Zeus variant targets Salesforce.com accounts, SaaS applications

A new variation of the notorious banking trojan has been found lurking in the wild, bent on targeting software-as-a-service (SaaS) applications.
Written by Charlie Osborne, Contributing Writer
Credit: CNET

While cybersecurity is an ever-evolving field and new threats are constantly being created and discovered, several stand out as advanced, persistent problems -- including the Zeus trojan.

The Zeus malware family is known as a cause of identity theft and a pilferer of financial and banking details. Dubbed the "king of bots" by Symantec, it mainly targets financial institutions, often injecting malicious content into bank authentication pages in order to dupe users into handing over their account credentials.

However, a recent attack has revealed a twist in the tale of the malware. Rather than pursuing financial details, a new version of Zeus targets software-as-a-service (SaaS) applications. According to SaaS security firm Adallom's researchers, a few weeks ago, a version of Zeus was discovered that targets user credentials on Salesforce.com.

In a blog post, the Adallom Labs team said the Zeus variant uses "landmines" -- malware triggered by certain computer activity -- in order to exfiltrate company data. The malware was discovered when an employee apparently performed hundreds of view operations in a short period of time. This unusual behavior was traced back to the user's PC, which was running Windows XP and an old, unpatched version of Internet Explorer.

Examination of the offending device revealed the Zeus variant W32/Zbot. The employee had been using the PC to catch up on work at home, and the malware waited until the user connected to *.my.salesforce.com before extracting data from the user's Salesforce instance.

This is a stark contrast to traditional forms of the malware, which targeted online banking addresses.

The malware then crawled the site and created a real-time copy of the Salesforce.com account instance, stealing all the data within the company account.
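The signal that exposed this infection was behavioral: one user performing hundreds of view operations in a short period, which looks like a crawl rather than normal work. As an added illustration (not code from Adallom, Salesforce or the original article), the following sliding-window check flags any user whose view events within a five-minute window reach a threshold. The audit-event format and the sample events are constructed for the example and are not a real Salesforce log format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_events():
    """Constructed audit events in an assumed format:
    '<ISO timestamp> <user> <action> <record>'. Not real Salesforce logs."""
    base = datetime(2014, 2, 18, 9, 0, 0)
    events = []
    # Normal user: a handful of views spread over most of an hour.
    for i in range(5):
        ts = base + timedelta(minutes=12 * i)
        events.append(f"{ts.isoformat()} alice view Account/{i:03d}")
    # Crawl-like activity: 150 distinct records viewed in 2.5 minutes.
    for i in range(150):
        ts = base + timedelta(seconds=i)
        events.append(f"{ts.isoformat()} bob view Account/{i:03d}")
    return events


def parse_event(line):
    """Split one constructed audit line into (timestamp, user, action, record)."""
    ts, user, action, record = line.split()
    return datetime.fromisoformat(ts), user, action, record


def find_bulk_viewers(lines, threshold=100, window=timedelta(minutes=5)):
    """Return {user: peak_view_count} for users whose 'view' events within any
    sliding window of length `window` reach `threshold`. Events are sorted by
    timestamp first, so log order does not matter."""
    recent = defaultdict(deque)  # per-user timestamps inside the current window
    peak = defaultdict(int)
    for ts, user, action, _record in sorted(parse_event(l) for l in lines):
        if action != "view":
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:  # drop views that fell out of the window
            q.popleft()
        peak[user] = max(peak[user], len(q))
    return {user: n for user, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    for user, count in find_bulk_viewers(build_sample_events()).items():
        print(f"ALERT: {user} viewed {count} records within 5 minutes")
```

The threshold and window are tuning knobs; a real deployment would baseline each user's typical view rate rather than use a fixed number.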

"This is the first incident we've seen of this powerful, albeit antiquated, weapon turned against corporate SaaS accounts, revealing the weakness of current security controls in identifying attacks outside of the company perimeter," the researchers say. "While this attack targeted Salesforce users, it’s important to consider that any SaaS based application could be easily targeted in this way, circumventing all enterprise security controls."

This is not an exploit of a Salesforce.com vulnerability; instead, Zeus takes advantage of the trust relationship between the end user and the website once the user is authenticated. It is not known how the home computer was originally infected, but by targeting employees rather than enterprise networks themselves, the attack evades the company's controls -- increasing the risk of sabotage.

In the world of SaaS, most applications by default allow access from any place and any device. While many SaaS providers have top-of-the-range protection, human error will always be a weak link in the security chain -- and yet, corporations do not feel responsible for the security of these applications. As long as BYOD exists, firms that want to avoid such threats should perhaps assume user devices are compromised and deploy security controls accordingly.

Speaking to Dark Reading, Ami Luttwak, co-founder and CTO of Adallom commented:

"I can only come to the conclusion that companies are either ignorant of, or oblivious to, the fact that along with SaaS adoption comes BYOD. The SaaS applications are themselves safe, but the implications of using them from unmanaged devices are either disregarded or unaddressed, at least pragmatically so. I think we can agree that asking employees to connect to Salesforce.com over a corporate VPN is unpragmatic. The core problem is that security teams do not feel accountable for the security of SaaS applications.

The SaaS/cloud shared responsibility model means that the provider is responsible for securing the infrastructure while the company is responsible for securing account activities."
