Salesforce recently announced that the Dyreza malware (aka Dyre) may pose a risk for its customers. This particular malware strain has been seen targeting banks and falls into a class of man-in-the-middle trojans. Targeting Salesforce is new behavior for this malware, but there is no reason why it could not be readily adapted to target Salesforce or any other SaaS application for that matter.
The idea behind Dyreza is not new by any stretch of the imagination. For example, the Zeus family of malware has been used to engage in similar compromises on banks and other financial institutions. That said, Dyreza does not seem to be a derivative work of Zeus; instead it appears to be an entirely new creation.
The malware will typically infect a system via straightforward social engineering mechanisms. For example, a victim will receive an email containing a hyperlink with messaging that entices the victim to click on it. Upon doing so, the victim is presented with the Dyreza malware for download.
Once installed on the system, the Dyreza malware will, among other things, employ a technique known as browser hooking. Browser hooking allows Dyreza to intercept content the user enters into the web browser before that content is transmitted over the network to a web site; in particular, the interception occurs before the data is encrypted.
Moreover, Dyreza will siphon the victim's traffic to a special server it controls rather than to the actual SaaS service, such as Salesforce, with which the user believed they were communicating. At this point, the attacker has access to the victim's credentials, e.g., their username, password and also any additional two-factor authentication token values. The attacker can leverage this information to impersonate the user and fraudulently access their account for Salesforce or other SaaS services targeted by Dyreza.
So far, none of Elastica's customers appears to have been impacted by this threat, but we are monitoring the situation closely. Elastica's Detect, Protect, and Investigate applications can all provide protection capabilities against Dyreza and similar malware. In particular, Detect can pinpoint account impersonation and misuse through anomaly detection and malware identification techniques, which will raise the user's risk score. Through Elastica's Protect application, fraudulent users can have their access blocked automatically. Finally, because Elastica's Investigate application provides detailed log information regarding how users interact with SaaS applications, it can be used to unearth any suspicious behavior, like the user connecting to Salesforce or any other SaaS application through some unconventional means (e.g., from a geographic location that is outside the user's typical region).
Salesforce also offers additional mechanisms for mitigating the risk associated with this attack. For example, administrators can put IP address restrictions in place so that Salesforce only accepts connections that originate from within a corporate network or via your company’s virtual private network (VPN).
This measure would thwart the Dyreza attack since the attackers will not be permitted to communicate with Salesforce from their own servers. Salesforce also enables similar restrictions through SAML-based authentication. Additional information on Salesforce's security practices is available at http://www.trust.salesforce.com/trust/practices/
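The two defensive signals described above (the corporate IP restriction and the Investigate-style check for logins from outside a user's usual region) can be combined into a simple login triage. The following is an added illustration, not Elastica's or Salesforce's code; the network ranges, user baselines and login events are constructed placeholders.

```python
"""Flag SaaS logins that fall outside the corporate IP allowlist or a user's
usual region. Illustrative example with constructed data, not vendor code."""
import ipaddress
from typing import Iterable

# Hypothetical corporate network and VPN egress ranges (documentation prefixes).
CORP_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]

# Per-user baseline of countries seen in normal login history (constructed).
USER_REGIONS = {"alice": {"US"}, "bob": {"US", "CA"}}

# Constructed login events: user, source IP and the country the IP resolves to.
LOGIN_EVENTS = [
    {"user": "alice", "ip": "203.0.113.45", "country": "US"},
    {"user": "alice", "ip": "192.0.2.77", "country": "RO"},
    {"user": "bob", "ip": "198.51.100.9", "country": "CA"},
    {"user": "bob", "ip": "192.0.2.200", "country": "US"},
]


def in_corporate_network(ip: str) -> bool:
    """True if the source address lies inside one of the allowed ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORP_NETWORKS)


def assess_login(event: dict) -> list[str]:
    """Return the reasons this login looks suspicious (empty list if none)."""
    reasons = []
    if not in_corporate_network(event["ip"]):
        reasons.append("source outside corporate/VPN ranges")
    known = USER_REGIONS.get(event["user"], set())
    if event["country"] not in known:
        reasons.append(f"country {event['country']} not in user's baseline")
    # A valid password and 2FA token do not clear these flags: a relayed token
    # looks legitimate to the SaaS service, so network origin is the stronger signal.
    return reasons


def flag_logins(events: Iterable[dict]) -> list[tuple[str, str, list[str]]]:
    """Run every event through assess_login and keep the flagged ones."""
    return [(e["user"], e["ip"], r) for e in events if (r := assess_login(e))]


if __name__ == "__main__":
    for user, ip, reasons in flag_logins(LOGIN_EVENTS):
        print(f"{user} from {ip}: {'; '.join(reasons)}")
```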
It is also important to note that two-factor authentication, while generally desirable, may not be sufficient to stop Dyreza. In particular, all of the victim's traffic is siphoned off to Dyreza's servers, including two-factor authentication token values. Through standard automation techniques, the attackers can use these token values in real time. Therefore, it continues to be important for Elastica's customers to be vigilant about potential compromises.