Attacks/Breaches
2/19/2014
01:34 PM
Connect Directly
RSS
E-Mail
50%
50%

New Zeus Variant Targets Salesforce.com

New attack shows the adaptability of Zeus and the challenges of policing an ever-expanding network perimeter

As the saying goes, the one constant in life is change. In the world of cybersecurity, few pieces of malware symbolize this more than Zeus.

Best known as a banking Trojan, a recently discovered attack shows that Zeus has turned a new page. Instead of going after banking credentials, this new version is focused on software-as-a-service (SaaS) applications. According to SaaS security vendor Adallom, the malware was targeting user credentials for Salesforce.com in what appears to be a targeted attack that began on a computer in an employee's home.

The situation was uncovered a few weeks ago when an alert was triggered for an Adallom customer's Salesforce.com instance after a single user performed hundreds of view operations in a short period of time. The subsequent investigation revealed that the behavior was traced to a home computer running Windows XP and an old version of Internet Explorer. The employee had been using the computer to catch up on work during off-hours.

A malware scan uncovered a Zeus variant configured to detect Salesforce.com authenticated sessions instead of banking sites. The variant was designed to crawl the site and create a real-time copy of the user's Salesforce.com instance. A copy of the temporary folder that was created contained all the information from the company account.

"This looks like a targeted attack against the company, cleverly targeting the employee home instead of the enterprise – thus bypassing the company controls," says Ami Luttwak, co-founder and CTO of Adallom. "This was probably just the first step, using the Zeus Web inject capabilities they could have used the same tactics as in the banking sites attacks and ask the user to enter more information regarding his company credentials or send out messages in his name."

"This version of Zeus seems hardcoded for this specific attack; we didn't yet see configuration pack circling around for Salesforce in general," he says. "However, the configuration itself is trivial --- the adaptability of Zeus and frankly any other Zeus variant to these scenarios is frightening, all existing Zeus bots can be turned against SaaS apps in a simple matter of a configuration change. In fact, the security of banking sites is years ahead of SaaS applications so makes them much easier prey."

So far, it is not known how the computer was initially infected. But the fact that the computer was not a corporate device underscores the challenges organizations are facing in the age of bring-your-own-device and an extended perimeter.

"I can only come to the conclusion that companies are either ignorant of, or oblivious to, the fact that along with SaaS adoption comes BYOD," says Luttwak. "The SaaS applications are themselves safe, but the implications of using them from unmanaged devices are either disregarded or unaddressed, at least pragmatically so. I think we can agree that asking employees to connect to Salesforce.com over a corporate VPN is unpragmatic. The core problem is that security teams do not feel accountable for the security of SaaS applications."

"The SaaS/cloud shared responsibility model means that the provider is responsible for securing the infrastructure while the company is responsible for securing account activities," he adds.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-0334
Published: 2014-10-31
Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source.

CVE-2014-2334
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiAnalyzer before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2336.

CVE-2014-2335
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiManager before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2336.

CVE-2014-2336
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiManager before 5.0.7 and FortiAnalyzer before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2334 and CVE-2014-2335.

CVE-2014-3366
Published: 2014-10-31
SQL injection vulnerability in the administrative web interface in Cisco Unified Communications Manager allows remote authenticated users to execute arbitrary SQL commands via a crafted response, aka Bug ID CSCup88089.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.