A powerful new strain of malware called Dyre (or Dyreza) not only poses a serious threat to consumers and businesses, it also signifies the cloud has arrived. Dyre not only uses the cloud as a vector for distributing malware to client machines, once installed it attempts to compromise data sent to secured cloud services. Researchers analyzing Dyre have found that while it is similar to Zeus Trojans, Dyre is a new malware family distinct from previous Trojans. What makes Dyre so dangerous is that it tricks users into believing they are visiting a trusted SSL-secured site, but their information is being intercepted and sent to attackers, including login credentials and other sensitive data.
Attackers deliver Dyre file sharing service like Dropbox or Cubby and target data sent to online banking sites and secure enterprise cloud services. With the average company using 24 file sharing services, and 34.4% of companies using Cubby, one of the main delivering methods for Dyre, companies are at risk of their users falling victim to this novel malware attack. Skyhigh is tracking the spread of Dyre and played a central role in detecting delivery of the malware via file sharing applications and mitigating the compromise of cloud providers for our customers. While early reports focused on banking sites as targets, enterprise cloud providers such as Salesforce.com are also targets.
How Dyre Works
Like other Trojans (and like the original wooden Trojan Horse), Dyre is a malicious program that attackers dupe unsuspecting users into downloading and installing on their computers by disguising it as something helpful. In this case, attackers send spear phishing emails impersonating a trusted source and include a link to an invoice or IRS tax document stored on familiar file sharing services like Dropbox and Cubby. Users naturally click the link to view the file because they want to know why their tax refund was returned by their bank, as one email obtained by PhishMe claims. When the user clicks the link, a zip file containing the malware is opened on their computer and an executable installs Dyre.
Once installed, Dyre uses HTTP to establish contact with its command and control site. It minitors all browser activity and relays it to command and control, specifically looking for online banking sites and cloud providers. When a user visits a target site or cloud service, Dyre compromises SSL, making it possible to send unencrypted data to a man-in-the middle Dyre server while the user still has all indications their session is encrypted and protected with SSL. With this access, the attackers controlling the Dyre server can capture login credentials and sensitive data passed between the user and website or cloud service.
Enterprises at Risk, Not Just Consumers
Perhaps due to their centralized repositories of sensitive employee and customer data such as banking information and social security numbers, enterprises are a prime target for crime-as-a-service attacks like Dyre that aim to sell information to third parties for a profit. Companies in particular are at increased risk due to unchecked use of file sharing services (the delivery vector), and their increasing use of cloud-based applications that deliver reduced cost and faster time to market, but also mean that sensitive data is stored outside the firewall. Even if companies wanted to block unapproved file sharing services they would not be well equipped to do so. File sharing services like Cubby are not categorized effectively by firewalls and proxies 42.8% of the time.
How Companies Can Protect Themselves
Since Dyre is densely packed and obfuscated, only half of traditional antivirus solutions detect it on an infected computer. Companies should push updates to client machines to update antivirus definitions and also take these proactive steps to prevent exposure to future variants of Dyre which no doubt will appear in the coming months and years:
- Ensure file sharing access policies are being enforced by updating access policies on firewalls and proxies to block unapproved file sharing apps
- Track all files downloaded from Cubby and other file sharing sites, looking for invoices and other suspicious patterns
- Detect traffic to known command and control sites using the IP addresses associated with Dyre
- Implement an anomaly detection service that identifies unusual access patterns indicating a compromised account
Additionally, Skyhigh customers can view anomaly events that can indicate a compromised account. The machine learned detection of anomalies covers many attributes including content, location, device, access patterns, time of day, etc., for every user. To view compromised accounts:
- Login to the Skyhigh dashboard
- Select Anomalies Overview from the Analyze menu
- Use the Anomaly type filter on the left to select anomaly
- Use the Service type filter on the left to view services vulnerable to Dyre
- Use the Service, Time/Date, and User/IP Address to investigate
Salesforce was one of the cloud providers potentially compromised by Dyre. While Salesforce recommends several steps including implementing IP whitelisting and multi-factor authentication, Skyhigh customers can also enforce access policies to limit access only to registered devices. Follow these steps:
- Login to the Skyhigh dashboard
- Select Service Management from the Secure menu
- Select Mobile Access Settings under Salesforce.com
- Add a policy based on OS Type, and all OS Versions to Register device
- Click Save Device Access Settings to apply policy