ZeuS KICKS that SaaS: Trojan raids Salesforce.com accounts

CRM giant's customers take an arrow to the knee... – reports

Miscreants have forged a variant of the infamous ZeuS banking Trojan that targets enterprise data held by clients of CRM giant Salesforce.com.

The ZeuS variant does not exploit a vulnerability in the Salesforce.com platform itself but rather penetrates the insecure devices of corporate workers accessing Salesforce.com. The attackers wait for the user to connect to *.my.salesforce.com in order to extract company data from the user’s Salesforce instance, according to security researchers at cloud-based security outfit Adallom, which discovered the threat.

"This is not an exploit of a Salesforce.com vulnerability; this Zeus attack takes advantage of the trust relationship that is legitimately established between the end-user and Salesforce.com once the user has authenticated," Ami Luttwak, co-founder and CTO at Adallom explains in a blog post.

The threat was discovered after a single user performed hundreds of Salesforce.com view operations in a short period of time, triggering alerts at Adallom, a security service provider for the victim's employer. This prompted an investigation. Initially the firm's security team suspected a sales rep was “downloading” their Rolodex by mirroring their Salesforce.com instance to disk. A subsequent investigation revealed that a worker's poorly secured and pox-ridden Windows XP home laptop (running an old version of Internet Explorer and expired security scanning software) was behind the problem.

The Zeus variant on the compromised machine was configured to detect Salesforce.com authenticated sessions (*.my.salesforce.com) instead of banking sites.

The variant was designed to crawl the site and create a real-time copy of the user's Salesforce.com instance. A copy of the temporary folder that was created contained all the information from the company account.
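The behaviour that exposed the infection, one account performing hundreds of view operations in minutes and walking through distinct records as if mirroring the instance, can be caught with a simple per-user rate check over an audit log. The following is an added example, not Adallom's or Salesforce.com's code; the log format (timestamp, user, action, record id), the field names, and the thresholds of more than 20 distinct records viewed within 60 seconds are assumptions chosen for the example, and the log lines are constructed.

```python
"""Rate-based detector for bulk CRM record access.

Added example, not code from the article or from Adallom/Salesforce.com.
Assumed log format (constructed for this example):
    <ISO-8601 UTC timestamp> <user> <action> <record id>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_sample_log():
    """Construct sample audit lines (not real data) covering three cases:
    a crawl-like burst, normal browsing, and a page refreshed in a loop."""
    base = datetime(2014, 2, 20, 9, 0, tzinfo=timezone.utc)
    lines = []
    # alice: 30 distinct records in 30 seconds -> looks like an instance mirror
    for i in range(30):
        ts = (base + timedelta(seconds=i)).strftime(FMT)
        lines.append(f"{ts} alice view 001{i:03d}")
    # bob: 5 distinct records spread over 10 minutes -> ordinary use
    for i in range(5):
        ts = (base + timedelta(minutes=2 * i)).strftime(FMT)
        lines.append(f"{ts} bob view 002{i:03d}")
    # carol: the same record refreshed 25 times -> high rate but one record
    for i in range(25):
        ts = (base + timedelta(seconds=i)).strftime(FMT)
        lines.append(f"{ts} carol view 003000")
    # dave: edits are not view operations and are ignored by the check
    for i in range(30):
        ts = (base + timedelta(seconds=i)).strftime(FMT)
        lines.append(f"{ts} dave edit 004{i:03d}")
    return sorted(lines)  # ISO timestamps sort lexicographically


def parse_line(line):
    """Split one audit line into (timestamp, user, action, record)."""
    ts, user, action, record = line.split()
    return datetime.strptime(ts, FMT).replace(tzinfo=timezone.utc), user, action, record


def detect_bulk_views(lines, window_seconds=60, max_distinct=20):
    """Return one (user, timestamp, distinct_records) alert per offending user.

    A sliding window per user holds the views seen in the last
    window_seconds; counting distinct record ids rather than raw hits
    keeps a refresh loop on a single page from firing the alert."""
    windows = defaultdict(deque)
    alerted = set()
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ts, user, action, record = parse_line(line)
        if action != "view":
            continue
        window = windows[user]
        window.append((ts, record))
        while window and (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        distinct = len({rec for _, rec in window})
        if distinct > max_distinct and user not in alerted:
            alerts.append((user, ts, distinct))
            alerted.add(user)
    return alerts


if __name__ == "__main__":
    for user, ts, count in detect_bulk_views(build_sample_log()):
        print(f"ALERT {ts.strftime(FMT)} {user}: {count} distinct records in 60s")
```

Only alice trips the check, on her 21st distinct record; bob stays under the rate and carol's refresh loop counts as a single record. A production version would read the vendor's own audit export, tune the thresholds to the tenant's baseline, and correlate the alert with the endpoint that opened the session, which is what led Adallom's customer to the infected laptop.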

"While our customer is still investigating the intent behind this attack, it’s easy to imagine how having real time access to a company’s CRM might be useful to its competitors’ sales process," Luttwak explains.

Zeus is traditionally used to pilfer online banking credentials and transactions. The latest variant is thought to be the first Zeus variant targeted at harvesting data from enterprise SaaS applications. Although novel, the threat is not particularly sophisticated, and the "tailored SaaS data exfiltration capability" is all that really distinguishes it from the many banking trojans and other nasties created using ZeuS.

ZeuS is best understood as a crimeware kit that makes it straightforward to create highly customised banking trojans or other nasties, as the CRM malware isolated in the Adallom case illustrates.

Adallom reckons the malware used in this attack was planted like a landline on the compromised Win XP device (a home computer used by the worker involved to catch up with work at night or the weekend) using a phishing attack. Much the same approach could be used to harvest data from any software as a service application.

"All existing Zeus variants in the wild can be fairly easily re-purposed to steal information from SaaS applications, it’s just a matter of adding another webinject configuration pack," Adallom's Luttwak concludes.

"We are currently under responsible disclosure with several SaaS vendors for other attacks that have impacted our customers. Some, like the Office 365 'Ice Dagger', are sophisticated. Others, like this 'landline', are not. However, they all target digital assets inside of SaaS applications because that’s where enterprise data is migrating."

Adallom's warning is underlined by a case last November involving attempts to use malware against clients of ERP giant SAP. Security researchers at ERPScan discovered a variant of the well-known Shiz remote access Trojan (RAT) which searched infected systems for the existence of SAP applications.

El Reg asked Salesforce.com to comment on Adallom's research. It responded:

At salesforce.com, trust is our #1 value and we take the protection of our customers' data very seriously. We currently have no evidence of this malware variant. We recommend our customers follow best practices for protecting their devices from malware. We provide security advice at http://trust.salesforce.com/trust/threats/security.
