Zeus variant targets Salesforce.com accounts, SaaS applications

Summary: A new variation of the notorious banking trojan has been found lurking in the wild, bent on targeting software-as-a-service (SaaS) applications.

Credit: CNET

While cybersecurity is an ever-evolving field and new threats are constantly being created and discovered, several stand out as advanced, persistent problems -- including the Zeus trojan.

The Zeus malware family is known as a cause of identity theft and a pilferer of financial and banking details. Dubbed the "king of bots" by Symantec, it mainly targets financial institutions, often injecting malicious content into bank authentication pages in order to dupe users into handing over their account credentials.

However, a recent attack has revealed a twist in the tale of the malware. Rather than pursuing financial details, a new version of Zeus targets software-as-a-service (SaaS) applications. According to SaaS security firm Adallom's researchers, a few weeks ago, a version of Zeus was discovered that targets user credentials on Salesforce.com.

In a blog post, the Adallom Labs team said the Zeus variant uses "landmines" -- malware triggered by certain computer activity -- in order to exfiltrate company data. The malware was discovered when an employee apparently performed hundreds of view operations in a short period of time. This unusual behavior was traced back to the user's PC, which was running Windows XP and an old, unpatched version of Internet Explorer.

Examination of the offending device revealed the Zeus variant W32/Zbot. The employee had been using the PC to catch up on work at home, and the malware waited until the user connected to *.my.salesforce.com before extracting data from the user's Salesforce instance.

This is a stark contrast to traditional forms of the malware, in which online banking addresses were targeted.

The malware then crawled the site and created a real-time copy of the Salesforce.com account instance, stealing all the data within the company account.
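The anomaly that exposed the infection was a burst of view operations from one user. The following is an added example, not code from the article or from Adallom, showing how such a burst can be flagged from event logs: it parses constructed log lines in an assumed "timestamp user=… op=… record=…" format (real Salesforce event logs use different field names) and reports any user whose View count inside a sliding time window exceeds an assumed threshold. A normal user and a crawling user are both embedded so the detector can be run offline.

```python
"""Sliding-window burst detector for SaaS view operations.

Added example, not from the article or Adallom. The log line format,
the 5-minute window and the threshold of 100 views are assumptions and
would need tuning against a real tenant's baseline.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) op=(?P<op>\S+) record=(?P<rec>\S+)$"
)


def _make_sample_lines():
    """Constructed log lines: 'alice' browses normally, 'bob' crawls."""
    base = datetime(2014, 2, 24, 21, 0, 0)
    lines = []
    # alice: one view every 6 minutes over an hour, ordinary usage
    for i in range(10):
        t = base + timedelta(minutes=6 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} user=alice op=View record=001A{i:04d}")
    # bob: 300 distinct records viewed one per second, i.e. copying the instance
    for i in range(300):
        t = base + timedelta(seconds=i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} user=bob op=View record=001B{i:04d}")
    # a non-View operation must not count toward the view burst
    t = base + timedelta(seconds=301)
    lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} user=bob op=Edit record=001B0001")
    return lines


LOG_LINES = _make_sample_lines()


def parse_line(line):
    """Return (timestamp, user, op, record) or None for an unparseable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group("user"), m.group("op"), m.group("rec")


def find_view_bursts(lines, window=timedelta(minutes=5), threshold=100):
    """Return {user: (peak_views, window_start)} for every user whose View
    count within any window of length `window` exceeds `threshold`."""
    per_user = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than failing the whole run
        ts, user, op, _ = parsed
        if op == "View":
            per_user[user].append(ts)

    alerts = {}
    for user, stamps in per_user.items():
        stamps.sort()
        active = deque()          # timestamps inside the current window
        peak, peak_start = 0, None
        for ts in stamps:
            active.append(ts)
            while ts - active[0] >= window:   # evict events that fell out of the window
                active.popleft()
            if len(active) > peak:
                peak, peak_start = len(active), active[0]
        if peak > threshold:
            alerts[user] = (peak, peak_start)
    return alerts


if __name__ == "__main__":
    for user, (count, start) in find_view_bursts(LOG_LINES).items():
        print(f"ALERT {user}: {count} views within 5 minutes starting {start:%H:%M:%S}")
```

The detector only needs per-user timestamps, so it runs in one pass over sorted events and keeps memory bounded by the window size. Counting distinct records rather than raw views, and comparing each user against their own historical rate instead of a fixed threshold, are the obvious next refinements once real event data is available.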

"This is the first incident we've seen of this powerful, albeit antiquated, weapon turned against corporate SaaS accounts, revealing the weakness of current security controls in identifying attacks outside of the company perimeter," the researchers say. "While this attack targeted Salesforce users, it’s important to consider that any SaaS based application could be easily targeted in this way, circumventing all enterprise security controls."

This is not an exploit of a Salesforce.com vulnerability; instead, Zeus abuses the trust between the end user's browser and the website once the user has authenticated. It is not known how the original home computer was infected, but by targeting employees rather than enterprise networks themselves, company controls are evaded -- increasing the risk of sabotage.

In the world of SaaS, most applications by default allow access from any place and any device. While many SaaS providers have top-of-the-range protection, human error will always be a weak link in the security chain -- and yet, corporations do not feel responsible for the security of these applications. However, as long as BYOD exists, firms wishing to avoid such threats should perhaps assume user devices are compromised and deploy the relevant security controls to better prevent issues in the future.

Speaking to Dark Reading, Ami Luttwak, co-founder and CTO of Adallom commented:

"I can only come to the conclusion that companies are either ignorant of, or oblivious to, the fact that along with SaaS adoption comes BYOD. The SaaS applications are themselves safe, but the implications of using them from unmanaged devices are either disregarded or unaddressed, at least pragmatically so. I think we can agree that asking employees to connect to Salesforce.com over a corporate VPN is unpragmatic. The core problem is that security teams do not feel accountable for the security of SaaS applications.

The SaaS/cloud shared responsibility model means that the provider is responsible for securing the infrastructure while the company is responsible for securing account activities."

  • So the key question here is...

    What kind of protections did the company have in place for remote access of their employees? Management tends to believe that if they provide VPN access then it doesn't matter how insecure the employee's home workstation is - the VPN will provide all the security they need. Most IT security folks know that's simply not the case - nefarious activity can take place THROUGH a secure tunnel once the connection has been made. Since my management doesn't like to put much weight in theoreticals, this might be a great case to use as an argument for enforcing security standards on home computers if that computer is to be considered for the privilege of connecting remotely to the corporate network.

    Hopefully one of the links in this story sheds light on those details.
    • A matter of policy?

      Having just read the Adallom blog entry, the key to this incident would seem to be the use of a compromised home PC connecting directly to the SaaS offering, as opposed to the employee remotely connecting to their corporate workstation, and then connecting from the corporate workstation to the SaaS resource. Having a policy in place forbidding employees from using their work credentials and connecting to external 3rd party resources from their home computers, as opposed to connecting from home to their workstation at work, and then connecting from there to the SaaS resource, seems like it would have saved them in this instance. That 2 part connection isn't foolproof, either, but it seems like it would reduce the risks of falling prey to some portion of these types of attacks.
  • Yet another problem with SaaS

    As I have often said, this whole SaaS push is mainly so MS, Adobe and others can make more money off the users by forcing them to pay monthly forever for the software that used to be a one-time purchase.

    Don't let them foist this upon us by claiming we'll pay less in the long run! That is simply not true.

    • BYOD

      If SaaS is being used by the company by default they are installing a BYOD policy. Employees who are expected to log on remotely will prefer the convenience of using as few devices as possible. Part of the consideration is cost but another is the annoyance of having two very similar devices that have the same functionality to lug around.
  • They need an isolated client system

    Something like a client application/app that can run like a virtual machine instance for better isolation from a possibly infected host PC.