Incident Response, Malware, TDR

Salesforce warns of Dyre malware possibly targeting users

Customer relationship management software provider Salesforce has posted a notification on its website stating that, on Sept. 3, a security partner had identified Dyre malware – also known as Dyreza – possibly being used to target Salesforce users.

Initially discovered in June as what appeared to be a previously undocumented malware strain, researchers quickly learned that Dyre was primarily being used to steal banking credentials from specific financial institutions, including Bank of America and Citigroup.

Now Dyre could be going after Salesforce credentials, possibly to enable theft of databases or to further spread the malware through a known source, Tomer Weingarten, CEO of SentinelOne, told on Monday, adding that Dyre can be repurposed to go after any type of credentials.

Salesforce is investigating, but indicated in the alert that it has no evidence that any of its users have actually been compromised by the threat. The company added that it would reach out and work with any customer who may become infected with the malware.

The notification does specify how Salesforce users are possibly being targeted, but Weingarten said that Dyre had previously been spread through phishing emails and speculated that the same method is being used in this instance.

“Try not to open anything that is remotely suspicious,” Weingarten said, explaining that the attackers could be crafting emails using a Salesforce template with Dyre uploaded as an attachment. Attackers could also use exploit kits, he added.

Salesforce suggests ensuring that anti-virus solutions are updated to detect Dyre, according to the notification. Other recommendations include using security capabilities of the Salesforce platform, such as allowing user access only from the corporate network or a VPN, and using SMS identity confirmation for when logging in from an unknown source.

After identifying Dyre as part of a phishing scheme in June, Ronnie Tokazowski, a senior researcher with PhishMe, told that the malware monitors network traffic and bypasses SSL mechanisms in browsers, as well as surreptitiously modifies network traffic and redirects users back to legitimate sites. He added that Dyre uses “browser hooking” in order to steal submitted login data just prior to the information being encrypted.

When reached out to for further comment, a Salesforce spokesperson referred to the notification.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.