Attacks/Breaches
9/9/2014
12:37 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

Salesforce Passwords At Risk From Dyre

Bank credential-stealing malware evolves into targeting SaaS users.

Just a few months after being found out by security researchers, the criminals behind the new Dyre bank credential-stealing malware are branching out with a another method of attack using the malicious software. This time they've evolved their approach to also target software-as-a-service (SaaS) users, as evidenced by a new barrage of attacks against Salesforce customers.

Late last week, Salesforce warned its customers that they are being targeted by criminals utilizing Dyre to steal their login credentials to the customer relationship management site.

“Dyre will initially infect users through some form of social engineering, typically with an email that contains a malicious attachment," explains Jerome Segura, senior security researcher for Malwarebytes. "Once on the system, the malware can act as a man in the middle and intercept every single keystroke. To be clear, this is not a vulnerability with Salesforce or its website, but rather a type of malware that leverages compromised end-point machines.”

[The heyday of phishing is far from over. Read Phishing: What Once Was Old Is New Again.] 

Nevertheless, Salesforce sent an email on Friday warning of the attacks, noting that as of yet it had not confirmed evidence that any of its customers had actually been impacted by the attack. For now, it is recommending that customers not confirm that their anti-malware solutions can detect Dyre. It also suggests customers activate IP range restrictions so users can only access salesforce.com through the corporate network or VPN as well as the use of SAML authentication capabilities and two-factor authentication layers offered by Salesforce.

Also known as Dyreza, Dyre was first discovered by the security community in June. At that time, researchers noted that it was one of the few new strains of credential-stealing malware to feature code not derived from the Zeus malware family. Most notably, it was the malware criminals used to perpetrate a phishing campaign against JP Morgan Chase customers last month. But the Salesforce attack marks a shift for Dyre, which has definitely increased in prevalence since initial discovery this summer, says Tomer Weingarten, CEO of end-point security firm SentinelOne.

"We’ve also seen the evolution of Dyre. The original variants were primarily used to target banks to commit online fraud," he says. "New variants are being used in phishing schemes that target other industries and now cloud services."

As Weingarten explains, one of the unique aspects of Dyre is its capability to hijack SSL traffic without the victim's knowledge.

"This means all encrypted data accessed by the victim via their browser passes through a third-party server," he says. "Most banking malware just steals credentials; this one can also steal all browser-accessed data."

As a result, some organizations may find that as important as it is to have two-factor authentication, it may not be a silver bullet for stopping Dyre.

"In particular, all of the victim’s traffic is siphoned off to Dyreza’s servers, including two-factor authentication token values," says Zulfikar Ramzan, CTO of cloud security firm Elastica. "Through standard automation techniques, these token values can be exploited by the attackers in real time."

Weingarten recommends that in addition to bolstering anti-phishing training for employees, organizations must fight threats like Dyre by using anti-malware technology that inspects application behavior rather than relying on file inspection.

"To stay ahead of advanced attacks we need an approach that uses on-device execution inspection to detect anomalies and malicious behaviors like traffic re-routing, browser plug-ins (and) RAT capabilities, in real time," he says.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
9/10/2014 | 12:20:50 PM
Re: More user awareness about phishing and social engineering
I do not mean to hammer on CIOs, but what about the CIOs who believe that "all things IT" should belong to them, including security? Do they not realize the inherent conflict of interest in that line of thinking? Unless those CIOs are credentialed or experienced security professionals, they do not possess enough security knowledge or expertise to manage security. Most of them are really engaged in empire building, so that they alone control resources for "all things IT". I believe this is how Target was structured when they were breached, and in spite of that incident, continue to be structured in that way; dare I say, "the old fashioned way". IMHO, this shows a lack of vision by sticking to a strategy that is no longer relevant or effective in today's threat landscape. This very topic was discussed in a Dark Reading Radio discussion a short time back and clearly, the participants were mostly against that strategy (I actually do not recall that anyone was for it).
SgS125
50%
50%
SgS125,
User Rank: Ninja
9/10/2014 | 11:31:37 AM
I bet you meant "now"
"For now, it is recommending that customers not confirm that their anti-malware solutions can detect Dyre."

