Attacks/Breaches

9/9/2014
12:37 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

Salesforce Passwords At Risk From Dyre

Bank credential-stealing malware evolves into targeting SaaS users.

Just a few months after being found out by security researchers, the criminals behind the new Dyre bank credential-stealing malware are branching out with a another method of attack using the malicious software. This time they've evolved their approach to also target software-as-a-service (SaaS) users, as evidenced by a new barrage of attacks against Salesforce customers.

Late last week, Salesforce warned its customers that they are being targeted by criminals utilizing Dyre to steal their login credentials to the customer relationship management site.

“Dyre will initially infect users through some form of social engineering, typically with an email that contains a malicious attachment," explains Jerome Segura, senior security researcher for Malwarebytes. "Once on the system, the malware can act as a man in the middle and intercept every single keystroke. To be clear, this is not a vulnerability with Salesforce or its website, but rather a type of malware that leverages compromised end-point machines.”

[The heyday of phishing is far from over. Read Phishing: What Once Was Old Is New Again.] 

Nevertheless, Salesforce sent an email on Friday warning of the attacks, noting that as of yet it had not confirmed evidence that any of its customers had actually been impacted by the attack. For now, it is recommending that customers not confirm that their anti-malware solutions can detect Dyre. It also suggests customers activate IP range restrictions so users can only access salesforce.com through the corporate network or VPN as well as the use of SAML authentication capabilities and two-factor authentication layers offered by Salesforce.

Also known as Dyreza, Dyre was first discovered by the security community in June. At that time, researchers noted that it was one of the few new strains of credential-stealing malware to feature code not derived from the Zeus malware family. Most notably, it was the malware criminals used to perpetrate a phishing campaign against JP Morgan Chase customers last month. But the Salesforce attack marks a shift for Dyre, which has definitely increased in prevalence since initial discovery this summer, says Tomer Weingarten, CEO of end-point security firm SentinelOne.

"We’ve also seen the evolution of Dyre. The original variants were primarily used to target banks to commit online fraud," he says. "New variants are being used in phishing schemes that target other industries and now cloud services."

As Weingarten explains, one of the unique aspects of Dyre is its capability to hijack SSL traffic without the victim's knowledge.

"This means all encrypted data accessed by the victim via their browser passes through a third-party server," he says. "Most banking malware just steals credentials; this one can also steal all browser-accessed data."

As a result, some organizations may find that as important as it is to have two-factor authentication, it may not be a silver bullet for stopping Dyre.

"In particular, all of the victim’s traffic is siphoned off to Dyreza’s servers, including two-factor authentication token values," says Zulfikar Ramzan, CTO of cloud security firm Elastica. "Through standard automation techniques, these token values can be exploited by the attackers in real time."

Weingarten recommends that in addition to bolstering anti-phishing training for employees, organizations must fight threats like Dyre by using anti-malware technology that inspects application behavior rather than relying on file inspection.

"To stay ahead of advanced attacks we need an approach that uses on-device execution inspection to detect anomalies and malicious behaviors like traffic re-routing, browser plug-ins (and) RAT capabilities, in real time," he says.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
9/10/2014 | 12:20:50 PM
Re: More user awareness about phishing and social engineering
I do not mean to hammer on CIOs, but what about the CIOs who believe that "all things IT" should belong to them, including security? Do they not realize the inherent conflict of interest in that line of thinking? Unless those CIOs are credentialed or experienced security professionals, they do not possess enough security knowledge or expertise to manage security. Most of them are really engaged in empire building, so that they alone control resources for "all things IT". I believe this is how Target was structured when they were breached, and in spite of that incident, continue to be structured in that way; dare I say, "the old fashioned way". IMHO, this shows a lack of vision by sticking to a strategy that is no longer relevant or effective in today's threat landscape. This very topic was discussed in a Dark Reading Radio discussion a short time back and clearly, the participants were mostly against that strategy (I actually do not recall that anyone was for it).
SgS125
50%
50%
SgS125,
User Rank: Ninja
9/10/2014 | 11:31:37 AM
I bet you meant "now"
"For now, it is recommending that customers not confirm that their anti-malware solutions can detect Dyre."

 

I'll bet you meant to say customers should check to see if the malware is caught by their anti-virus solution.  At least that is what the email said to us.

I find it refreshing that Salesforce took the time to contact it's customers even though the attack has nothing to do with their infrastructure.

We need more proactive measures like this to help us combat the ever more co-ordinated attacks we face in todays world.

 
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
9/10/2014 | 11:26:38 AM
Re: More user awareness about phishing and social engineering
Keep fighting the good fight aws0513! I find this one the most remarkable:
  • CIOs that believe they should have administrative rights to all systems under their perview. (This one turned out to be the cause of a major spear phishing compromise I had to help remediate).
aws0513
50%
50%
aws0513,
User Rank: Ninja
9/10/2014 | 10:50:01 AM
Re: More user awareness about phishing and social engineering
End user awareness of risk associated with IT systems is likely the largest weakness in the war against cybercrime.

