Computest Security's Incident Response Team has flagged a spike in cybercriminals abusing weaknesses in the configuration of Salesforce systems. These weaknesses give criminals access to the application and, with it, potentially to large amounts of sensitive data, so companies that use these systems are at serious risk of a data breach. Those organisations are advised to check and adjust their settings as soon as possible and to follow the security enhancements recommended by Salesforce.
The attackers start from stolen login credentials, obtained through malware installed on victims' devices or through phishing. With those credentials they access the data via a standard Salesforce component, the DataloaderPartnerUI, which lets users reach the APIs without multi-factor authentication being required. The same convenience makes relatively easy, large-scale data theft from the systems possible. Computest Security's Incident Response Team says it is notable that this is a default setting in Salesforce applications.
IP range setting also causes data vulnerability
Besides the lack of multi-factor authentication, it has been observed that in several Salesforce tenants the trusted IP range setting is too permissive and covers every IPv4 address (0.0.0.0 - 255.255.255.255). Logins from a trusted IP range are exempt from Salesforce's additional identity verification, so a range this broad means anyone with compromised login data can log in from anywhere and extract data.
‘We clearly see that the modus operandi of cybercriminals to get data from organisations has changed,’ says Daan Keuper, security expert and ethical hacker at Computest Security. ‘Improved endpoint security has shifted the focus to exploiting vulnerabilities in other components such as, in this case, apps. I expect we will see this more and more. This makes it imperative to pay serious attention to security both at configuration and during operation of the systems and to continuously monitor to protect the data of the organisation and all stakeholders.’
Advice for strengthening security
To strengthen security, Computest Security advises organisations to check and limit their trusted IP range settings to the address space they actually use, and to enforce multi-factor authentication for API logins (the path the DataloaderPartnerUI uses) and not only for interactive browser logins. Further information on how to improve security against these weaknesses can be found on the Salesforce blog.
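The following is an added example, not code from Computest Security or Salesforce, that shows how the trusted IP range check recommended above can be made mechanical. It takes the ranges as start/end pairs, the way they are entered in Salesforce Setup, and flags any entry that covers the whole IPv4 space (the 0.0.0.0 - 255.255.255.255 setting described above) or is larger than a configurable size. The size threshold, the sample ranges (RFC 5737 documentation blocks) and the "tightened" configuration are assumptions constructed for illustration, not real tenant settings.

```python
"""Audit trusted IP ranges (start/end pairs) for over-permissive entries.

Added example; not Computest's or Salesforce's code. The threshold and the
sample configurations below are assumptions chosen for illustration.
"""
import ipaddress
from typing import Iterable, List, Tuple

IPV4_TOTAL = 2 ** 32

# Assumption: a single trusted range larger than a /16 (65 536 addresses) is
# rarely one organisation's own egress space and deserves a manual look.
DEFAULT_MAX_ADDRESSES = 2 ** 16


def parse_range(start: str, end: str) -> List[ipaddress.IPv4Network]:
    """Turn a start/end pair into the CIDR blocks it spans."""
    first = ipaddress.IPv4Address(start)
    last = ipaddress.IPv4Address(end)
    if last < first:
        raise ValueError(f"range end {end} precedes start {start}")
    return list(ipaddress.summarize_address_range(first, last))


def range_size(start: str, end: str) -> int:
    """Number of addresses in one start/end range."""
    return sum(net.num_addresses for net in parse_range(start, end))


def covered_addresses(ranges: Iterable[Tuple[str, str]]) -> int:
    """Distinct addresses covered by all ranges together (overlaps counted once)."""
    nets: List[ipaddress.IPv4Network] = []
    for start, end in ranges:
        nets.extend(parse_range(start, end))
    return sum(net.num_addresses for net in ipaddress.collapse_addresses(nets))


def audit_trusted_ranges(
    ranges: Iterable[Tuple[str, str]],
    max_addresses: int = DEFAULT_MAX_ADDRESSES,
) -> List[Tuple[str, str, int, str]]:
    """Return (start, end, size, reason) for each range that should be tightened.

    reason is "entire-ipv4" for 0.0.0.0-255.255.255.255 (the permissive
    setting described in the article) and "too-broad" for any range larger
    than max_addresses.
    """
    findings = []
    for start, end in ranges:
        size = range_size(start, end)
        if size == IPV4_TOTAL:
            findings.append((start, end, size, "entire-ipv4"))
        elif size > max_addresses:
            findings.append((start, end, size, "too-broad"))
    return findings


# Constructed sample configurations (RFC 5737 documentation blocks, not real tenants).
PERMISSIVE_RANGES = [("0.0.0.0", "255.255.255.255")]
# A tightened configuration: one office egress /24 plus a handful of VPN gateways.
TIGHTENED_RANGES = [("203.0.113.0", "203.0.113.255"), ("198.51.100.10", "198.51.100.20")]

if __name__ == "__main__":
    for label, cfg in (("permissive", PERMISSIVE_RANGES), ("tightened", TIGHTENED_RANGES)):
        print(f"{label}: {covered_addresses(cfg)} addresses trusted")
        for start, end, size, reason in audit_trusted_ranges(cfg):
            print(f"  FLAG {start}-{end} ({size} addresses): {reason}")
```

Run against the permissive configuration the script flags the single entry as covering the entire IPv4 space; against the tightened one it reports 267 trusted addresses and no findings. Overlapping entries are collapsed before counting, so the total reflects what the tenant actually trusts rather than the sum of the individual rows.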