12:37 PM
Connect Directly

Salesforce Passwords At Risk From Dyre

Bank credential-stealing malware evolves into targeting SaaS users.

Just a few months after being found out by security researchers, the criminals behind the new Dyre bank credential-stealing malware are branching out with a another method of attack using the malicious software. This time they've evolved their approach to also target software-as-a-service (SaaS) users, as evidenced by a new barrage of attacks against Salesforce customers.

Late last week, Salesforce warned its customers that they are being targeted by criminals utilizing Dyre to steal their login credentials to the customer relationship management site.

“Dyre will initially infect users through some form of social engineering, typically with an email that contains a malicious attachment," explains Jerome Segura, senior security researcher for Malwarebytes. "Once on the system, the malware can act as a man in the middle and intercept every single keystroke. To be clear, this is not a vulnerability with Salesforce or its website, but rather a type of malware that leverages compromised end-point machines.”

[The heyday of phishing is far from over. Read Phishing: What Once Was Old Is New Again.] 

Nevertheless, Salesforce sent an email on Friday warning of the attacks, noting that as of yet it had not confirmed evidence that any of its customers had actually been impacted by the attack. For now, it is recommending that customers not confirm that their anti-malware solutions can detect Dyre. It also suggests customers activate IP range restrictions so users can only access through the corporate network or VPN as well as the use of SAML authentication capabilities and two-factor authentication layers offered by Salesforce.

Also known as Dyreza, Dyre was first discovered by the security community in June. At that time, researchers noted that it was one of the few new strains of credential-stealing malware to feature code not derived from the Zeus malware family. Most notably, it was the malware criminals used to perpetrate a phishing campaign against JP Morgan Chase customers last month. But the Salesforce attack marks a shift for Dyre, which has definitely increased in prevalence since initial discovery this summer, says Tomer Weingarten, CEO of end-point security firm SentinelOne.

"We’ve also seen the evolution of Dyre. The original variants were primarily used to target banks to commit online fraud," he says. "New variants are being used in phishing schemes that target other industries and now cloud services."

As Weingarten explains, one of the unique aspects of Dyre is its capability to hijack SSL traffic without the victim's knowledge.

"This means all encrypted data accessed by the victim via their browser passes through a third-party server," he says. "Most banking malware just steals credentials; this one can also steal all browser-accessed data."

As a result, some organizations may find that as important as it is to have two-factor authentication, it may not be a silver bullet for stopping Dyre.

"In particular, all of the victim’s traffic is siphoned off to Dyreza’s servers, including two-factor authentication token values," says Zulfikar Ramzan, CTO of cloud security firm Elastica. "Through standard automation techniques, these token values can be exploited by the attackers in real time."

Weingarten recommends that in addition to bolstering anti-phishing training for employees, organizations must fight threats like Dyre by using anti-malware technology that inspects application behavior rather than relying on file inspection.

"To stay ahead of advanced attacks we need an approach that uses on-device execution inspection to detect anomalies and malicious behaviors like traffic re-routing, browser plug-ins (and) RAT capabilities, in real time," he says.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
9/10/2014 | 12:20:50 PM
Re: More user awareness about phishing and social engineering
I do not mean to hammer on CIOs, but what about the CIOs who believe that "all things IT" should belong to them, including security? Do they not realize the inherent conflict of interest in that line of thinking? Unless those CIOs are credentialed or experienced security professionals, they do not possess enough security knowledge or expertise to manage security. Most of them are really engaged in empire building, so that they alone control resources for "all things IT". I believe this is how Target was structured when they were breached, and in spite of that incident, continue to be structured in that way; dare I say, "the old fashioned way". IMHO, this shows a lack of vision by sticking to a strategy that is no longer relevant or effective in today's threat landscape. This very topic was discussed in a Dark Reading Radio discussion a short time back and clearly, the participants were mostly against that strategy (I actually do not recall that anyone was for it).
User Rank: Ninja
9/10/2014 | 11:31:37 AM
I bet you meant "now"
"For now, it is recommending that customers not confirm that their anti-malware solutions can detect Dyre."


I'll bet you meant to say customers should check to see if the malware is caught by their anti-virus solution.  At least that is what the email said to us.

I find it refreshing that Salesforce took the time to contact it's customers even though the attack has nothing to do with their infrastructure.

