U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Cyber Crime

Zeus variant hit Software-as-a-service applications

Discovered a Zeus variant that implements a web-crawling feature to hit Software-as-a-service applications to obtain access to proprietary data or code This is the second news on Zeus malware in less than a week, previous one was related to a new variant using steganography to hide configuration file, this last discovery is related to a version even more […]

Zeus variant hit Software-as-a-service applications

Discovered a Zeus variant that implements a web-crawling feature to hit Software-as-a-service applications to obtain access to proprietary data or code

This is the second news on Zeus malware in less than a week, previous one was related to a new variant using steganography to hide configuration file, this last discovery is related to a version even more sophisticated that implements a web-crawling feature.

We have been accustomed to associate the name of the feared Zeus banking trojan to the capability to target customers of financial institutions, nut this version appears  different because it has been designed to hit Software-as-a-service (SaaS) applications to obtain access to proprietary data or code. Software-as-a-service is a software delivery model in which software and associated data are centrally hosted on a cloud architecture. SaaS has become a common delivery model for many business applications including Office & Messaging software, DBMS software, Development software, Virtualization and many others.

The SaaS Security firm vendor Adallom, detected a malware-based campaign against Salesforce.com users, the Zeus variant used implements the web crawling capabilities to grab sensitive business data from the CRM. The attacks originated from Salesforce employee’s home computer, this variant of Zeus trojan crawled the site and created a real-time copy of the user’s Salesforce.com instance that included all the company account data.

“We’ve been internally referring to this type of attack as “landmining”, since the attackers laid “landmines” on unmanaged devices used by employees to access company resources. The attackers, now bypassing traditional security measures, wait for the user to connect to *.my.salesforce.com in order to exfiltrate company data from the user’s Salesforce instance.” reported the official post issued mt Adallom.

Experts at Adallom discovered the campaign because noted approximately 2GB of data been downloaded to the victim’s computer in a few minutes, the malware authors exploited Zeus Web inject capabilities  for the purpose of data harvesting and exfiltration.  
This is not an exploit of a Salesforce.com vulnerability; this Zeus attack takes advantage of the trust relationship that is legitimately established between the end-user and Salesforce.com once the user has authenticated.” Furthermore, while Zeus usually hijacks the user session and performs wire transactions, this variant crawled the site and created a real time copy of the user’s Salesforce.com instance. A copy of the temporary folder created (shown below) contained all the information from the company account. 

Zeus web crawler

 

The researchers noted another interesting detail, some of the Zeus parameters were hard-coded, and this and this suggests that discovered variant was used as a specially crafted tool in a larger attack. The alarming consideration is related to the possibility to replicate the attack scheme against any company using any SaaS application. 

The investigation is still on going, security  expert at Adallom Labs are working to identify responsible for the attacks and the infection vector the exploited to compromise end-user machines.

Pierluigi Paganini

(Security Affairs –  Zeus trojan, Software-as-a-service applications)