2/19/2014
01:34 PM

New Zeus Variant Targets Salesforce.com

New attack shows the adaptability of Zeus and the challenges of policing an ever-expanding network perimeter

As the saying goes, the one constant in life is change. In the world of cybersecurity, few pieces of malware symbolize this more than Zeus.

Best known as a banking Trojan, Zeus has turned a new page, as a recently discovered attack shows. Instead of going after banking credentials, this new version is focused on software-as-a-service (SaaS) applications. According to SaaS security vendor Adallom, the malware was targeting user credentials for Salesforce.com in what appears to be a targeted attack that began on a computer in an employee's home.

The situation came to light a few weeks ago when an alert fired on an Adallom customer's Salesforce.com instance after a single user performed hundreds of view operations in a short period of time. The subsequent investigation traced the behavior to a home computer running Windows XP and an old version of Internet Explorer; the employee had been using it to catch up on work during off-hours.
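The signal that produced the alert, hundreds of view operations by one user in a short window, can be reproduced with a sliding-window detector over SaaS audit events. The following Python is an added example, not Adallom's, Salesforce's, or the article's own code; the log format, field names, user names, window size and threshold are all assumptions constructed for this illustration.

```python
"""Sliding-window burst detector over SaaS audit events.

Added example, not code from Adallom, Salesforce or the article: it flags a
user who performs an unusually large number of 'view' operations inside a
short window, the behaviour that triggered the alert described above.
The log format, field names and thresholds are assumptions for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Parse one constructed audit line: '<timestamp> user=<u> action=<a> record=<id>'."""
    parts = line.split()
    event = {k: v for k, v in (p.split("=", 1) for p in parts[1:])}
    event["ts"] = datetime.strptime(parts[0], TS_FORMAT)
    return event


def detect_bursts(lines, window=timedelta(minutes=10), threshold=100):
    """Return {user: alert} for every user whose 'view' count inside any
    sliding window of length `window` exceeds `threshold`. Lines must be
    in chronological order. Only the first window that trips is reported."""
    recent = defaultdict(deque)   # user -> timestamps of views still inside the window
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev["action"] != "view":
            continue                # logins, edits etc. are not counted here
        dq = recent[ev["user"]]
        dq.append(ev["ts"])
        while dq and ev["ts"] - dq[0] > window:
            dq.popleft()            # drop views that fell out of the window
        if len(dq) > threshold and ev["user"] not in alerts:
            alerts[ev["user"]] = {
                "count": len(dq),
                "start": dq[0].strftime(TS_FORMAT),
                "end": ev["ts"].strftime(TS_FORMAT),
            }
    return alerts


def make_sample_log():
    """Constructed sample: 'bob' browses at a human pace, while 'alice'
    (the compromised account) views 300 records in ten minutes, the kind of
    volume a bot copying an instance produces and a person does not."""
    t0 = datetime(2014, 2, 3, 21, 0, 0)
    lines = [f"{t0.strftime(TS_FORMAT)} user=alice action=login record=-",
             f"{t0.strftime(TS_FORMAT)} user=bob action=login record=-"]
    for i in range(20):
        ts = (t0 + timedelta(minutes=3 * i)).strftime(TS_FORMAT)
        lines.append(f"{ts} user=bob action=view record=001B{i:04d}")
    for i in range(300):
        ts = (t0 + timedelta(seconds=2 * i)).strftime(TS_FORMAT)
        lines.append(f"{ts} user=alice action=view record=001A{i:04d}")
    lines.sort()   # fixed-width ISO timestamps, so string order is time order
    return lines


if __name__ == "__main__":
    for user, alert in detect_bursts(make_sample_log()).items():
        print(f"ALERT {user}: {alert['count']} views between "
              f"{alert['start']} and {alert['end']}")
```

With the constructed log, only `alice` trips the detector, at the 101st view about three minutes into the burst, while `bob` never has more than four views inside any ten-minute window. A production detector would replace the fixed threshold with a per-user baseline and would also weigh the session's origin (an unmanaged home device on an obsolete browser, in the case described here), but the core of the alert is the same: a volume of reads that no human user produces.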

A malware scan uncovered a Zeus variant configured to detect authenticated Salesforce.com sessions instead of banking sites. The variant was designed to crawl the site and build a real-time copy of the user's Salesforce.com instance; the temporary folder it created contained all the information from the company account.

"This looks like a targeted attack against the company, cleverly targeting the employee home instead of the enterprise – thus bypassing the company controls," says Ami Luttwak, co-founder and CTO of Adallom. "This was probably just the first step, using the Zeus Web inject capabilities they could have used the same tactics as in the banking sites attacks and ask the user to enter more information regarding his company credentials or send out messages in his name."

"This version of Zeus seems hardcoded for this specific attack; we didn't yet see configuration pack circling around for Salesforce in general," he says. "However, the configuration itself is trivial --- the adaptability of Zeus and frankly any other Zeus variant to these scenarios is frightening, all existing Zeus bots can be turned against SaaS apps in a simple matter of a configuration change. In fact, the security of banking sites is years ahead of SaaS applications so makes them much easier prey."

So far, it is not known how the computer was initially infected. But the fact that the computer was not a corporate device underscores the challenges organizations face in the age of bring-your-own-device (BYOD) and an extended perimeter.

"I can only come to the conclusion that companies are either ignorant of, or oblivious to, the fact that along with SaaS adoption comes BYOD," says Luttwak. "The SaaS applications are themselves safe, but the implications of using them from unmanaged devices are either disregarded or unaddressed, at least pragmatically so. I think we can agree that asking employees to connect to Salesforce.com over a corporate VPN is unpragmatic. The core problem is that security teams do not feel accountable for the security of SaaS applications."

"The SaaS/cloud shared responsibility model means that the provider is responsible for securing the infrastructure while the company is responsible for securing account activities," he adds.

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ...
