Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


12:37 PM
Connect Directly

Salesforce Passwords At Risk From Dyre

Bank credential-stealing malware evolves into targeting SaaS users.

Just a few months after being found out by security researchers, the criminals behind the new Dyre bank credential-stealing malware are branching out with a another method of attack using the malicious software. This time they've evolved their approach to also target software-as-a-service (SaaS) users, as evidenced by a new barrage of attacks against Salesforce customers.

Late last week, Salesforce warned its customers that they are being targeted by criminals utilizing Dyre to steal their login credentials to the customer relationship management site.

“Dyre will initially infect users through some form of social engineering, typically with an email that contains a malicious attachment," explains Jerome Segura, senior security researcher for Malwarebytes. "Once on the system, the malware can act as a man in the middle and intercept every single keystroke. To be clear, this is not a vulnerability with Salesforce or its website, but rather a type of malware that leverages compromised end-point machines.”

[The heyday of phishing is far from over. Read Phishing: What Once Was Old Is New Again.] 

Nevertheless, Salesforce sent an email on Friday warning of the attacks, noting that as of yet it had not confirmed evidence that any of its customers had actually been impacted by the attack. For now, it is recommending that customers not confirm that their anti-malware solutions can detect Dyre. It also suggests customers activate IP range restrictions so users can only access salesforce.com through the corporate network or VPN as well as the use of SAML authentication capabilities and two-factor authentication layers offered by Salesforce.

Also known as Dyreza, Dyre was first discovered by the security community in June. At that time, researchers noted that it was one of the few new strains of credential-stealing malware to feature code not derived from the Zeus malware family. Most notably, it was the malware criminals used to perpetrate a phishing campaign against JP Morgan Chase customers last month. But the Salesforce attack marks a shift for Dyre, which has definitely increased in prevalence since initial discovery this summer, says Tomer Weingarten, CEO of end-point security firm SentinelOne.

"We’ve also seen the evolution of Dyre. The original variants were primarily used to target banks to commit online fraud," he says. "New variants are being used in phishing schemes that target other industries and now cloud services."

As Weingarten explains, one of the unique aspects of Dyre is its capability to hijack SSL traffic without the victim's knowledge.

"This means all encrypted data accessed by the victim via their browser passes through a third-party server," he says. "Most banking malware just steals credentials; this one can also steal all browser-accessed data."

As a result, some organizations may find that as important as it is to have two-factor authentication, it may not be a silver bullet for stopping Dyre.

"In particular, all of the victim’s traffic is siphoned off to Dyreza’s servers, including two-factor authentication token values," says Zulfikar Ramzan, CTO of cloud security firm Elastica. "Through standard automation techniques, these token values can be exploited by the attackers in real time."

Weingarten recommends that in addition to bolstering anti-phishing training for employees, organizations must fight threats like Dyre by using anti-malware technology that inspects application behavior rather than relying on file inspection.

"To stay ahead of advanced attacks we need an approach that uses on-device execution inspection to detect anomalies and malicious behaviors like traffic re-routing, browser plug-ins (and) RAT capabilities, in real time," he says.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
9/10/2014 | 8:11:05 AM
More user awareness about phishing and social engineering
Interesting (and not surprising) that experts recommend increased user awareness training about phishing attacks. That conforms to our current poll on social engineering where we ask Dark Reading community members what is the most dangerous social engineering threat to organizations. Results so far: "Employees aren't  aware of it (56% of respondents) and phishing emails (26%). If you haven't yet weighed in on the poll, you can scroll to the right column on your computer screen, or go to http://www.darkreading.com/editorial-poll/hacking-humans/d/d-id/1307012.
User Rank: Ninja
9/10/2014 | 10:50:01 AM
Re: More user awareness about phishing and social engineering
End user awareness of risk associated with IT systems is likely the largest weakness in the war against cybercrime.

