Dyre Straits: Why This Cloud Attack's Different - InformationWeek


Cloud // Software as a Service
12:10 PM
Kaushik Narayan


Dyre is a new breed of Trojan, attacking cloud apps and using the cloud as a delivery vehicle.


The cloud has officially arrived. You can tell by all the recent data security attacks on cloud apps.

Hot on the heels of the iCloud breach that exposed many personal photos of celebrities, a new Trojan called Dyre (or Dyreza) has appeared, attacking trusted business-class cloud software, including Salesforce.com. Dyre not only uses the cloud as a way to install malware on a user's computer, but once it's on your computer the malware scans for passwords and data uploaded to secure cloud services.

Researchers consider Dyre a new family of malware, distinct from previous Trojans. Like other Trojans, Dyre relies on tricking users into downloading and installing it by disguising the download as something useful, and then quietly stealing data from the unsuspecting user. But the way it attacks users is novel: It uses browser hooks to acquire data before it is protected by SSL. It is part of a new generation of crime-as-a-service malware developed by criminal organizations to extract user information that they then sell to the highest bidder.

Companies are attractive targets for attackers because they store vast amounts of employee and customer data. Today, even the largest enterprises rely on cloud services for business-critical functions, and that sensitive data is increasingly stored in centralized locations in the cloud rather than behind the company's firewall. That makes these cloud services prime targets for attackers, which is why, in addition to targeting online banking sites as has been widely reported, Dyre also targets Salesforce.com, one of the most successful and most trusted cloud services used by businesses.


Dyre's method of attack even uses the cloud, relying on popular file-sharing services for distribution. Skyhigh Networks (the cloud security company where I'm CTO and co-founder) tracks the top cloud services and found the average company uses 24 file-sharing services, meaning there are many potential vectors for Dyre to enter the enterprise and infect unsuspecting users.

How Dyre works
First, a user receives an email containing a link to a file hosted on a file-sharing service like Dropbox or Cubby. The user opens the link because the email says it contains an overdue invoice, say, or an explanation for why his IRS tax return was not transferred to his bank. In other words, Dyre is delivered via a classic spear-phishing email, but it uses a novel way of storing the malware on trusted cloud services used by consumers. Once the user opens the link, the file is downloaded, unzipped, and Dyre installs on the computer. After phoning home to a command-and-control site, Dyre quietly monitors all browser activity, waiting for certain sites or cloud apps to be accessed.

What makes Dyre particularly dangerous is that when a user visits a target site, say, Bank of America or Salesforce.com, the session is encrypted via SSL, and the browser shows all the usual indications that the session is secure. However, Dyre uses browser hooking to intercept and read data inside the browser before it is protected by SSL. This way the malware gains access not only to the data users transfer to or from a cloud service, but also to their login credentials, which the attackers can sell for a profit. Considering the type of sensitive data companies store in the cloud today, a compromised account could expose Social Security numbers, bank account information, protected health information, intellectual property, and more.
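The chain described above (link to a file-sharing service, archive download, then a phone-home to command-and-control) leaves a footprint in web proxy logs. The following added example, not code from the article or from Skyhigh Networks, correlates a .zip download from one of the file-sharing services the article names with a subsequent beacon-like POST from the same host; the log format, the sample lines and the "bare IP on a non-443 port" beacon heuristic are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy log lines for this example (not from the article):
# "<ISO timestamp> <host> <method> <url>". ws-017 follows the chain the
# article describes; ws-042 downloads an archive but never beacons out.
SAMPLE_LOG = """\
2014-09-10T09:01:12 ws-017 GET https://intranet.example.com/news
2014-09-10T09:03:40 ws-017 GET https://www.dropbox.com/s/abc123/Invoice_8827.zip?dl=1
2014-09-10T09:05:05 ws-017 POST https://198.51.100.23:4443/
2014-09-10T09:06:30 ws-017 GET https://login.salesforce.com/
2014-09-10T09:10:00 ws-042 GET https://www.dropbox.com/s/xyz789/team-photo.zip?dl=1
2014-09-10T09:12:00 ws-042 GET https://www.cubby.com/p/def456/report.pdf
"""

FILE_SHARING = ("dropbox.com", "cubby.com")   # services named in the article
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+)$")
DOMAIN_RE = re.compile(r"^https?://([^/?:]+)")
# Assumed heuristic: a POST straight to a bare IPv4 address on a non-443 port.
BEACON_RE = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}:(?!443\b)\d+/")

def parse(log_text):
    """Turn log lines into (timestamp, host, method, url) tuples; skip junk."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, method, url = m.groups()
            events.append((datetime.fromisoformat(ts), host, method, url))
    return events

def is_share_archive(url):
    """True for a .zip fetched from one of the listed file-sharing services."""
    domain = DOMAIN_RE.match(url).group(1)
    return domain.endswith(FILE_SHARING) and url.split("?")[0].lower().endswith(".zip")

def find_suspects(log_text, window=timedelta(minutes=10)):
    """Map host -> (archive URL, beacon URL) for hosts that fetched an archive
    from a file-sharing service and then POSTed to a beacon-like address within
    `window`. Ordering matters: the beacon must come after the download."""
    per_host = defaultdict(list)
    for ev in parse(log_text):
        per_host[ev[1]].append(ev)
    suspects = {}
    for host, events in per_host.items():
        downloads = [(ts, url) for ts, _, _, url in events if is_share_archive(url)]
        for ts, url in downloads:
            for ts2, _, method, url2 in events:
                if method == "POST" and ts < ts2 <= ts + window and BEACON_RE.match(url2):
                    suspects.setdefault(host, (url, url2))
    return suspects
```

On the sample log only ws-017 is flagged; a beacon that precedes the download, or falls outside the window, is ignored so that unrelated traffic is not correlated.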

Protecting your company from this new generation of malware will require a multi-layered approach including firewalls, proxies, antivirus, and security features from cloud providers that customers don't always use.

Don't expect cloud providers to take the initiative -- or even take responsibility -- for securing data. Many of their terms and conditions place the burden directly on the customer. That means


Kaushik Narayan is a Co-Founder and CTO at Skyhigh Networks, a cloud security company, where he is responsible for Skyhigh's technology vision and software architecture. He brings over 18 years of experience driving technology and architecture strategy for enterprise-class ...
D. Henschen, User Rank: Author
9/12/2014 | 3:06:37 PM
Salesforce.com Customers: Heed This Advice
Beyond making sure all employees have up-to-date anti-virus software, the key advice from this article for SFDC customers:

Salesforce offers... a powerful multi-factor authentication feature, which is offered by just 16% of cloud providers. When you have multi-factor authentication turned on, the first time a user accesses Salesforce.com from a computer using his username and password, he receives an SMS message with a code he must enter to gain access. This extra step makes it more difficult for attackers with stolen credentials to gain access since hackers typically don't also have access to the cellphone of the person whose login credentials they stole. Another tool available to Salesforce.com customers is IP whitelisting, which enables you to allow access only from IP addresses on your corporate network. This is also an option for companies whose remote users have VPN access.