Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
thnSwati KhandelwalTHN:2B1336866E09976F457A9E4A1E94C4C2
HistoryOct 08, 2015 - 8:53 p.m.

Hackers Backdooring Cisco WebVPN To Steal Customers’ Passwords

2015-10-0820:53:00
Swati Khandelwal
thehackernews.com
21

EPSS

0.002

Percentile

51.7%

JSON

cisco-webvpn

Virtual Private Networks (VPNs), which is widely used by many businesses and organisations to provide secure access to their workers, are being abused to pilfer corporate user credentials.

Researchers from security firm Volexity discovered a new attack campaign that targets a widely used VPN product by Cisco Systems to install backdoors that collect employees’ usernames and passwords used to login to corporate networks.

The product in question is Cisco Systems’ Web-based VPN – Clientless SSL VPN.

Once an employee is authenticated, Clientless SSL VPNs allows him/her to access internal web resources, browse internal file shares, and launch plug-ins, which let them access internal web resources through telnet, SSH, or similar network protocols.

The backdoor containsmalicious JavaScript codethat attackers used to inject into the login pages. Once injected, the backdoor is hard to detect because the malicious JavaScript is hosted on an external compromised website and accessed only via secure HTTPS connections.

> _“Unfortunately, Volexity has found that [many] organizations are silently being victimized through this very login page,” _Volexity wrote in a blog post published Wednesday. “This begs the question: How are the attackers managing to pull this off?

Methods to Install Backdoor

According to researchers, the backdoor is installed through two different entry points:

  1. An exploit that relies on acritical flaw(CVE-2014-3393) in the Clientless SSL VPN that Cisco patched more than 12 months ago.
  2. Hackers gaining administrative accessand using it to load the malicious code.

Infected Targets

Volexity observed this new campaign successfully infected the following organisations:

  • Medical Think Tank
  • Universities, NGOs and Academic Institutions
  • Multinational Electronics manufacturers
  • Non-governmental organizations

In response to the issue, a Cisco spokesperson released a statement saying that the company is aware of the Volexity report and that it released the patches last year.

Cisco customers can also protect themselves against such threats by following Firewall best practices, the official added.

You can head on to Volexity official blog post, where the company has provided full technical details about the attack, along with suggestions for detecting and removing the VPN infections.

Related

threatpost 1
cvelist 1
fireeye 1
cisco 2
prion 1
nvd 1
openvas 1
cve 1
securityvulns 2
nessus 1
threatpost
threatpost
DHS Urges Vigilance in Protecting Networking Gear
2016-09-08 11:09:20
cvelist
cvelist
CVE-2014-3393
2014-10-10 10:00:00
fireeye
fireeye
99 Problems but Two-Factor Ain’t One
2016-03-23 08:00:00
cisco
cisco
Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability
2014-10-08 16:22:26
Multiple Vulnerabilities in Cisco ASA Software
2014-10-08 16:00:00
prion
prion
Authentication flaw
2014-10-10 10:55:00
nvd
nvd
CVE-2014-3393
2014-10-10 10:55:06
openvas
openvas
Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability (cisco-sa-20141008-asa)
2015-03-13 00:00:00
cve
cve
CVE-2014-3393
2014-10-10 10:55:06
securityvulns
securityvulns
Cisco ASA multiple DoS vulnerabilities
2014-10-13 00:00:00
Cisco ASA multiple security vulnerabilities
2015-07-14 00:00:00
nessus
nessus
Cisco ASA Software Multiple Vulnerabilities (cisco-sa-20141008-asa)
2014-10-10 00:00:00

EPSS

0.002

Percentile

51.7%

JSON
Related for THN:2B1336866E09976F457A9E4A1E94C4C2
threatpost1cvelist1fireeye1cisco2prion1nvd1openvas1cve1securityvulns2nessus1