The following list hopefully illustrates my point.  It is based upon the incidents I have had to remediate within the last 6 months.  Not in any order.
  • Users that click on any url link thrown at them on any web page or email.
  • Users that open attachments because they look interesting (shiny!!).
  • Users that are managers that feel that security funding is optional.
  • Users that are project managers that fail to integrate security into the project plan.
  • Users that believe that hacking only happens to the other guy.
  • Users that use the same password on all their accounts.
  • Users that use "Passw0rd" as their password...  or similar situation.
  • Users that accept a phone call and believe the caller is a technician from vendor X that is calling to help them with a problem they have detected on the users workstation.
  • Users that decide that playing online games at work is ok.
  • Users that feel they need to be able to install any software whenever they feel it is useful or necessary.
  • Users that consider corporate network web filtering a form of "big brother".
  • Users that believe they have a right to listen to music on their office workstation.
  • Users that believe they have a right to have a CD/DVD drive on their workstation.
  • Users that decide to send regulatory data to anyone that emails them for information.
  • Users that feel they need administrative control of the servers they use for work because they are the system owner (not the system administrative role).
  • CIOs that believe they should have administrative rights to all systems under their perview. (This one turned out to be the cause of a major spear phishing compromise I had to help remediate).
  • Users that think vendor platform X is more secure that vendor platform Y because [insert unsubstantiated reason here].
  • Users that believe they know everything about IT security.  (I'm a IT security pro with 15+ years experience and even I cannot honestly make that claim).

I'm sure some of you out there could add a few more items.

I like to joke that end users are my #1 reason for my job security. 
But I am honestly and forever disenchanted by the fact that a large number of end users are just not on the right track when it comes to IT security.  I fully understand there is a lot to know.  Every day I need to review and revisit concepts to make sure I am on top of the latest developments.  But I believe everyone needs to become more cautious and aware of what bad-ness is out there.

With all security, it only takes one weakness to allow for a compromise.

I will keep fighting the good fight, with the simple hope that somewhere I am helping make a difference.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
9/10/2014 | 8:11:05 AM
More user awareness about phishing and social engineering
Interesting (and not surprising) that experts recommend increased user awareness training about phishing attacks. That conforms to our current poll on social engineering where we ask Dark Reading community members what is the most dangerous social engineering threat to organizations. Results so far: "Employees aren't  aware of it (56% of respondents) and phishing emails (26%). If you haven't yet weighed in on the poll, you can scroll to the right column on your computer screen, or go to http://www.darkreading.com/editorial-poll/hacking-humans/d/d-id/1307012.
Veterans Find New Roles in Enterprise Cybersecurity
Kelly Sheridan, Staff Editor, Dark Reading,  11/12/2018
Empathy: The Next Killer App for Cybersecurity?
Shay Colson, CISSP, Senior Manager, CyberClarity360,  11/13/2018
Understanding Evil Twin AP Attacks and How to Prevent Them
Ryan Orsi, Director of Product Management for Wi-Fi at WatchGuard Technologies,  11/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Online Malware and Threats: A Profile of Today's Security Posture
Online Malware and Threats: A Profile of Today's Security Posture
This report offers insight on how security professionals plan to invest in cybersecurity, and how they are prioritizing their resources. Find out what your peers have planned today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-18519
PUBLISHED: 2018-11-19
BestXsoftware Best Free Keylogger 5.2.9 allows local users to gain privileges via a Trojan horse "%PROGRAMFILES%\BFK 5.2.9\syscrb.exe" file because of insecure permissions for the BUILTIN\Users group.
CVE-2018-19355
PUBLISHED: 2018-11-19
modules/orderfiles/ajax/upload.php in the Customer Files Upload addon 2018-08-01 for PrestaShop (1.5 through 1.7) allows remote attackers to execute arbitrary code by uploading a php file via modules/orderfiles/upload.php with auptype equal to product (for upload destinations under modules/productfi...
CVE-2008-7320
PUBLISHED: 2018-11-18
** DISPUTED ** GNOME Seahorse through 3.30 allows physically proximate attackers to read plaintext passwords by using the quickAllow dialog at an unattended workstation, if the keyring is unlocked. NOTE: this is disputed by a software maintainer because the behavior represents a design decision.
CVE-2018-19358
PUBLISHED: 2018-11-18
GNOME Keyring through 3.28.2 allows local users to retrieve login credentials via a Secret Service API call and the D-Bus interface if the keyring is unlocked, a similar issue to CVE-2008-7320. One perspective is that this occurs because available D-Bus protection mechanisms (involving the busconfig...
CVE-2018-19351
PUBLISHED: 2018-11-18
Jupyter Notebook before 5.7.1 allows XSS via an untrusted notebook because nbconvert responses are considered to have the same origin as the notebook server. In other words, nbconvert endpoints can execute JavaScript with access to the server API. In notebook/nbconvert/handlers.py, NbconvertFileHand...