 

I'll bet you meant to say customers should check to see if the malware is caught by their anti-virus solution.  At least that is what the email said to us.

I find it refreshing that Salesforce took the time to contact it's customers even though the attack has nothing to do with their infrastructure.

We need more proactive measures like this to help us combat the ever more co-ordinated attacks we face in todays world.

 
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
9/10/2014 | 11:26:38 AM
Re: More user awareness about phishing and social engineering
Keep fighting the good fight aws0513! I find this one the most remarkable:
  • CIOs that believe they should have administrative rights to all systems under their perview. (This one turned out to be the cause of a major spear phishing compromise I had to help remediate).
aws0513
50%
50%
aws0513,
User Rank: Ninja
9/10/2014 | 10:50:01 AM
Re: More user awareness about phishing and social engineering
End user awareness of risk associated with IT systems is likely the largest weakness in the war against cybercrime.

The following list hopefully illustrates my point.  It is based upon the incidents I have had to remediate within the last 6 months.  Not in any order.
  • Users that click on any url link thrown at them on any web page or email.
  • Users that open attachments because they look interesting (shiny!!).
  • Users that are managers that feel that security funding is optional.
  • Users that are project managers that fail to integrate security into the project plan.
  • Users that believe that hacking only happens to the other guy.
  • Users that use the same password on all their accounts.
  • Users that use "Passw0rd" as their password...  or similar situation.
  • Users that accept a phone call and believe the caller is a technician from vendor X that is calling to help them with a problem they have detected on the users workstation.
  • Users that decide that playing online games at work is ok.
  • Users that feel they need to be able to install any software whenever they feel it is useful or necessary.
  • Users that consider corporate network web filtering a form of "big brother".
  • Users that believe they have a right to listen to music on their office workstation.
  • Users that believe they have a right to have a CD/DVD drive on their workstation.
  • Users that decide to send regulatory data to anyone that emails them for information.
  • Users that feel they need administrative control of the servers they use for work because they are the system owner (not the system administrative role).
  • CIOs that believe they should have administrative rights to all systems under their perview. (This one turned out to be the cause of a major spear phishing compromise I had to help remediate).
  • Users that think vendor platform X is more secure that vendor platform Y because [insert unsubstantiated reason here].
  • Users that believe they know everything about IT security.  (I'm a IT security pro with 15+ years experience and even I cannot honestly make that claim).

I'm sure some of you out there could add a few more items.

I like to joke that end users are my #1 reason for my job security. 
But I am honestly and forever disenchanted by the fact that a large number of end users are just not on the right track when it comes to IT security.  I fully understand there is a lot to know.  Every day I need to review and revisit concepts to make sure I am on top of the latest developments.  But I believe everyone needs to become more cautious and aware of what bad-ness is out there.

With all security, it only takes one weakness to allow for a compromise.

I will keep fighting the good fight, with the simple hope that somewhere I am helping make a difference.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
9/10/2014 | 8:11:05 AM
More user awareness about phishing and social engineering
Interesting (and not surprising) that experts recommend increased user awareness training about phishing attacks. That conforms to our current poll on social engineering where we ask Dark Reading community members what is the most dangerous social engineering threat to organizations. Results so far: "Employees aren't  aware of it (56% of respondents) and phishing emails (26%). If you haven't yet weighed in on the poll, you can scroll to the right column on your computer screen, or go to http://www.darkreading.com/editorial-poll/hacking-humans/d/d-id/1307012.
20 Questions to Ask Yourself before Giving a Security Conference Talk
Joshua Goldfarb, Co-founder & Chief Product Officer, IDDRA,  10/16/2017
Printers: The Weak Link in Enterprise Security
Kelly Sheridan, Associate Editor, Dark Reading,  10/16/2017
Hyatt Hit With Another Credit Card Breach
Dark Reading Staff 10/13/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.