The following list hopefully illustrates my point.  It is based upon the incidents I have had to remediate within the last 6 months.  Not in any order.
  • Users that click on any url link thrown at them on any web page or email.
  • Users that open attachments because they look interesting (shiny!!).
  • Users that are managers that feel that security funding is optional.
  • Users that are project managers that fail to integrate security into the project plan.
  • Users that believe that hacking only happens to the other guy.
  • Users that use the same password on all their accounts.
  • Users that use "Passw0rd" as their password...  or similar situation.
  • Users that accept a phone call and believe the caller is a technician from vendor X that is calling to help them with a problem they have detected on the users workstation.
  • Users that decide that playing online games at work is ok.
  • Users that feel they need to be able to install any software whenever they feel it is useful or necessary.
  • Users that consider corporate network web filtering a form of "big brother".
  • Users that believe they have a right to listen to music on their office workstation.
  • Users that believe they have a right to have a CD/DVD drive on their workstation.
  • Users that decide to send regulatory data to anyone that emails them for information.
  • Users that feel they need administrative control of the servers they use for work because they are the system owner (not the system administrative role).
  • CIOs that believe they should have administrative rights to all systems under their perview. (This one turned out to be the cause of a major spear phishing compromise I had to help remediate).
  • Users that think vendor platform X is more secure that vendor platform Y because [insert unsubstantiated reason here].
  • Users that believe they know everything about IT security.  (I'm a IT security pro with 15+ years experience and even I cannot honestly make that claim).

I'm sure some of you out there could add a few more items.

I like to joke that end users are my #1 reason for my job security. 
But I am honestly and forever disenchanted by the fact that a large number of end users are just not on the right track when it comes to IT security.  I fully understand there is a lot to know.  Every day I need to review and revisit concepts to make sure I am on top of the latest developments.  But I believe everyone needs to become more cautious and aware of what bad-ness is out there.

With all security, it only takes one weakness to allow for a compromise.

I will keep fighting the good fight, with the simple hope that somewhere I am helping make a difference.
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
9/10/2014 | 11:26:38 AM
Re: More user awareness about phishing and social engineering
Keep fighting the good fight aws0513! I find this one the most remarkable:
  • CIOs that believe they should have administrative rights to all systems under their perview. (This one turned out to be the cause of a major spear phishing compromise I had to help remediate).
User Rank: Ninja
9/10/2014 | 11:31:37 AM
I bet you meant "now"
"For now, it is recommending that customers not confirm that their anti-malware solutions can detect Dyre."


I'll bet you meant to say customers should check to see if the malware is caught by their anti-virus solution.  At least that is what the email said to us.

I find it refreshing that Salesforce took the time to contact it's customers even though the attack has nothing to do with their infrastructure.

We need more proactive measures like this to help us combat the ever more co-ordinated attacks we face in todays world.

User Rank: Ninja
9/10/2014 | 12:20:50 PM
Re: More user awareness about phishing and social engineering
I do not mean to hammer on CIOs, but what about the CIOs who believe that "all things IT" should belong to them, including security? Do they not realize the inherent conflict of interest in that line of thinking? Unless those CIOs are credentialed or experienced security professionals, they do not possess enough security knowledge or expertise to manage security. Most of them are really engaged in empire building, so that they alone control resources for "all things IT". I believe this is how Target was structured when they were breached, and in spite of that incident, continue to be structured in that way; dare I say, "the old fashioned way". IMHO, this shows a lack of vision by sticking to a strategy that is no longer relevant or effective in today's threat landscape. This very topic was discussed in a Dark Reading Radio discussion a short time back and clearly, the participants were mostly against that strategy (I actually do not recall that anyone was for it).
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Take me to your BISO 
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-10
In YzmCMS 5.6, XSS was discovered in member/member_content/init.html via the SRC attribute of an IFRAME element because of using UEditor
PUBLISHED: 2021-05-10
In YzmCMS 5.6, stored XSS exists via the common/static/plugin/ueditor/ action parameter, which allows remote attackers to upload a swf file. The swf file can be injected with arbitrary web script or HTML.
PUBLISHED: 2021-05-10
Cross-site scripting (XSS) vulnerability in static/admin/js/kindeditor/plugins/multiimage/images/swfupload.swf in noneCms v1.3.0 allows remote attackers to inject arbitrary web script or HTML via the movieName parameter.
PUBLISHED: 2021-05-10
Cross-site scripting (XSS) vulnerability in admin/nav/add.html in noneCMS v1.3.0 allows remote authenticated attackers to inject arbitrary web script or HTML via the name parameter.
PUBLISHED: 2021-05-10
Cross-site scripting (XSS) vulnerability in admin/article/add.html in noneCMS v1.3.0 allows remote authenticated attackers to inject arbitrary web script or HTML via the name parameter.