We need more proactive measures like this to help us combat the ever more co-ordinated attacks we face in todays world.

Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
9/10/2014 | 11:26:38 AM
Re: More user awareness about phishing and social engineering
Keep fighting the good fight aws0513! I find this one the most remarkable:
  • CIOs that believe they should have administrative rights to all systems under their perview. (This one turned out to be the cause of a major spear phishing compromise I had to help remediate).
User Rank: Ninja
9/10/2014 | 10:50:01 AM
Re: More user awareness about phishing and social engineering
End user awareness of risk associated with IT systems is likely the largest weakness in the war against cybercrime.

The following list hopefully illustrates my point.  It is based upon the incidents I have had to remediate within the last 6 months.  Not in any order.
  • Users that click on any url link thrown at them on any web page or email.
  • Users that open attachments because they look interesting (shiny!!).
  • Users that are managers that feel that security funding is optional.
  • Users that are project managers that fail to integrate security into the project plan.
  • Users that believe that hacking only happens to the other guy.
  • Users that use the same password on all their accounts.
  • Users that use "Passw0rd" as their password...  or similar situation.
  • Users that accept a phone call and believe the caller is a technician from vendor X that is calling to help them with a problem they have detected on the users workstation.
  • Users that decide that playing online games at work is ok.
  • Users that feel they need to be able to install any software whenever they feel it is useful or necessary.
  • Users that consider corporate network web filtering a form of "big brother".
  • Users that believe they have a right to listen to music on their office workstation.
  • Users that believe they have a right to have a CD/DVD drive on their workstation.
  • Users that decide to send regulatory data to anyone that emails them for information.
  • Users that feel they need administrative control of the servers they use for work because they are the system owner (not the system administrative role).
  • CIOs that believe they should have administrative rights to all systems under their perview. (This one turned out to be the cause of a major spear phishing compromise I had to help remediate).
  • Users that think vendor platform X is more secure that vendor platform Y because [insert unsubstantiated reason here].
  • Users that believe they know everything about IT security.  (I'm a IT security pro with 15+ years experience and even I cannot honestly make that claim).

I'm sure some of you out there could add a few more items.

I like to joke that end users are my #1 reason for my job security. 
But I am honestly and forever disenchanted by the fact that a large number of end users are just not on the right track when it comes to IT security.  I fully understand there is a lot to know.  Every day I need to review and revisit concepts to make sure I am on top of the latest developments.  But I believe everyone needs to become more cautious and aware of what bad-ness is out there.

With all security, it only takes one weakness to allow for a compromise.

I will keep fighting the good fight, with the simple hope that somewhere I am helping make a difference.
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
9/10/2014 | 8:11:05 AM
More user awareness about phishing and social engineering
Interesting (and not surprising) that experts recommend increased user awareness training about phishing attacks. That conforms to our current poll on social engineering where we ask Dark Reading community members what is the most dangerous social engineering threat to organizations. Results so far: "Employees aren't  aware of it (56% of respondents) and phishing emails (26%). If you haven't yet weighed in on the poll, you can scroll to the right column on your computer screen, or go to
New Mirai Version Targets Business IoT Devices
Dark Reading Staff 3/19/2019
Norsk Hydro Shuts Plants Amid Ransomware Attack
Kelly Sheridan, Staff Editor, Dark Reading,  3/19/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Reading Schneier's Friday Squid Blog again?
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-03-18
An unquoted search path vulnerability was identified in Lenovo Dynamic Power Reduction Utility prior to version that could allow a malicious user with local access to execute code with administrative privileges.
PUBLISHED: 2019-03-18
Five9 Agent Desktop Plus 10.0.70 has Incorrect Access Control (issue 2 of 2).
PUBLISHED: 2019-03-17
Phamm (aka PHP LDAP Virtual Hosting Manager) 0.6.8 allows XSS via the login page (the /public/main.php action parameter).
PUBLISHED: 2019-03-15
CircuitWerkes Sicon-8, a hardware device used for managing electrical devices, ships with a web-based front-end controller and implements an authentication mechanism in JavaScript that is run in the context of a user's web browser.
PUBLISHED: 2019-03-15
An Integer overflow vulnerability exists in the batchTransfer function of a smart contract implementation for CryptoBotsBattle (CBTB), an Ethereum token. This vulnerability could be used by an attacker to create an arbitrary amount of tokens for any user.