohibiting legislation significantly influences the ransomware landscape.
Salesforce security implications of the current threat landscape
The emergence of new ransomware groups and the evolving tactics suggest that Salesforce environments are likely to be increasingly targeted as an alternative to traditional and easier to detect vectors. In fact, we’ve detected a 366% increase in malicious files on Salesforce in Q2 2024 compared to Q2 2023.
For Salesforce, it’s important to stay vigilant against ransomware campaigns that leverage Salesforce as a channel for malware delivery or social engineering tactics to lure users to phishing sites. Besides human errors, novel campaigns can target vulnerabilities in cloud environments or through third-party integrations.
Salesforce security recommendations simply put
Constantly transforming threats require a layered and proactive approach to cybersecurity. No silver bullets. Because of that, we’ve compiled a comprehensive list of Salesforce security recommendations in light of recent cyber crime developments:
Auditing: Activate comprehensive auditing that covers cloud environments including Salesforce to identify and patch security gaps.
AntiVirus: Threat protection such as WithSecure™ Cloud Protection for Salesforce solutions at the entry-point such as Salesforce together with endpoint security will block the majority of file-based ransomware threats. Make sure that the solution has up-to-date threat intelligence source.
Employee training and awareness: Social engineering remains a significant threat vector. Training Salesforce users to recognize phishing attempts and other social engineering tactics is critical.
AntiPhishing: By implementing an antiphishing solution on Salesforce level, you can automatically stop phishing attacks. It’s important to go beyond traditional attack vectors like email.
Strengthened access controls: Enforce strict conditional access to mitigate credential compromise. Salesforce environments should adopt the principle of least privilege. Routinely audit permissions.
Third-party risk management: As Salesforce often integrates with numerous third-party applications, ensuring these connections are secure is essential to prevent ransomware spread or data leaks. You should choose security tools based on integration simplicity, preferring native solutions.
Data management policies: The revelation that Lockbit held onto data it claimed to have deleted is a crucial reminder of the risks involved in data handling and storage. You should implement robust data encryption, regular audits, and follow strict data handling and deletion protocols to minimize potential damage.
Limit BYOD: The breach of Disney’s Slack data resulted from a malware infection on an employee’s personal device – a reminder to limit allowing personal devices into corporate systems.
Extortion preparation and response: You should include Salesforce in incident response strategies. This means close collaboration between security and Salesforce teams, having secure and tested Salesforce backups and a clear communication plan for dealing with ransom demands.
Tailored for high compliance sectors, our certified solution safeguards Salesforce clouds for global enterprises, including finance, healthcare, and the public sector.
Support from our experts with setup and configurations
With Dreamforce 2024 upon us, WithSecure™ Cloud Protection for Salesforce is excited to announce customer and product milestones that underscore how we have become the leading trusted and natively integrated solution for securing Salesforce. We would not have achieved these milestones without the support of our customers and partners and, of course, Salesforce. And, speaking of Dreamforce, the Cloud Protection for Salesforce team will be at Booth 2005 to answer your Salesforce security questions regarding malware, ransomware, and other threats to your Salesforce instance.
Leading Brands Trust Cloud Protection for Salesforce
Joining the ranks of companies like Coca-Cola Bottlers, Southern Glazers and SiriusXM, Cloud Protection for Salesforce added 44 new customers in the first six months of 2024. “Even in this tough economic climate, Cloud Protection for Salesforce has delivered unmatched security and compliance protection for enterprise and public sector organizations,” said Lance Jacobs, Vice President of Cloud Protection for Salesforce. “Our customer growth reflects the surging popularity of the Salesforce platform as a core enterprise solution that is increasingly the target of nefarious threat actors. That is why an easy-to-deploy, easy-to-use security solution to defend from malware, phishing and ransomware attacks is in high demand.”
Learn more about Cloud Protection for Salesforce
“By using WithSecure for Cloud Protection, customers can satisfy their security obligations as defined by the Shared Responsibility Model,” said Juhana Autio, General Manager of Cloud Protection for Salesforce. “Our natively-integrated application stops cyber threats like ransomware and phishing in real-time. We scan Salesforce’s incoming and outgoing data for cyber threats, such as files and URLs. The WithSecure for Cloud Protection solution is up and operating in minutes, leaves customers’ customizations untouched, and keeps Salesforce running undisrupted. That is why over 200 enterprises and public sector organizations worldwide use Cloud Protection for Salesforce and why it is a recommended security solution by Salesforce.”
New Product Features Further Ease Salesforce Security
Cloud Protection for Salesforce works closely with Salesforce and customers to develop new mission-critical features and capabilities. New features are added every quarter. Here are some of the latest additions now available on Salesforce AppExchange:
URL Protection Within Files: Malicious links can lurk inside files, waiting to be clicked. WithSecure™ Cloud Protection for Salesforce detects and blocks malicious URLs hidden inside files uploaded to Salesforce.
