Bad actors target entities worldwide via Cisco WebVPN

Pierluigi Paganini October 09, 2015

Experts at Volexity discovered a hacking campaign targeting the CISCO WebVPN VPN product, attackers aim to steal corporate login credentials.

A virtual private network (VPN) allows to extend a private network across a public connection, they are mainly used to protect users’ privacy and improve security for data in transit.

Virtual Private Networks are commonly used many companies and organizations to provide a secure access to internal resources, but what is someone it able to syphon corporate user credentials?

Researchers from the security firm Volexity discovered a new attack campaign that targets a widely used VPN product developed by Cisco Systems, Cisco Clientless SSL VPN (CISCO WebVPN). The attackers installed a backdoor to gather employees’ login credentials while the victims access internal web resources, browse internal file shares, and launch plug-ins.

“Last month at the CERT-EU Conference in Brussels, Belgium, Volexity gave a presentation on a recent evolution in how attackers are maintaining persistence within victim networks. The method, which involves modifying the login pages to Cisco Clientless SSL VPNs (Web VPN), is both novel and surprisingly obvious at the same time. Attackers have been able to successfully implant JavaScript code on the login pages that enables them to surreptitiously steal employee credentials as they login to access internal corporate resources.” states the blog post published by Volexity.

The backdoor used by the threat actors contains malicious JavaScript code that is injected into the login pages. This method is very effective, once the JavaScript is injected in the login page it can steal the users’ credentials. The backdoor is very hard to detect because the malicious JavaScript is hosted on an external website and accessed only via secure HTTPS connections.

In one campaign observed by the experts at Volexity, the threat actors hosted the malicious script on the hacked website of a legitimate NGO, anyway the list of compromised website is long and includes medical organizations, NGOs, universities and academic institutions, think tanks and multinational electronics and manufacturing companies.

“Unfortunately, Volexity has found that [many] organizations are silently being victimized through this very login page,” Volexity wrote in the blog post.


How are the attackers deploying the backdoor? The experts explained that the backdoor used in the campaign targeting Cisco WebVPN is installed through different attack scenarios:

  • An exploit that triggers the a critical flaw (CVE-2014-3393) in the Clientless SSL VPN that Cisco patched more that one year ago.
  • Hackers gaining administrative access and using it to inject the malicious Javascript.

“Attackers are typically able to gain ‘legitimate’ access throughout a victim organization’s environment by installing keyloggers, dumping credentials from systems, exfiltrating documents (spreadsheets) that contain password lists, and identifying passwords that are commonly reused by administrators,” wrote th eVolexity founder Steven Adair. “Once armed with these credentials, an attacker with access to a victim’s network can typically perform the same functions as any administrator or highly-privileged individual within the company.”

Many of the attacks observed by the researchers at Volexity targeted high-tech and government organizations in Japan. The hackers modified the Cisco WebVPN login pages to load JavaScript code associated with the reconnaissance framework called Scanbox that is very popular among Chinese APTs.

Scanbox has numerous plugins that implement keyloging capability.

Cisco confirmed that it is aware of the discovery made by the researchers at Volexity and states that it already released the patches for the Cisco WebVPN last year. Cisco customers are invited to implement the Firewall best practices.

Pierluigi Paganini

(Security Affairs – Cisco WebVPN,  cybercrime)

you might also like

leave a comment