A virtual private network (VPN) extends a private network across a public connection; VPNs are mainly used to protect users' privacy and to secure data in transit.
Virtual Private Networks are commonly used by many companies and organizations to provide secure access to internal resources, but what if someone is able to siphon corporate user credentials from the VPN itself?
Researchers from the security firm Volexity discovered a new attack campaign that targets a widely used VPN product developed by Cisco Systems, Cisco Clientless SSL VPN (CISCO WebVPN). The attackers installed a backdoor to gather employees’ login credentials while the victims access internal web resources, browse internal file shares, and launch plug-ins.
In one campaign observed by the experts at Volexity, the threat actors hosted the malicious script on the hacked website of a legitimate NGO, and the list of compromised websites is long: it includes medical organizations, NGOs, universities and academic institutions, think tanks, and multinational electronics and manufacturing companies.
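Because the campaign above loaded its credential-stealing script from an unrelated compromised site, one practical integrity check for defenders is to inspect the VPN login page for `<script>` tags whose source is a host other than the appliance's own. The following Python snippet is an added example, not code from the article or from Volexity; the hostnames, page contents and the trusted-host list are constructed for illustration, and a real check would feed it the HTML fetched from the appliance (or a saved copy) on a schedule and alert on any change.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptSourceCollector(HTMLParser):
    """Collects every <script src=...> value and counts inline scripts."""

    def __init__(self):
        super().__init__()
        self.sources = []
        self.inline_count = 0

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src and src.strip():
            self.sources.append(src.strip())
        else:
            self.inline_count += 1  # inline <script>...</script> block


def find_foreign_scripts(html, trusted_hosts):
    """Return (foreign_script_urls, inline_script_count) for a login page.

    A script is 'foreign' when its src carries a hostname that is not in
    trusted_hosts. Relative URLs (no hostname) are treated as same-origin.
    Scheme-less '//host/path' URLs are resolved by urlparse to a hostname.
    """
    parser = ScriptSourceCollector()
    parser.feed(html)
    trusted = {h.lower() for h in trusted_hosts}
    foreign = []
    for src in parser.sources:
        host = urlparse(src).hostname
        if host and host.lower() not in trusted:
            foreign.append(src)
    return foreign, parser.inline_count


# Constructed sample: the appliance's own hostname is the only trusted origin.
TRUSTED_HOSTS = {"vpn.example.com"}

# Constructed baseline page: one local script and one inline script.
CLEAN_LOGIN_PAGE = """
<html><head><title>SSL VPN Service</title>
<script src="/+CSCOE+/login.js"></script>
<script>document.forms[0].username.focus();</script>
</head><body><form method="post"><input name="username"><input name="password" type="password"></form></body></html>
"""

# Constructed tampered page: an extra script pulled from an unrelated third-party host.
TAMPERED_LOGIN_PAGE = CLEAN_LOGIN_PAGE.replace(
    "</head>",
    '<script src="https://ngo-site.example/js/login-helper.js"></script></head>',
)


def audit_login_page(html, trusted_hosts=TRUSTED_HOSTS):
    """Produce human-readable findings; empty list means nothing suspicious."""
    foreign, inline_count = find_foreign_scripts(html, trusted_hosts)
    findings = [f"script loaded from untrusted host: {src}" for src in foreign]
    return findings


if __name__ == "__main__":
    for name, page in (("clean", CLEAN_LOGIN_PAGE), ("tampered", TAMPERED_LOGIN_PAGE)):
        print(name, audit_login_page(page) or "no foreign scripts")
```

Pair this with a stored hash of the known-good page so that changes to inline scripts, which this check only counts, also raise an alert.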
“Unfortunately, Volexity has found that [many] organizations are silently being victimized through this very login page,” Volexity wrote in the blog post.
How are the attackers deploying the backdoor? The experts explained that the backdoor used in the campaign targeting Cisco WebVPN is installed through different attack scenarios:
“Attackers are typically able to gain ‘legitimate’ access throughout a victim organization’s environment by installing keyloggers, dumping credentials from systems, exfiltrating documents (spreadsheets) that contain password lists, and identifying passwords that are commonly reused by administrators,” wrote the Volexity founder Steven Adair. “Once armed with these credentials, an attacker with access to a victim’s network can typically perform the same functions as any administrator or highly-privileged individual within the company.”
Scanbox has numerous plugins that implement keylogging capability.
Cisco confirmed that it is aware of the discovery made by the researchers at Volexity and states that it already released patches for Cisco WebVPN last year. Cisco customers are invited to follow the firewall best practices.
(Security Affairs – Cisco WebVPN, cybercrime)