12:10 PM
Kaushik Narayan
Kaushik Narayan

Dyre Straits: Why This Cloud Attack's Different

Dyre is a new breed of Trojan, attacking cloud apps and using the cloud as a delivery vehicle.

 Apple's Next Chapter: 10 Key Issues
Apple's Next Chapter: 10 Key Issues
(Click image for larger view and slideshow.)

The cloud has officially arrived. You can tell by all the recent data security attacks on cloud apps.

Hot on the heels of the iCloud breach that exposed many personal photos of celebrities, a new Trojan called Dyre (or Dyreza) has appeared, attacking trusted business-class cloud software, including Dyre not only uses the cloud as a way to install malware on a user's computer, but once it's on your computer the malware scans for passwords and data uploaded to secure cloud services.

Researchers consider Dyre a new family of malware, different from previous Trojans. Like other Trojans, attackers attempt to trick users into downloading and installing Dyre on their computers by disguising the download as something useful and then quietly stealing data from unsuspecting users. But the way it attacks users is novel: It uses browser hooks to acquire data protected by SSL. It's part of a new generation of crime-as-a-service malware developed by criminal organizations to extract user information so they can sell it to the highest bidder.

Companies are attractive targets for attackers because they store vast amounts of employee and customer data. Today, even the largest enterprises rely on cloud services for business-critical functions, and that sensitive data is increasingly stored in centralized locations in the cloud rather than behind the company's firewall. That makes these cloud services prime targets for attackers, which is why, in addition to targeting online banking sites as has been widely reported, Dyre also targets, one of the most successful and most trusted cloud services used by businesses.

[Do you need a deeper leadership bench? Send your most promising leaders to our InformationWeek Leadership Summit, Sept. 30 in New York City, for a day of peer learning and strategic speakers.]

Dyre's method of attack even uses the cloud, relying on popular file-sharing services for distribution. Skyhigh Networks (the cloud security company where I'm CTO and co-founder) tracks the top cloud services and found the average company uses 24 file-sharing services, meaning there are many potential vectors for Dyre to enter the enterprise and infect unsuspecting users.

How Dyre works
First, a user receives an email containing a link to a file hosted on a file-sharing service like Dropbox or Cubby. The user opens the link because the email says it contains an overdue invoice, say, or an explanation for why his IRS tax return was not transferred to his bank. In other words, Dyre is delivered via a classic spear-phishing email, but it uses a novel way of storing the malware on trusted cloud services used by consumers. Once the user opens the link, the file is downloaded, unzipped, and Dyre installs on the computer. After phoning home to a command-and-control site, Dyre quietly monitors all browser activity, waiting for certain sites or cloud apps to be accessed.

What makes Dyre particularly dangerous is that when a user visits a target site, say, Bank of America or, that session is encrypted via SSL, and those sites have all the indications that the browser session is secure. However, Dyre uses browser-hooking to infiltrate and view data before it is protected by SSL. This way the malware not only gains access to the data users transfer to or from a cloud service, but also to their login credentials, which the attackers can sell for a profit. Considering the type of sensitive data companies store in the cloud today, a compromised account could expose Social Security numbers, bank account information, protected health information, intellectual property, and more.

Protecting your company from this new generation of malware will require a multi-layered approach including firewalls, proxies, antivirus, and security features from cloud providers that customers don't always use.

Don't expect cloud providers to take the initiative -- or even take responsibility -- for securing data. Many of their terms and conditions place the burden directly on the customer. That means

Next Page

first selecting cloud providers that meet your data security and governance requirements and blocking access to the riskiest services that do not meet minimum standards to prevent corporate data from being uploaded to shadow IT cloud services.

This step is not enough. File-sharing services, the main vector for distributing Dyre, are categorized correctly by only 43% of web proxies and firewalls, making it difficult to block them at the network level. Robust security education and awareness are crucial to deter employees from downloading apps that can't be blocked effectively, and also to promote less-risky apps that could have value for the company if used properly.

Dyre is densely packaged and obfuscated, making detection by antivirus software difficult. At the time of this writing, only half of antivirus software systems are able to detect Dyre on client computers. Your company should ensure that antivirus software on employee machines is configured to update virus definitions periodically to offer some level of protection against the current version of Dyre as well as future variants that will likely emerge in the coming months and years.

Protecting essential SaaS apps
So far I've discussed traditional approaches to security on premises, but let's also cover some security steps companies can take to make cloud applications like Salesforce as secure as possible.

Salesforce is one of the most secure cloud platforms in the world, offering a wide range of security features not employed by all cloud providers. One of the most powerful is multi-factor authentication, which is offered by just 16% of cloud providers. When you have multi-factor authentication turned on, the first time a user accesses from a computer using his username and password, he receives an SMS message with a code he must enter to gain access. This extra step makes it more difficult for attackers with stolen credentials to gain access since hackers typically don't also have access to the cellphone of the person whose login credentials they stole. Another tool available to customers is IP whitelisting, which enables you to allow access only from IP addresses on your corporate network. This is also an option for companies whose remote users have VPN access.

Given the success of Dyre, we can expect to see new variants emerge in the same way the Zeus Trojan continued to harm companies for years after it was released into the wild. It's also clear the cloud is here to stay, and we'll likely see more attacks using the cloud as a vector for delivering malware, and with secure cloud services like as targets of attackers.

If there's a bright side to this incident, it's that cloud services are providing value, as evidenced by companies relying on them for business-critical functions and data. Unfortunately, attackers always go where the data is. However, using a multi-layered approach, companies can significantly decrease their exposure to attacks on cloud data.

Cloud Connect (Sept. 29 to Oct. 2, 2014) brings its "cloud-as-business-enabler" programming to Interop New York for the first time in 2014. The two-day Cloud Connect Summit will give Interop attendees an intensive immersion in how to leverage the cloud to drive innovation and growth for their business. In addition to the Summit, Interop will feature five cloud workshops programmed by Cloud Connect. The Interop Expo will also feature a Cloud Connect Zone showcasing cloud companies' technology solutions. Register with Discount Code MPIWK or $200 off Total Access or Cloud Connect Summit Passes.

Kaushik Narayan is a Co-Founder and CTO at Skyhigh Networks, a cloud security company, where he is responsible for Skyhigh's technology vision and software architecture. He brings over 18 years of experience driving technology and architecture strategy for enterprise-class ... View Full Bio
We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Email This  | 
Print  | 
More Insights
Copyright © 2019 UBM Electronics, A UBM company, All rights reserved. Privacy Policy | Terms of Service