QR Code Scanning: WithSecure™ Cloud Protection for Salesforce also scans URLs behind QR codes uploaded to Salesforce. QR codes pose a risk as they can lure users to access dangerous phishing sites with their mobile devices.
Shortened URL Protection: Shortened URLs are often a mask for risky content and can bypass traditional security controls. WithSecure™ Cloud Protection for Salesforce now uncovers and blocks these threats, ensuring that every link is verified, whether shortened for convenience or masking a threat.
URL Protection for Salesforce Custom Objects: URL Protection has expanded to include both Salesforce’s standard objects and custom ones. Custom objects, tailored to specific company or industry needs, are unique database tables that store organization-specific information. Now, Salesforce users can build custom workflows with enhanced security.
Presence and Demonstrations at Dreamforce 2024
Cloud Protection for Salesforce will showcase live demonstrations at Dreamforce 2024, booth 2005. Security experts and consultants will be available to discuss all matters related to Salesforce security and how Cloud Protection for Salesforce can address an enterprise’s Salesforce security requirements. Visitors can pre-book meeting times with Cloud Protection for Salesforce experts.
Additional Resources
Learn more about Cloud Protection for Salesforce, take a test drive and read user reviews on Salesforce AppExchange
Book a demo to see Cloud Protection for Salesforce live and learn how it can protect your Salesforce instance
Follow us on LinkedIn and read the Cloud Protection for Salesforce blog
In the wake of the fallout from the outage, IT teams are rapidly reevaluating their testing methodologies, incident response strategies and plans. Additionally, enterprises are rethinking the automated, manual and human oversight of code development, testing and deployment.
The CrowdStrike incident falls into the category of ‘unknown unknowns’—unexpected or unforeseeable conditions that represent a risk because they cannot be expected based on past experience or events.
A quick CrowdStrike recap: A single computer update took down computer systems across the globe
CrowdStrike is a cybersecurity company based in Austin, Texas, USA. It provides endpoint protection, threat intelligence and response services to customers of all sizes across many different industries. CrowdStrike’s core technology, the Falcon platform, stops breaches using cloud-delivered technologies that prevent malware and other attacks.
CrowdStrike has an outstanding track record and is an excellent company. Customers and competitors view CrowdStrike as an industry-leading, top-tier organization. Their impressive customer roster and global deployments underscore their success.
As part of a regular operational update on Friday, July 19, 2024, CrowdStrike pushed a configuration update for the Windows sensor to gather telemetry on possible novel threat techniques. Included in that update were changes to the Rapid Response Content, designed to respond to the changing threat landscape at operational speed. The Rapid Response Content update contained an undetected error, resulting in a Windows system crash. Detailed information about the error and the systems impacted can be found here.
The crash was not foreseen or anticipated based on prior events, nor was the resulting damage and inconvenience expected or forecast. The incident impacted at least 8.5 million Windows devices globally (though Microsoft now believes the number of devices involved was higher), causing major service disruptions across industries and geographies.
Early on during the incident, CrowdStrike took immediate action to remedy the situation, and they should be applauded for their rapid and transparent response to the crisis.
The biggest worldwide workstation shutdown
Even with their rapid response, CrowdStrike could not stop the avalanche of IT disruption that followed. WithSecure’s Chief Research Officer Mikko Hyppönen, quoted in Wired, said, “It’s the biggest case in history. We’ve never had a worldwide workstation outage like this.” According to insurer Parametrix, U.S. Fortune 500 companies, excluding Microsoft, face an estimated $5.4 billion in financial losses from the CrowdStrike event.
How can enterprises defend against “unknown unknowns” and mitigate cybersecurity vulnerabilities?
CrowdStrike has documented and made public the events that led to the incident. However, in the aftermath, enterprises everywhere are (or should be) evaluating their incident response strategies and plans, including:
Continuous, robust automated testing procedures and protocols with human and AI oversight
Incident Response strategies, plans and procedures:
Continual Learning and Adaptation
Ongoing testing and training
Securing Salesforce: Defending against the often overlooked ‘known knowns’
One lesson learned from this incident is that security teams must double down against the more obvious IT vulnerabilities and cover any existing gaps: The known-knowns.
For example, nearly every Fortune 500 organization uses Salesforce to manage customer relationships. However, many of those organizations assume that Salesforce takes ownership of all security aspects of their product offering. They do, but only up to a point.
The Shared Responsibility Model (SRM), used by most cloud providers, is used by Salesforce for securing Salesforce. This security and compliance architecture model delineates the respective cloud provider and customer responsibilities for securing the cloud environment, including hardware, infrastructure, endpoints, data, configurations, settings, operating system, network controls and access rights.
For example, Salesforce doesn’t scan incoming data for cyber threats – that’s your responsibility as the customer.
