Dyre Straits: Why This Cloud Attack's Different - InformationWeek

Cloud // Software as a Service | Commentary
9/12/2014 12:10 PM
Kaushik Narayan
Dyre Straits: Why This Cloud Attack's Different

Dyre is a new breed of Trojan, attacking cloud apps and using the cloud as a delivery vehicle.


The cloud has officially arrived. You can tell by all the recent data security attacks on cloud apps.

Hot on the heels of the iCloud breach that exposed many personal photos of celebrities, a new Trojan called Dyre (or Dyreza) has appeared, attacking trusted business-class cloud software, including Salesforce.com. Dyre not only uses the cloud as a way to get malware onto a user's computer; once installed, it scans for passwords and for data the user uploads to secure cloud services.

Researchers consider Dyre a new family of malware, distinct from previous Trojans. Like other Trojans, it spreads by tricking users into downloading and installing it, with the download disguised as something useful, and it then quietly steals data from the unsuspecting user. But the way it attacks users is novel: it uses browser hooks to capture data before the browser encrypts it with SSL. It's part of a new generation of crime-as-a-service malware developed by criminal organizations to extract user information and sell it to the highest bidder.

Companies are attractive targets for attackers because they store vast amounts of employee and customer data. Today, even the largest enterprises rely on cloud services for business-critical functions, and that sensitive data is increasingly stored in centralized locations in the cloud rather than behind the company's firewall. That makes these cloud services prime targets for attackers, which is why, in addition to targeting online banking sites as has been widely reported, Dyre also targets Salesforce.com, one of the most successful and most trusted cloud services used by businesses.


Dyre's method of attack even uses the cloud, relying on popular file-sharing services for distribution. Skyhigh Networks (the cloud security company where I'm CTO and co-founder) tracks the top cloud services and found the average company uses 24 file-sharing services, meaning there are many potential vectors for Dyre to enter the enterprise and infect unsuspecting users.

How Dyre works
First, a user receives an email containing a link to a file hosted on a file-sharing service like Dropbox or Cubby. The user opens the link because the email says it contains an overdue invoice, say, or an explanation for why his IRS tax return was not transferred to his bank. In other words, Dyre is delivered via a classic spear-phishing email, but it uses a novel way of storing the malware on trusted cloud services used by consumers. Once the user opens the link, the file is downloaded, unzipped, and Dyre installs on the computer. After phoning home to a command-and-control site, Dyre quietly monitors all browser activity, waiting for certain sites or cloud apps to be accessed.

What makes Dyre particularly dangerous is that when a user visits a target site, say, Bank of America or Salesforce.com, the session is encrypted via SSL and the browser shows every indication that it is secure. However, Dyre hooks the browser and reads data before it is protected by SSL. This way the malware gains access not only to the data users transfer to or from a cloud service, but also to their login credentials, which the attackers can sell for a profit. Considering the type of sensitive data companies store in the cloud today, a compromised account could expose Social Security numbers, bank account information, protected health information, intellectual property, and more.
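A defender's view of the delivery step described above, as an added example that is not from the article or from Skyhigh: a small scan over constructed proxy log lines that flags completed archive downloads from consumer file-sharing services, rating those whose file names resemble invoice or tax lures higher. The domain list, the log format and the severity labels are assumptions.

```python
import re
from urllib.parse import urlparse

# Consumer file-sharing services the article names as Dyre delivery hosts.
# The domain list is illustrative (an assumption); extend it for your environment.
FILE_SHARING_DOMAINS = ("dropbox.com", "dropboxusercontent.com", "cubby.com")
ARCHIVE_RE = re.compile(r"\.(zip|rar|7z)$", re.IGNORECASE)
# Filename words typical of the invoice / tax-return lures the article describes.
LURE_RE = re.compile(r"invoice|irs|tax|refund|statement", re.IGNORECASE)
# Proxy log format assumed here: timestamp user method url status bytes
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2014-09-12T09:01:10 alice GET https://login.salesforce.com/ 200 5120
2014-09-12T09:03:44 bob GET https://dl.dropboxusercontent.com/s/abc123/Invoice_0912.zip 200 184320
2014-09-12T09:04:02 bob GET https://login.salesforce.com/ 200 7200
2014-09-12T09:10:30 carol GET https://www.cubby.com/pl/xyz/IRS_return_notice.zip 200 201000
2014-09-12T09:12:00 dave GET https://www.dropbox.com/s/q1w2e3/team_photo.jpg 200 90000
2014-09-12T09:15:21 erin GET https://www.dropbox.com/s/r4t5y6/build_artifacts.zip 200 4096000
"""


def is_file_sharing_host(host):
    """True when host is a listed file-sharing domain or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in FILE_SHARING_DOMAINS)


def find_archive_downloads(log_text):
    """One finding per completed archive download from a file-sharing service.

    Severity is 'high' when the file name also looks like a phishing lure and
    'medium' otherwise: archives from sharing sites are routine for real work,
    so they are queued for review rather than blocked outright.
    """
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        ts, user, _method, url, status, _size = m.groups()
        if status != "200":
            continue  # only completed downloads matter
        parsed = urlparse(url)
        filename = parsed.path.rsplit("/", 1)[-1]
        if is_file_sharing_host(parsed.hostname or "") and ARCHIVE_RE.search(filename):
            severity = "high" if LURE_RE.search(filename) else "medium"
            findings.append({"time": ts, "user": user, "host": parsed.hostname,
                             "file": filename, "severity": severity})
    return findings
```

Run on real proxy exports, the same scan is a triage feed, not a verdict: a high-severity hit is a prompt to check the endpoint for a follow-on phone-home, as the article describes, before the user's next cloud login.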

Protecting your company from this new generation of malware will require a multi-layered approach including firewalls, proxies, antivirus, and security features from cloud providers that customers don't always use.

Don't expect cloud providers to take the initiative -- or even take responsibility -- for securing data. Many of their terms and conditions place the burden directly on the customer. That means


Kaushik Narayan is a Co-Founder and CTO at Skyhigh Networks, a cloud security company, where he is responsible for Skyhigh's technology vision and software architecture. He brings over 18 years of experience driving technology and architecture strategy for enterprise-class ...
Comments
SachinEE, User Rank: Ninja, 9/26/2014 | 12:12:33 AM
Nice insight on cloud vulnerabilities
There is no doubt that cloud computing holds the future of all companies and organizations, but not as long as security issues keep on popping up so consistently. Many companies are actually deferring cloud services due to security concerns. Cloud will continue to grow as more users access their files stored in the cloud through portable devices such as tablets and smartphones. Companies should put up measures such as protecting credentials from being stolen to safeguard against data loss, leakage and account hijacking.
nomii, User Rank: Ninja, 9/15/2014 | 7:09:26 AM
Re: Salesforce.com Customers: Heed This Advice
This multifactor authentication has already been used by many financial institutions for their web-based solutions like internet and mobile banking. It is good to see the feature is being adopted in other industries as well. This idea will be widely accepted by the customer, especially after what happened with iCloud.
danielcawrey, User Rank: Ninja, 9/14/2014 | 1:46:43 PM
Re: Salesforce.com Customers: Heed This Advice
This is exactly why everyone should be using two-factor authentication.

I know it's a royal pain to use sometimes, but man is it effective in stopping these "crime as a service" attack vectors. It's not necessarily the answer to every type of attack, but it is a good measure to reduce issues.
D. Henschen, User Rank: Author, 9/12/2014 | 3:06:37 PM
Salesforce.com Customers: Heed This Advice
Beyond making sure all employees have up-to-date anti-virus software, the key advice from this article for SFDC customers:

Salesforce offers... a powerful multi-factor authentication feature, which is offered by just 16% of cloud providers. When you have multi-factor authentication turned on, the first time a user accesses Salesforce.com from a computer using his username and password, he receives an SMS message with a code he must enter to gain access. This extra step makes it more difficult for attackers with stolen credentials to gain access since hackers typically don't also have access to the cellphone of the person whose login credentials they stole. Another tool available to Salesforce.com customers is IP whitelisting, which enables you to allow access only from IP addresses on your corporate network. This is also an option for companies whose remote users have VPN access.
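The two controls quoted in the comment above, a multi-factor challenge on the first login from an unrecognized device and IP whitelisting restricted to the corporate network or VPN, as an added example that is not from the article, from Salesforce or from the commenter. The network ranges, the device-id field, the policy class and its return strings are all assumptions made for the demonstration.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed corporate ranges (TEST-NET plus a private VPN pool); an assumption for the demo.
CORPORATE_NETS = [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("10.8.0.0/16")]


@dataclass
class LoginAttempt:
    user: str
    src_ip: str
    device_id: str                 # cookie/fingerprint marking a previously verified browser
    password_ok: bool
    otp_ok: Optional[bool] = None  # None: no SMS code was submitted with this attempt


class LoginPolicy:
    """IP allowlisting rejects logins from outside the corporate network or VPN;
    MFA challenges the first login from an unknown device and remembers the
    device once the SMS code is verified."""

    def __init__(self, nets, ip_allowlist=True, require_mfa=True):
        self.nets = nets
        self.ip_allowlist = ip_allowlist
        self.require_mfa = require_mfa
        self.trusted_devices = defaultdict(set)  # user -> verified device ids

    def evaluate(self, a):
        if not a.password_ok:
            return "deny:bad-password"
        src = ipaddress.ip_address(a.src_ip)
        if self.ip_allowlist and not any(src in n for n in self.nets):
            return "deny:ip-not-allowlisted"  # a stolen password is useless off-network
        if self.require_mfa and a.device_id not in self.trusted_devices[a.user]:
            if a.otp_ok is None:
                return "challenge:sms-code"   # ask for the code sent to the user's phone
            if not a.otp_ok:
                return "deny:bad-code"
            self.trusted_devices[a.user].add(a.device_id)
        return "allow"


def stolen_credential_scenario():
    """Replay the article's threat: valid credentials reused from an attacker's machine."""
    policy = LoginPolicy(CORPORATE_NETS)
    victim = LoginAttempt("alice", "203.0.113.10", "alice-laptop", True, otp_ok=True)
    attacker = LoginAttempt("alice", "198.51.100.7", "unknown-box", True)
    mfa_only = LoginPolicy(CORPORATE_NETS, ip_allowlist=False)  # e.g. remote staff without VPN
    return {"victim_enrolls": policy.evaluate(victim),
            "attacker_off_network": policy.evaluate(attacker),
            "attacker_without_code": mfa_only.evaluate(attacker)}
```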
