Attacks/Breaches
2/19/2014
01:34 PM
Connect Directly
RSS
E-Mail
50%
50%

New Zeus Variant Targets Salesforce.com

New attack shows the adaptability of Zeus and the challenges of policing an ever-expanding network perimeter

As the saying goes, the one constant in life is change. In the world of cybersecurity, few pieces of malware symbolize this more than Zeus.

Best known as a banking Trojan, a recently discovered attack shows that Zeus has turned a new page. Instead of going after banking credentials, this new version is focused on software-as-a-service (SaaS) applications. According to SaaS security vendor Adallom, the malware was targeting user credentials for Salesforce.com in what appears to be a targeted attack that began on a computer in an employee's home.

The situation was uncovered a few weeks ago when an alert was triggered for an Adallom customer's Salesforce.com instance after a single user performed hundreds of view operations in a short period of time. The subsequent investigation revealed that the behavior was traced to a home computer running Windows XP and an old version of Internet Explorer. The employee had been using the computer to catch up on work during off-hours.

A malware scan uncovered a Zeus variant configured to detect Salesforce.com authenticated sessions instead of banking sites. The variant was designed to crawl the site and create a real-time copy of the user's Salesforce.com instance. A copy of the temporary folder that was created contained all the information from the company account.

"This looks like a targeted attack against the company, cleverly targeting the employee home instead of the enterprise – thus bypassing the company controls," says Ami Luttwak, co-founder and CTO of Adallom. "This was probably just the first step, using the Zeus Web inject capabilities they could have used the same tactics as in the banking sites attacks and ask the user to enter more information regarding his company credentials or send out messages in his name."

"This version of Zeus seems hardcoded for this specific attack; we didn't yet see configuration pack circling around for Salesforce in general," he says. "However, the configuration itself is trivial --- the adaptability of Zeus and frankly any other Zeus variant to these scenarios is frightening, all existing Zeus bots can be turned against SaaS apps in a simple matter of a configuration change. In fact, the security of banking sites is years ahead of SaaS applications so makes them much easier prey."

So far, it is not known how the computer was initially infected. But the fact that the computer was not a corporate device underscores the challenges organizations are facing in the age of bring-your-own-device and an extended perimeter.

"I can only come to the conclusion that companies are either ignorant of, or oblivious to, the fact that along with SaaS adoption comes BYOD," says Luttwak. "The SaaS applications are themselves safe, but the implications of using them from unmanaged devices are either disregarded or unaddressed, at least pragmatically so. I think we can agree that asking employees to connect to Salesforce.com over a corporate VPN is unpragmatic. The core problem is that security teams do not feel accountable for the security of SaaS applications."

"The SaaS/cloud shared responsibility model means that the provider is responsible for securing the infrastructure while the company is responsible for securing account activities," he adds.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Must Reads - September 25, 2014
Dark Reading's new Must Reads is a compendium of our best recent coverage of identity and access management. Learn about access control in the age of HTML5, how to improve authentication, why Active Directory is dead, and more.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2003-1598
Published: 2014-10-01
SQL injection vulnerability in log.header.php in WordPress 0.7 and earlier allows remote attackers to execute arbitrary SQL commands via the posts variable.

CVE-2011-4624
Published: 2014-10-01
Cross-site scripting (XSS) vulnerability in facebook.php in the GRAND FlAGallery plugin (flash-album-gallery) before 1.57 for WordPress allows remote attackers to inject arbitrary web script or HTML via the i parameter.

CVE-2012-0811
Published: 2014-10-01
Multiple SQL injection vulnerabilities in Postfix Admin (aka postfixadmin) before 2.3.5 allow remote authenticated users to execute arbitrary SQL commands via (1) the pw parameter to the pacrypt function, when mysql_encrypt is configured, or (2) unspecified vectors that are used in backup files gene...

CVE-2012-5485
Published: 2014-09-30
registerConfiglet.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via unspecified vectors, related to the admin interface.

CVE-2012-5486
Published: 2014-09-30
ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Chris Hadnagy, who hosts the annual Social Engineering Capture the Flag Contest at DEF CON, will discuss the latest trends attackers are using.