Salesforce Passwords At Risk From Dyre

Bank credential-stealing malware evolves into targeting SaaS users

Just a few months after being found out by security researchers, the criminals behind the new Dyre bank credential-stealing malware are branching out with another method of attack using the malicious software. This time they've evolved their approach to also target software-as-a-service (SaaS) users, as evidenced by a new barrage of attacks against Salesforce customers.

Late last week, Salesforce warned its customers that they are being targeted by criminals utilizing Dyre to steal their login credentials to the customer relationship management site.

"Dyre will initially infect users through some form of social engineering, typically with an email that contains a malicious attachment," explains Jerome Segura, senior security researcher for Malwarebytes. "Once on the system, the malware can act as a man in the middle and intercept every single keystroke. To be clear, this is not a vulnerability with Salesforce or its website, but rather a type of malware that leverages compromised end-point machines."

Nevertheless, Salesforce sent an email on Friday warning of the attacks, noting that it had not yet confirmed evidence that any of its customers had actually been impacted by the attack. For now, it is recommending that customers confirm that their anti-malware solutions can detect Dyre. It also suggests that customers activate IP range restrictions so users can access the service only through the corporate network or VPN, and that they use the SAML authentication capabilities and two-factor authentication layers offered by Salesforce.

Also known as Dyreza, Dyre was first discovered by the security community in June. At that time, researchers noted that it was one of the few new strains of credential-stealing malware to feature code not derived from the Zeus malware family. Most notably, it was the malware criminals used to perpetrate a phishing campaign against JP Morgan Chase customers last month. But the Salesforce attack marks a shift for Dyre, which has definitely increased in prevalence since initial discovery this summer, says Tomer Weingarten, CEO of end-point security firm SentinelOne.

"We’ve also seen the evolution of Dyre. The original variants were primarily used to target banks to commit online fraud," he says. "New variants are being used in phishing schemes that target other industries and now cloud services."

As Weingarten explains, one of the unique aspects of Dyre is its capability to hijack SSL traffic without the victim's knowledge.

"This means all encrypted data accessed by the victim via their browser passes through a third-party server," he says. "Most banking malware just steals credentials; this one can also steal all browser-accessed data."

As a result, some organizations may find that as important as it is to have two-factor authentication, it may not be a silver bullet for stopping Dyre.

"In particular, all of the victim’s traffic is siphoned off to Dyreza’s servers, including two-factor authentication token values," says Zulfikar Ramzan, CTO of cloud security firm Elastica. "Through standard automation techniques, these token values can be exploited by the attackers in real time."

Weingarten recommends that in addition to bolstering anti-phishing training for employees, organizations must fight threats like Dyre by using anti-malware technology that inspects application behavior rather than relying on file inspection.

"To stay ahead of advanced attacks we need an approach that uses on-device execution inspection to detect anomalies and malicious behaviors like traffic re-routing, browser plug-ins (and) RAT capabilities, in real time," he says.