ZeuS KICKS that SaaS: Trojan raids Salesforce.com accounts

CRM giant's customers take an arrow to the knee... – reports

Miscreants have forged a variant of the infamous ZeuS banking Trojan that targets enterprise data held by clients of CRM giant Salesforce.com.

The ZeuS variant does not exploit a vulnerability in the Salesforce.com platform itself but rather penetrates the insecure devices of corporate workers accessing Salesforce.com. The attackers wait for the user to connect to *.my.salesforce.com in order to extract company data from the user’s Salesforce instance, according to security researchers at cloud-based security outfit Adallom, which discovered the threat.

"This is not an exploit of a Salesforce.com vulnerability; this Zeus attack takes advantage of the trust relationship that is legitimately established between the end-user and Salesforce.com once the user has authenticated," Ami Luttwak, co-founder and CTO at Adallom explains in a blog post.

The threat was discovered after a single user performed hundreds of Salesforce.com view operations in a short period of time, triggering alerts at Adallom, a security service provider for the victim's employer. This prompted an investigation. Initially the firm's security team suspected a sales rep was “downloading” their Rolodex by mirroring their Salesforce.com instance to disk. The investigation instead revealed that a worker's poorly secured and pox-ridden Windows XP home laptop (running an old version of Internet Explorer and expired security scanner software) was behind the problem.
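The signal that exposed the infection was purely behavioural: one account reading hundreds of records in minutes, far above any human rate. The sliding-window detector below is an added example written for this article, not Adallom's or Salesforce's code; it runs that check over constructed sample audit lines in an assumed four-field format (timestamp, user, action, record), and the ten-minute window and 200-view threshold are likewise assumptions to be tuned against real baselines.

```python
"""Rate-based detection of bulk record viewing in SaaS audit logs.

Constructed sample data mimics a minimal Salesforce-style event trail:
ISO-8601 timestamp, user, action, record (an assumed format, not a real
Salesforce export).  A user whose 'view' count inside any sliding time
window reaches the threshold is reported with the peak count seen.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample: two normal users plus one account that
    mirrors the whole CRM instance in under five minutes."""
    base = datetime(2014, 2, 20, 22, 0, 0)
    lines = []
    # Normal activity: one record view every three minutes.
    for i in range(10):
        t = base + timedelta(minutes=3 * i)
        lines.append(f"{t.isoformat()} bob view Contact/003B{i:02d}")
        lines.append(f"{t.isoformat()} carol view Opportunity/006C{i:02d}")
    # Bulk crawl: 300 views from one account in four minutes.
    for i in range(300):
        t = base + timedelta(seconds=int(i * 240 / 300))
        lines.append(f"{t.isoformat()} alice view Account/001A{i:03d}")
    # Non-view actions are ignored by the detector.
    lines.append(f"{(base + timedelta(minutes=1)).isoformat()} alice login -")
    # Fixed-width ISO timestamps sort lexically into chronological order.
    return sorted(lines)


def parse_line(line):
    """Split one log line into (timestamp, user, action, record)."""
    ts, user, action, record = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), user, action, record


def find_bulk_viewers(lines, window=timedelta(minutes=10), threshold=200):
    """Return {user: peak_views_in_window} for every user whose number
    of 'view' events inside some sliding window of length `window`
    reaches `threshold`.  Lines must be in chronological order."""
    recent = defaultdict(deque)   # user -> timestamps of views still in window
    peak = defaultdict(int)       # user -> highest in-window count observed
    for line in lines:
        if not line.strip():
            continue
        ts, user, action, _ = parse_line(line)
        if action != "view":
            continue
        q = recent[user]
        q.append(ts)
        # Drop views that fell out of the window ending at `ts`.
        while ts - q[0] > window:
            q.popleft()
        peak[user] = max(peak[user], len(q))
    return {u: n for u, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    for user, n in find_bulk_viewers(build_sample_log()).items():
        print(f"ALERT: {user} viewed {n} records within 10 minutes")
```

In production the same logic would sit over a streamed event feed and the threshold would come from each tenant's observed per-user baseline; the deque keeps memory bounded by the window rather than by log size.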

The Zeus variant on the compromised machine was configured to detect Salesforce.com authenticated sessions (*.my.salesforce.com) instead of banking sites.

The variant was designed to crawl the site and create a real-time copy of the user's Salesforce.com instance. A copy of the temporary folder that was created contained all the information from the company account.

"While our customer is still investigating the intent behind this attack, it’s easy to imagine how having real time access to a company’s CRM might be useful to its competitors’ sales process," Luttwak explains.

Zeus is traditionally used to pilfer online banking credentials and transactions. The latest variant is thought to be the first Zeus variant targeted at harvesting data from enterprise SaaS applications. Although novel, the threat is not particularly sophisticated, and the "tailored SaaS data exfiltration capability" is all that really distinguishes it from the many banking trojans and other nasties created using ZeuS.

ZeuS is most accurately looked at as a crimeware creation that makes it straightforward to create highly customised banking trojans or other nasties, as the CRM malware isolated in the Adallom case illustrates.

Adallom reckons the malware used in this attack was planted like a landline on the compromised Win XP device (a home computer used by the worker involved to catch up with work at night or the weekend) using a phishing attack. Much the same approach could be used to harvest data from any software as a service application.

"All existing Zeus variants in the wild can be fairly easily re-purposed to steal information from SaaS applications, it’s just a matter of adding another webinject configuration pack," Adallom's Luttwak concludes.

"We are currently under responsible disclosure with several SaaS vendors for other attacks that have impacted our customers. Some, like the Office 365 'Ice Dagger', are sophisticated. Others, like this 'landline', are not. However, they all target digital assets inside of SaaS applications because that’s where enterprise data is migrating."

Adallom's warning is underlined by a case last November involving attempts to use malware against clients of ERP giant SAP. Security researchers at ERPScan discovered a variant of the well-known Shiz remote access Trojan (RAT) which searched infected systems for the existence of SAP applications.

El Reg asked Salesforce.com to comment on Adallom's research. It responded:

At salesforce.com, trust is our #1 value and we take the protection of our customers' data very seriously. We currently have no evidence of this malware variant. We recommend our customers follow best practices for protecting their devices from malware. We provide security advice at http://trust.salesforce.com/trust/threats/security.

®
