Security researchers from Adallom have analyzed the new type of attack

Feb 20, 2014 10:52 GMT  ·  By

Researchers from cloud security company Adallom have come across an interesting version of the notorious ZeuS Trojan. The new variant is designed to steal information from the customers of Salesforce.com.

Experts have dubbed this type of attack “landmining.” That’s because the cybercriminals lay “landmines” which wait for users to connect to Salesforce.com. When a connection is detected, company data from the Salesforce instance is exfiltrated.

Adallom highlights the fact that the Trojan doesn’t exploit a vulnerability in the cloud service in order to steal data. It simply rides on the trust relationship legitimately established between the user and the service: once the victim signs in from the infected machine, the malware operates inside that authenticated session, so the requests it makes look to Salesforce.com like the user’s own.

The company believes that this is the first ZeuS version that’s designed to target enterprise SaaS applications.

The first attack involving this ZeuS variant was spotted a few weeks ago, when hundreds of view operations were performed in a short amount of time from a single user’s account at one of Adallom’s customers.
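The signal that exposed the attack was a volume anomaly: far more record views from one account in a few minutes than any person browsing a CRM would produce. The following is an added example, not Adallom’s detection logic or any Salesforce tooling, of how such a burst detector can be written over audit events. The log format (`timestamp,user,action,record`), the five-minute window and the threshold of 100 views are assumptions, and the log itself is constructed for the demonstration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


def parse_event(line):
    """Parse one 'timestamp,user,action,record' line (assumed format) into a dict."""
    ts, user, action, record = line.strip().split(",", 3)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "user": user,
        "action": action,
        "record": record,
    }


def detect_view_bursts(lines, window=timedelta(minutes=5), threshold=100):
    """Flag any user whose View count inside a sliding time window reaches the threshold.

    Events are processed in timestamp order, so unsorted input is fine. One alert is
    emitted per user per burst: when the window first fills to the threshold, and not
    again until that user's window has drained below it.
    """
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    recent = defaultdict(deque)   # user -> timestamps of Views still inside the window
    alerting = set()              # users currently at or above the threshold
    alerts = []
    for ev in events:
        if ev["action"] != "View":
            continue
        q = recent[ev["user"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop views older than the window
            q.popleft()
        if len(q) >= threshold:
            if ev["user"] not in alerting:
                alerting.add(ev["user"])
                alerts.append({
                    "user": ev["user"],
                    "start": q[0],
                    "end": ev["ts"],
                    "views": len(q),
                })
        else:
            alerting.discard(ev["user"])
    return alerts


def build_sample_log():
    """Constructed audit log (not real Salesforce data): bob browses at a human pace,
    while alice's account views a record every second for five minutes."""
    base = datetime(2014, 1, 20, 9, 0, 0)
    lines = []
    for i in range(30):                                  # bob: 30 views over an hour
        t = base + timedelta(minutes=2 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ},bob,View,Account/{1000 + i}")
    lines.append(f"{base + timedelta(minutes=5):%Y-%m-%dT%H:%M:%SZ},bob,Edit,Account/1002")
    for i in range(300):                                 # alice: 300 views in 5 minutes
        t = base + timedelta(minutes=10, seconds=i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ},alice,View,Contact/{5000 + i}")
    return lines


if __name__ == "__main__":
    for a in detect_view_bursts(build_sample_log()):
        print(f"{a['user']}: {a['views']} views between {a['start']:%H:%M:%S} and {a['end']:%H:%M:%S}")
```

With the constructed log, alice trips the detector at her 100th view (09:11:39) while bob, with at most three views in any five-minute window, never does. In a real deployment the threshold would be set from each user's own baseline rather than a fixed constant, and the alert would carry the session and source details needed to trace it to a device, which is exactly what the investigation below had to reconstruct by hand.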

The incident was reported to the organization’s internal security team. The user from whose account the view operations had been performed knew nothing about it, and no malware was identified on his work computer.

They later discovered that his home computer, a machine running Windows XP that the employee was occasionally using to catch up on work, was the one infected with a ZeuS variant. Instead of targeting banking websites like most versions, this particular sample had been set up to monitor Salesforce.com authentication sessions.

The attack is still being investigated, but reaching a conclusion may take a while: the infected machine is a home computer outside the company’s monitoring, so no endpoint or network logs are available to reconstruct what happened.

It’s uncertain how the computer got infected, but experts highlight the fact that access to a company’s customer relationship management (CRM) systems could be highly valuable to a competitor.

The most concerning aspect is that such an attack pattern can be replicated against any SaaS application.

“Even more disturbing is the fact that all existing Zeus variants in the wild can be fairly easily re-purposed to steal information from SaaS applications, it’s just a matter of adding another webinject configuration pack,” Ami Luttwak, co-founder and CTO of Adallom, noted in a blog post.

Additional details on these types of attacks are available on Adallom’s blog.