Financial Services Firms Shellshocked, Under Dyre Attack in 2015

IBM X-Force issues a new report showing that financial services firms were at great risk from Shellshock and the Dyre banking Trojan, though in 2016 the risks are likely to change.

Hackers going after banks is not a new trend, but according to a new report from IBM, financial services attackers are using different tools and tactics to steal information and money.

The IBM X-Force research found that in 2015, the average cost for a breached financial record was $215, with approximately 20 million financial records breached in the year. Of particular note in IBM's research is the finding that in 2015, attackers made extensive use of the Shellshock vulnerability to attack banks. The Shellshock vulnerability was first disclosed in September 2014 and is a flaw in the open-source Bash shell.

David McMillen, senior threat researcher for IBM Managed Security Services, said the fact that Shellshock was a top attack vector was a huge surprise. "We have seen many vulnerabilities exploited, but none quite as robustly and for as long a period in time," McMillen told eWEEK. "Taking Shellshock out of the mix, we are left with a completely expected volume of attacks from malicious attachments or links, which almost matched Shellshock volumes exactly."

In terms of how Shellshock is being used by attackers, McMillen said IBM Managed Security Services has detected many delivery mechanisms for the vulnerability, including Metasploit. Metasploit is an open-source penetration testing framework that is used by security researchers and sometimes abused by attackers to exploit software vulnerabilities.

"The vast majority of Shellshock traffic that was detected in 2015 contained exploit strings to bulk test Internet-facing hosts for the core Shellshock vulnerability using exploitation vectors that were explicitly tailored to affect OpenSSH, CGI Web and Qmail," he said. "Many of the tools used to exploit Shellshock were homegrown, other than mainstream tools like Metasploit."
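The bulk testing of CGI endpoints McMillen describes leaves a distinctive trace in web server logs: a Bash function-definition marker in a request header that a CGI script would receive as an environment variable. The following is an added example, not code from the article or from IBM's report, that parses constructed Apache combined-format log lines, flags that marker in the request line, Referer and User-Agent fields, and tallies hits per source address; the log lines and IP addresses are constructed samples.

```python
import re
from collections import Counter

# Constructed sample lines in Apache "combined" format (not from the article).
# The last two quoted fields are Referer and User-Agent, both of which a CGI
# script receives as environment variables, which is why probes put the
# payload there. Payloads here are inert markers, not real commands.
SAMPLE_LOGS = [
    '203.0.113.5 - - [14/Feb/2016:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [14/Feb/2016:10:01:03 +0000] "GET /cgi-bin/status HTTP/1.1" 200 88 "-" "() { :;}; echo shellshock-probe"',
    '198.51.100.7 - - [14/Feb/2016:10:01:04 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 0 "() { ignored; }; echo probe" "curl/7.29"',
    '203.0.113.9 - - [14/Feb/2016:10:02:00 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux)"',
]

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# "() {" at the start of a header value is the Bash function-definition
# syntax that the Shellshock bug parsed from environment variables; it has
# no legitimate reason to appear in a browser-supplied header.
SHELLSHOCK_MARKER = re.compile(r"\(\)\s*\{")

def parse_combined(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None

def find_shellshock_probes(lines):
    """Return one hit per log line whose request, Referer or User-Agent carries the marker."""
    hits = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue
        for field in ("request", "referer", "ua"):
            if SHELLSHOCK_MARKER.search(rec[field]):
                hits.append({"ip": rec["ip"], "field": field,
                             "request": rec["request"], "status": rec["status"]})
                break  # one hit per line is enough for triage
    return hits

def count_by_source(hits):
    """Bulk scanning shows up as many hits from one address; tally them."""
    return dict(Counter(h["ip"] for h in hits))

if __name__ == "__main__":
    probes = find_shellshock_probes(SAMPLE_LOGS)
    for h in probes:
        print(f"{h['ip']} marker in {h['field']}: {h['request']} -> {h['status']}")
    print(count_by_source(probes))
```

A 200 response to a flagged request means only that the CGI path exists, not that the host was vulnerable; confirm Bash patch level and look for unexpected child processes of the web server before treating a hit as a compromise.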

Dyre Malware on the Rise

Another key trend that IBM observed during 2015 was the rise of Dyre malware as the top banking Trojan in use during the year, at 24 percent of attacks, surpassing the Zeus v2 banking Trojan, which represented 13 percent of attacks. Dyre's rise to prominence in 2015 was a reversal of its status in 2014. In 2014, IBM's research found that Zeus v2 represented 36 percent of Trojan attacks, while Dyre was responsible for only 5 percent.

There are major differences between Dyre and Zeus, according to Limor Kessem, a researcher at IBM Security.

"Zeus was a commercial offering that was operated by many different criminals and small factions at a time when organized cybercrime was more of a rare phenomenon," Kessem told eWEEK.

She added that Zeus was, and still is, one of the best Trojans out in the wild. That said, in technical terms or in the effectiveness of their fraud capabilities, Zeus and Dyre are not all that different.

"What makes Dyre special is its strong software development team, which kept it elusive and effective through its nefarious activities, meticulous organization and what appear to be well-connected bosses that managed to orchestrate unprecedented attack campaigns like Dyre Wolf," Kessem said. "Those factors made Dyre more effective in robbing much more money, and much faster, than any sole Zeus operator/faction ever did within the same time frame."

The Dyre Wolf campaign was reported by multiple security firms in May 2015 as a high-impact attack on financial services firms.

While Dyre was successful through most of 2015, its reign of terror might now be at an end, as the Russian government took action at the end of 2015 to disrupt Dyre operations. Kessem said that IBM X-Force research indicates that Dyre did indeed fall silent in November 2015.

"According to our IBM Trusteer data, malware infection rates dropped sharply around Nov. 18, with new user infections appearing in the single digits per day at most," Kessem said. "It has been close to three months now since Dyre went silent, and our data does not show any significant activity appearing as of late."

Dyre isn't the only threat that started to drop off last November—the risk from Shellshock is in decline as well. Looking forward to the threat landscape of 2016, McMillen expects that the Shellshock threat that was very loud in 2015 should fall back significantly, due in large part to the massive press it received, which resulted in a major patching initiative for most enterprise network administrators.

"As was seen with SQL Slammer, Shellshock attacks are expected to be visible for many months to come as unpatched targets will certainly remain, although the volume will fall to background noise, which has already started as of November 2015," he said.

While the big threats of 2016 are just now emerging, IBM has a few recommendations to help financial services organizations protect themselves from cyber-threat risks. McMillen suggests that the top two things that financial companies should do to protect against evolving threats are employee training and vulnerability mitigation.

"Develop a training program that educates employees about the dangers of phishing as well as deploying anti-phishing controls at the mail gateway," he said. "Additionally, ensure your IT teams have a very aggressive vulnerability mitigation program that allows management of patches across multiple operating systems that includes implementation of real-time monitoring and reporting.

"Both of these elements are the root entry points of the attack landscape we see today," McMillen added.

Sean Michael Kerner is a senior editor at eWEEK. Follow him on Twitter @TechJournalist.

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.