ZeuS KICKS that SaaS: Trojan raids Salesforce.com accounts
Miscreants have forged a variant of the infamous ZeuS banking Trojan that targets enterprise data held by clients of CRM giant Salesforce.com.
The ZeuS variant does not exploit a vulnerability in the Salesforce.com platform itself but rather penetrates the insecure devices of corporate workers accessing Salesforce.com. The attackers wait for the user to connect to *.my.salesforce.com in order to extract company data from the user’s Salesforce instance, according to security researchers at cloud-based security outfit Adallom, which discovered the threat.
“This is not an exploit of a Salesforce.com vulnerability; this Zeus attack takes advantage of the trust relationship that is legitimately established between the end-user and Salesforce.com once the user has authenticated,” Ami Luttwak, co-founder and CTO at Adallom, explains in a blog post.
The threat was discovered after a single user performed hundreds of Salesforce.com view operations in a short period of time, triggering alerts at Adallom, a security service provider for the victim’s employer. This prompted an investigation. Initially the firm’s security team suspected a sales rep was “downloading” their Rolodex by mirroring their Salesforce.com instance to disk. A subsequent investigation revealed that a worker’s poorly secured and pox-ridden Windows XP home laptop (running an old version of Internet Explorer and expired security scanning software) was behind the problem.
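The alert that exposed the infection was a simple rate anomaly: one account generating hundreds of record views in a short window, far more than a person browsing a CRM produces. The following Python is an added example of that kind of detection and is not Adallom’s or Salesforce.com’s code; the audit-line format, the field names, the five-minute window and the 100-view threshold are all assumptions chosen for illustration, and the log lines are constructed inline rather than taken from any real instance.

```python
"""Rate-based detection of bulk record views in a SaaS audit log.

Added example: the line format "<ISO timestamp> user=<id> action=<verb> record=<type/id>"
is assumed for illustration and is not Salesforce.com's real event log schema.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # look-back window per user (assumed tuning value)
THRESHOLD = 100                 # views inside WINDOW that raise an alert (assumed)


def build_sample_log():
    """Construct sample audit lines: one normal user and one crawler-like session."""
    base = datetime(2014, 2, 19, 9, 0, 0)
    lines = []
    # alice: 12 views spread over an hour, what ordinary sales-rep browsing looks like
    for i in range(12):
        ts = base + timedelta(minutes=5 * i)
        lines.append(f"{ts.isoformat()} user=alice@example.com action=view record=Account/{1000 + i}")
    # bob: 250 views in just over two minutes, the signature of a client mirroring the instance
    for i in range(250):
        ts = base + timedelta(seconds=i // 2)
        lines.append(f"{ts.isoformat()} user=bob@example.com action=view record=Contact/{2000 + i}")
    # a login event, to show non-view actions are ignored by the detector
    lines.append(f"{base.isoformat()} user=bob@example.com action=login record=-")
    lines.sort()  # chronological order; the detector assumes time-ordered input
    return lines


def parse_line(line):
    """Split one audit line into (timestamp, user, action, record)."""
    ts_str, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts_str), fields["user"], fields["action"], fields["record"]


def detect_view_bursts(lines, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per user whose view count within `window` reaches `threshold`.

    A per-user deque of view timestamps acts as a sliding window. The alert fires
    the first time the window fills past the threshold, so one crawl yields one
    alert rather than one per record viewed.
    """
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for line in lines:
        ts, user, action, _record = parse_line(line)
        if action != "view":
            continue
        window_views = recent[user]
        window_views.append(ts)
        # drop timestamps that have aged out of the look-back window
        while window_views and ts - window_views[0] > window:
            window_views.popleft()
        if len(window_views) >= threshold and user not in alerted:
            alerted.add(user)
            alerts.append({
                "user": user,
                "views_in_window": len(window_views),
                "window_start": window_views[0],
                "window_end": ts,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_view_bursts(build_sample_log()):
        span = (alert["window_end"] - alert["window_start"]).total_seconds()
        print(f"ALERT {alert['user']}: {alert['views_in_window']} views in {span:.0f}s")
```

The threshold has to be set against a baseline of how the organisation’s own users read records; a value that is quiet for a sales team may fire constantly for a support desk. The point of the rule is the one the article makes: the malware did not need a Salesforce.com flaw, so the telltale sign was not an exploit signature but a volume of legitimate-looking, authenticated reads that no human produces.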
The Zeus variant on the compromised machine was configured to detect Salesforce.com authenticated sessions (*.my.salesforce.com) instead of banking sites.
The variant was designed to crawl the site and create a real-time copy of the user’s Salesforce.com instance. A copy of the temporary folder that was created contained all the information from the company account.
“While our customer is still investigating the intent behind this attack, it’s easy to imagine how having real time access to a company’s CRM might be useful to its competitors’ sales process,” Luttwak explains.
Zeus is traditionally used to pilfer online banking credentials and transactions. The latest variant is thought to be the first Zeus variant targeted at harvesting data from enterprise SaaS applications. Although novel, the threat is not particularly sophisticated, and the “tailored SaaS data exfiltration capability” is all that really distinguishes it from the many banking trojans and other nasties created using ZeuS.
ZeuS is most accurately looked at as a crimeware creation that makes it straightforward to create highly customised banking trojans or other nasties, as the CRM malware isolated in the Adallom case illustrates.
Adallom reckons the malware used in this attack was planted like a landline on the compromised Win XP device (a home computer used by the worker involved to catch up with work at night or the weekend) using a phishing attack. Much the same approach could be used to harvest data from any software as a service application.
“All existing Zeus variants in the wild can be fairly easily re-purposed to steal information from SaaS applications, it’s just a matter of adding another webinject configuration pack,” Adallom’s Luttwak concludes.
“We are currently under responsible disclosure with several SaaS vendors for other attacks that have impacted our customers. Some, like the Office 365 ‘Ice Dagger’, are sophisticated. Others, like this ‘landline’, are not. However, they all target digital assets inside of SaaS applications because that’s where enterprise data is migrating.”
Adallom’s warning is underlined by a case last November involving attempts to use malware against clients of ERP giant SAP. Security researchers at ERPScan discovered a variant of the well-known Shiz remote access Trojan (RAT) which searched infected systems for the existence of SAP applications.
El Reg asked Salesforce.com to comment on Adallom’s research. It responded:
At salesforce.com, trust is our #1 value and we take the protection of our customers’ data very seriously. We currently have no evidence of this malware variant. We recommend our customers follow best practices for protecting their devices from malware. We provide security advice at http://trust.salesforce.com/trust/threats/security.