WithSecure Cloud Protection for Salesforce: Designed with and for Salesforce
WithSecure Cloud Protection for Salesforce is a native application that runs in your Salesforce environment. The app prevents malicious and disallowed content from entering your Salesforce environment via files, web links and email messages.
WithSecure Cloud Protection for Salesforce focuses on securing Salesforce to mitigate advanced cyber threats on Salesforce. It:
Provides real-time protection and instant visibility into your entire environment
Works seamlessly with your customizations and workflows
Fully complements the infrastructure security controls that Salesforce provides
WithSecure Cloud Protection for Salesforce is a highly certified solution. It meets the strict compliance requirements of modern enterprises and critical public sector organizations. Furthermore, It is an ideal choice for enhancing your Salesforce security. WithSecure Cloud Protection for Salesforce was designed for Salesforce, together with Salesforce.
While it may be impossible to defend against unknown unknowns, defending against the ‘known knowns’ and securing Salesforce is much easier. Get to know WithSecure Cloud Protection for Salesforce, or use the form below to contact our team to discuss your Salesforce security requirements.
BOOK A DEMO
Secure your Salesforce today
Tailored for high compliance sectors, our certified solution safeguards Salesforce clouds for global enterprises, including finance, healthcare, and the public sector.
Support from our experts with setup and configurations
The recent attack at CDK Global, a software-as-a-service vendor for more than 15,000 car dealerships, is a clear reminder of the ever-present threat that cybercriminals pose. And, since many in the automotive industry are also Salesforce users, Salesforce security should be top-of-mind.
What happened to customers of CDK Global?
The cyberattack began on June 19. It caused widespread disruption at about 15,000 North American auto dealers that rely on CDK’s management software. Accordingly, the potential financial impact of this attack is staggering. Some industry analysts estimate the cost could reach up to $16 billion. Further, the disruption extends to all aspects of the automotive ecosystem, including repair services, supply chain, vendor payroll services, etc. It is a sobering reminder of the collateral damage caused by such attacks.
Details on the CDK Global attack have not been officially or publicly disclosed. However, many accounts suggest the company was subject to a ransomware attack. Ransomware can be delivered in various ways, with malware or phishing attacks being the most common vector. But here is what we do know about the sequence of events:
June 18, 2024: CDK Global experienced its first ransomware attack, resulting in the encryption of critical files and systems. Dealerships across North America lost the ability to track and order new parts, schedule service, and manage inventories. Dealers also reported they could not complete sales transactions or process payrolls.
June 19, 2024: CDK Global shut down its IT systems to initiate a system recovery. Then, during recovery operations, the company experienced a second cyberattack.
June 21, 2024:Bloomberg reported that the ransomware gang BlackSuit had demanded “tens of millions of dollars” from CDK and that CDK was planning to pay up.
June 24, 2024: CDK again announced it had restarted the restoration process.
July 4, 2024: Most CDK customers were back online. Many reported huge transaction backlogs that would take weeks to resolve.
It is unclear whether BlackSuit will use or attempt to sell the customer and business data obtained during the attack.
The CDK attack is a reminder to always invest in Cybersecurity
In the wake of the CDK attack, automotive industry influencers have called on dealers to review their IT and software application infrastructure. For example, Autonews ran an opinion piece that did not mince words: The CDK attack is a wake-up call for dealers. The message in the article is clear: Dealers must now prepare for business continuity management and make cybersecurity a strong priority.
Auto and truck dealers often rely on Salesforce to help manage their customer relationships, sales and service operations, and marketing campaigns. As such, Salesforce security should be top-of-mind for every organization. While Salesforce applies advanced technologies to secure its infrastructure to protect customer data, it acknowledges that cybersecurity is a shared responsibility. Thus, customers must further strengthen the security of their Salesforce instance.
Salesforce emphasizes that customers must take charge of anti-abuse, fraud detection, and prevention measures. Salesforce doesn’t scan incoming data for cyber threats – that’s your responsibility as the user.
While we don’t know the exact vector that led to the CDL Global hack, malware and phishing often lead to ransomware attacks.
WithSecure Cloud Protection for Salesforce: Designed with and for Salesforce
WithSecure Cloud Protection for Salesforce is a Salesforce security solution designed to mitigate the risk of advanced cyber threats on Salesforce. It:
Provides real-time protection and instant visibility into your entire environment
Works seamlessly with your customizations and workflows
Fully complements the infrastructure security controls that Salesforce provides
WithSecure Cloud Protection for Salesforce is a highly certified solution. It meets the strict compliance requirements of modern enterprises and critical public sector organizations. Furthermore, It is an ideal choice for enhancing your Salesforce security. WithSecure Cloud Protection for Salesforce was designed for Salesforce, together with Salesforce. Additionally, it is used and recommended by Salesforce.
Tailored for high compliance sectors, our certified solution safeguards Salesforce clouds for global enterprises, including finance, healthcare, and the public sector.