Upload: laurenellis

Post on 07-Jul-2015

Dyre Straits: Millions of Cloud Users Vulnerable to New Trojan

A powerful new strain of malware called Dyre (or Dyreza) not only poses a serious threat to consumers and businesses, it also signifies the cloud has arrived. Dyre not only uses the cloud as a vector for distributing malware to client machines; once installed it attempts to compromise data sent to secured cloud services. Researchers analyzing Dyre have found that while it is similar to Zeus Trojans, Dyre is a new malware family distinct from previous Trojans. What makes Dyre so dangerous is that it tricks users into believing they are visiting a trusted SSL-secured site, while their information is being intercepted and sent to attackers, including login credentials and other sensitive data.

Attackers deliver Dyre via file sharing services like Dropbox or Cubby and target data sent to online banking sites and secure enterprise cloud services. With the average company using 24 file sharing services, and 34.4% of companies using Cubby, one of the main delivery methods for Dyre, companies are at risk of their users falling victim to this novel malware attack. Skyhigh is tracking the spread of Dyre and played a central role in detecting delivery of the malware via file sharing applications and mitigating the compromise of cloud providers for our customers. While early reports focused on banking sites as targets, enterprise cloud security providers such as Salesforce.com are also targets.

How Dyre Works

Like other Trojans (and like the original wooden Trojan Horse), Dyre is a malicious program that attackers dupe unsuspecting users into downloading and installing on their computers by disguising it as something helpful. In this case, attackers send spear phishing emails impersonating a trusted source and include a link to an invoice or IRS tax document stored on familiar file sharing services like Dropbox and Cubby. Users naturally click the link to view the file because they want to know why their tax refund was returned by their bank, as one email obtained by PhishMe claims. When the user clicks the link, a zip file containing the malware is opened on their computer and an executable installs Dyre.

Once installed, Dyre uses HTTP to establish contact with its command and control site. It monitors all browser activity and relays it to command and control, specifically looking for online banking sites and cloud providers. When a user visits a target site or cloud service, Dyre compromises SSL, making it possible to send unencrypted data to a man-in-the-middle Dyre server while the user still has all indications their session is encrypted and protected with SSL. With this access, the attackers controlling the Dyre server can capture login credentials and sensitive data passed between the user and the website or cloud service.

Enterprises at Risk, Not Just Consumers

Perhaps due to their centralized repositories of sensitive employee and customer data such as banking information and social security numbers, enterprises are a prime target for crime-as-a-service attacks like Dyre that aim to sell information to third parties for a profit. Companies in particular are at increased risk due to unchecked use of file sharing services (the delivery vector), and their increasing use of cloud-based applications that deliver reduced cost and faster time to market, but also mean that sensitive data is stored outside the firewall. Even if companies wanted to block unapproved file sharing services they would not be well equipped to do so. File sharing services like Cubby are not categorized effectively by firewalls and proxies 42.8% of the time.

How Companies Can Protect Themselves

Since Dyre is densely packed and obfuscated, only half of traditional antivirus solutions detect it on an infected computer. Companies should push updates to client machines to update antivirus definitions and also take these proactive steps to prevent exposure to future variants of Dyre, which no doubt will appear in the coming months and years:

- Ensure file sharing access policies are being enforced by updating access policies on firewalls and proxies to block unapproved file sharing apps
- Track all files downloaded from Cubby and other file sharing sites, looking for invoices and other suspicious patterns
- Detect traffic to known command and control sites using the IP addresses associated with Dyre
- Implement an anomaly detection service that identifies unusual access patterns indicating a compromised account
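As an added illustration of the second and third steps above (not code from the original post or from Skyhigh), the following script scans proxy log lines for invoice- or tax-themed archives downloaded from file sharing sites and for contact with known command and control addresses, then correlates the two per client. The log format, the lure pattern, and the C2 address are constructed placeholders; a real deployment would feed it the organization's own proxy logs and a current indicator list.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log lines (hypothetical, not taken from the article).
# Assumed format: timestamp client_ip method url status
PROXY_LOG = """\
2015-06-30T09:12:01Z 10.0.4.17 GET https://www.cubby.com/pl/Invoice_4471.zip 200
2015-06-30T09:12:44Z 10.0.4.17 POST http://203.0.113.45/v1/ping 200
2015-06-30T09:15:09Z 10.0.7.3 GET https://www.dropbox.com/s/team-photo.jpg 200
2015-06-30T09:16:30Z 10.0.7.3 GET https://www.dropbox.com/s/IRS_tax_refund_2014.zip 200
2015-06-30T09:20:00Z 10.0.4.17 POST http://203.0.113.45/v1/ping 200
"""

# File sharing services the article names as Dyre delivery vectors.
FILE_SHARING_DOMAINS = ("cubby.com", "dropbox.com")
# Placeholder C2 address from the RFC 5737 documentation range; real indicators
# come from a threat intelligence feed, not from this page.
KNOWN_C2_IPS = {"203.0.113.45"}
# Lure names the article describes (invoices, IRS tax documents) as archives/executables.
LURE_RE = re.compile(r"(invoice|irs|tax|refund)[^/]*\.(zip|exe|scr)$", re.I)


def is_file_sharing_host(host):
    """True if host is one of the tracked file sharing services or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in FILE_SHARING_DOMAINS)


def analyze(log_text):
    """Return {'lure_downloads': [...], 'c2_contacts': [...]} as (client_ip, url) tuples."""
    findings = {"lure_downloads": [], "c2_contacts": []}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines instead of aborting the scan
        _ts, client_ip, _method, url, _status = parts
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if is_file_sharing_host(host) and LURE_RE.search(parsed.path):
            findings["lure_downloads"].append((client_ip, url))
        if host in KNOWN_C2_IPS:
            findings["c2_contacts"].append((client_ip, url))
    return findings


def likely_infected(findings):
    """Clients that both fetched a lure file and later talked to a known C2 address."""
    lured = {ip for ip, _ in findings["lure_downloads"]}
    beaconing = {ip for ip, _ in findings["c2_contacts"]}
    return lured & beaconing


if __name__ == "__main__":
    result = analyze(PROXY_LOG)
    for kind, hits in result.items():
        print(kind, *hits, sep="\n  ")
    print("likely infected:", sorted(likely_infected(result)))
```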

Additionally, Skyhigh customers can view anomaly events that can indicate a compromised account. The machine-learned detection of anomalies covers many attributes including content, location, device, access patterns, time of day, etc., for every user. To view compromised accounts:

1. Log in to the Skyhigh dashboard

2. Select Anomalies Overview from the Analyze menu

3. Use the Anomaly type filter on the left to select anomaly

4. Use the Service type filter on the left to view services vulnerable to Dyre

5. Use the Service, Time/Date, and User/IP Address to investigate

Salesforce was one of the cloud security providers potentially compromised by Dyre. While Salesforce recommends several steps including implementing IP whitelisting and multi-factor authentication, Skyhigh customers can also enforce access policies to limit access only to registered devices. Follow these steps:

1. Log in to the Skyhigh dashboard

2. Select Service Management from the Secure menu

3. Select Mobile Access Settings under Salesforce.com

4. Add a policy based on OS Type, and all OS Versions to Register device

5. Click Save Device Access Settings to apply the policy

Author:

Lauren Ellis is a research analyst covering the technology industry's top trends and topics, focusing on Cloud Security, Cloud Computing, Data Loss Prevention, and related areas.