
Attacks/Breaches

2/19/2014
01:34 PM

New Zeus Variant Targets Salesforce.com

New attack shows the adaptability of Zeus and the challenges of policing an ever-expanding network perimeter

As the saying goes, the one constant in life is change. In the world of cybersecurity, few pieces of malware symbolize this more than Zeus.

Zeus is best known as a banking Trojan, but a recently discovered attack shows it has turned a new page. Instead of going after banking credentials, this new version is focused on software-as-a-service (SaaS) applications. According to SaaS security vendor Adallom, the malware was targeting user credentials for Salesforce.com in what appears to be a targeted attack that began on a computer in an employee's home.

The situation was uncovered a few weeks ago when an alert was triggered for an Adallom customer's Salesforce.com instance after a single user performed hundreds of view operations in a short period of time. The subsequent investigation traced the behavior to a home computer running Windows XP and an old version of Internet Explorer; the employee had been using it to catch up on work during off-hours.
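The alert that exposed this incident was a rate anomaly: one user issuing hundreds of view operations in a short window. The following is an added example (not Adallom's or Salesforce's code) of that detection logic run over constructed activity records; the record layout, the 100-views-per-5-minutes threshold and the user-agent strings are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds for the example; tune per tenant and per object type.
MAX_VIEWS_PER_WINDOW = 100
WINDOW = timedelta(minutes=5)

def parse_event(line):
    """Parse a constructed 'timestamp,user,operation,user_agent' record."""
    ts, user, op, ua = line.split(",", 3)
    return datetime.fromisoformat(ts), user, op, ua

def detect_bulk_views(lines, max_views=MAX_VIEWS_PER_WINDOW, window=WINDOW):
    """Sliding-window count of VIEW operations per user; one alert per user
    the first time the count inside the window exceeds max_views."""
    recent = defaultdict(deque)   # user -> timestamps of views in window
    alerts = {}
    for line in lines:            # records assumed to be in time order
        ts, user, op, ua = parse_event(line)
        if op != "VIEW":
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop views that fell out of the window
        if len(q) > max_views and user not in alerts:
            alerts[user] = {"user": user, "count": len(q),
                            "window_start": q[0], "user_agent": ua}
    return list(alerts.values())

def legacy_browser(ua):
    """Secondary signal from the article: Windows XP (NT 5.1) or old IE."""
    return "Windows NT 5.1" in ua or any(f"MSIE {v}." in ua for v in "678")

def build_sample():
    """Constructed log: a normal user plus one user crawling the instance."""
    base = datetime(2014, 1, 20, 22, 0, 0)
    lines = [f"{(base + timedelta(minutes=3 * i)).isoformat()},bob,VIEW,"
             "Windows NT 6.1; rv:26.0" for i in range(20)]
    lines += [f"{(base + timedelta(seconds=i)).isoformat()},alice,VIEW,"
              "Windows NT 5.1; MSIE 8.0" for i in range(150)]
    return sorted(lines, key=lambda l: l.split(",", 1)[0])

if __name__ == "__main__":
    for a in detect_bulk_views(build_sample()):
        print(a, "legacy browser:", legacy_browser(a["user_agent"]))
```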

A malware scan uncovered a Zeus variant configured to detect Salesforce.com authenticated sessions instead of banking sites. The variant was designed to crawl the site and create a real-time copy of the user's Salesforce.com instance. A copy of the temporary folder that was created contained all the information from the company account.

"This looks like a targeted attack against the company, cleverly targeting the employee home instead of the enterprise – thus bypassing the company controls," says Ami Luttwak, co-founder and CTO of Adallom. "This was probably just the first step; using the Zeus Web inject capabilities they could have used the same tactics as in the banking site attacks and asked the user to enter more information regarding his company credentials or sent out messages in his name."

"This version of Zeus seems hardcoded for this specific attack; we didn't yet see a configuration pack circling around for Salesforce in general," he says. "However, the configuration itself is trivial -- the adaptability of Zeus and frankly any other Zeus variant to these scenarios is frightening; all existing Zeus bots can be turned against SaaS apps in a simple matter of a configuration change. In fact, the security of banking sites is years ahead of SaaS applications, so that makes them much easier prey."

So far, it is not known how the computer was initially infected. But the fact that the computer was not a corporate device underscores the challenges organizations are facing in the age of bring-your-own-device and an extended perimeter.

"I can only come to the conclusion that companies are either ignorant of, or oblivious to, the fact that along with SaaS adoption comes BYOD," says Luttwak. "The SaaS applications are themselves safe, but the implications of using them from unmanaged devices are either disregarded or unaddressed, at least pragmatically so. I think we can agree that asking employees to connect to Salesforce.com over a corporate VPN is unpragmatic. The core problem is that security teams do not feel accountable for the security of SaaS applications."

"The SaaS/cloud shared responsibility model means that the provider is responsible for securing the infrastructure while the company is responsible for securing account activities," he adds.

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ...
