ZeuS KICKS that SaaS: Trojan raids Salesforce.com accounts

CRM giant's customers take an arrow to the knee... – reports

Miscreants have forged a variant of the infamous ZeuS banking Trojan that targets enterprise data held by clients of CRM giant Salesforce.com.

The ZeuS variant does not exploit a vulnerability in the Salesforce.com platform itself but rather penetrates the insecure devices of corporate workers accessing Salesforce.com. The attackers wait for the user to connect to *.my.salesforce.com in order to extract company data from the user’s Salesforce instance, according to security researchers at cloud-based security outfit Adallom, which discovered the threat.

"This is not an exploit of a Salesforce.com vulnerability; this Zeus attack takes advantage of the trust relationship that is legitimately established between the end-user and Salesforce.com once the user has authenticated," Ami Luttwak, co-founder and CTO at Adallom, explains in a blog post.

The threat was discovered after a single user performed hundreds of Salesforce.com view operations in a short period of time, triggering alerts at Adallom, a security service provider for the victim's employer. This prompted an investigation. Initially the firm's security team suspected a sales rep was "downloading" their Rolodex by mirroring their Salesforce.com instance to disk. A subsequent investigation revealed that a worker's poorly secured and pox-ridden Windows XP home laptop (running an old version of Internet Explorer and expired security scanning software) was behind the problem.
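The rate-based alert described above, as an added example that is not Adallom's code: a sliding-window detector over constructed access-log lines that flags any user whose view operations against *.my.salesforce.com exceed a threshold within a time window. The log format, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log line layout (constructed, not a real Salesforce format):
# <ISO timestamp> <user> <host> <operation> <object>
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<host>\S+)\s+(?P<op>\S+)\s+(?P<obj>\S+)$")

def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec

def detect_view_bursts(lines, threshold=100, window=timedelta(minutes=10),
                       host_suffix=".my.salesforce.com"):
    """Return {user: time of first alert} for users whose VIEW count against
    *.my.salesforce.com exceeds `threshold` inside any sliding `window`.
    Lines are assumed to be in time order per user."""
    recent = defaultdict(deque)   # per-user timestamps inside the window
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["op"] != "VIEW" or not rec["host"].endswith(host_suffix):
            continue
        q = recent[rec["user"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # drop views older than the window
            q.popleft()
        if len(q) > threshold and rec["user"] not in alerts:
            alerts[rec["user"]] = rec["ts"]
    return alerts

def build_sample_log():
    """Constructed events: bob browses normally; alice's infected laptop crawls records."""
    base = datetime(2014, 2, 19, 9, 0, 0)
    lines = []
    for i in range(20):        # bob: 20 views spread over 100 minutes
        ts = base + timedelta(minutes=5 * i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} bob corp.my.salesforce.com VIEW Account/{i:04d}")
    for i in range(300):       # alice: 300 views in 5 minutes, one per second
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} alice corp.my.salesforce.com VIEW Contact/{i:04d}")
    lines.append(f"{base:%Y-%m-%dT%H:%M:%SZ} alice corp.my.salesforce.com EDIT Account/0001")
    return lines

if __name__ == "__main__":
    print(detect_view_bursts(build_sample_log()))   # alice is flagged at 09:01:40
```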

The Zeus variant on the compromised machine was configured to detect Salesforce.com authenticated sessions (*.my.salesforce.com) instead of banking sites.

The variant was designed to crawl the site and create a real-time copy of the user's Salesforce.com instance. A copy of the temporary folder that was created contained all the information from the company account.

"While our customer is still investigating the intent behind this attack, it’s easy to imagine how having real time access to a company’s CRM might be useful to its competitors’ sales process," Luttwak explains.

Zeus is traditionally used to pilfer online banking credentials and transactions. The latest variant is thought to be the first Zeus variant targeted at harvesting data from enterprise SaaS applications. Although novel, the threat is not particularly sophisticated, and the "tailored SaaS data exfiltration capability" is all that really distinguishes it from the many banking trojans and other nasties created using ZeuS.

ZeuS is most accurately looked at as a crimeware creation that makes it straightforward to create highly customised banking trojans or other nasties, as the CRM malware isolated in the Adallom case illustrates.

Adallom reckons the malware used in this attack was planted like a landmine on the compromised Win XP device (a home computer used by the worker involved to catch up with work at night or at the weekend) using a phishing attack. Much the same approach could be used to harvest data from any software-as-a-service application.

"All existing Zeus variants in the wild can be fairly easily re-purposed to steal information from SaaS applications, it’s just a matter of adding another webinject configuration pack," Adallom's Luttwak concludes.

"We are currently under responsible disclosure with several SaaS vendors for other attacks that have impacted our customers. Some, like the Office 365 'Ice Dagger', are sophisticated. Others, like this 'landmine', are not. However, they all target digital assets inside of SaaS applications because that's where enterprise data is migrating."

Adallom's warning is underlined by a case last November involving attempts to use malware against clients of ERP giant SAP. Security researchers at ERPScan discovered a variant of the well-known Shiz remote access Trojan (RAT) which searched infected systems for the presence of SAP applications.

El Reg asked Salesforce.com to comment on Adallom's research. It responded:

At salesforce.com, trust is our #1 value and we take the protection of our customers' data very seriously. We currently have no evidence of this malware variant. We recommend our customers follow best practices for protecting their devices from malware. We provide security advice at http://trust.salesforce.com/trust/threats/security.

®
