Researchers identified a flaw in Cisco’s WebVPN — Hackers managed to install backdoors via two methods on the service — This weakness allows hackers to steal corporate account passwords when employees logged into their accounts.
Hackers managed to load backdoors via different JavaScript snippets which were then loaded on Cisco’s ASA WebVPN service.
The procedure involved performing a standard XSS attack at the Logon.html page. The page where corporate users enter their username/password combos.
The CVE-2014-3393 vulnerability was being exploited by hackers to install JavaScript snippets and the login pages are being modified to record the data users typed in the login fields.
This can be termed as the second major exploitation of infrastructure at Cisco in the past month when unknown hackers installed a malicious firmware in Cisco’s routers via SYNful Knock attack.
In February 2015, this bug was fixed but not all of the companies updated their services or equipment and therefore, hackers kept on benefitting from this weakness and HTTPS-protected JS files were used to install the backdoor.
Volexity Researchers Explain the Issue:
According to researchers at Volexity, a very simplistic JavaScript snippet was loaded to perform the XSS and steal the login credentials.
This snippet was taken from a public scripts-sharing website. Its identification was difficult because the JS file was hidden immaculately via an encrypted connection, which was loaded via HTTPS.
Snowden Exposes “Smurf Suite”, Reveals GCHQ Hacked Cisco Routers in Pakistan
The XSS-HTTPS method presumably has been used for the first time. The second time, the process became a bit complex.
If hackers had compromised the corporate networks they could have easily installed the backdoor using the WebVPN administrative interface, which seems an unlikely scenario.
Volexity researchers noticed that the backdoors are easily and actively exploited.
Various organizations from prominent fields such as medical, NGO, electronics, manufacturing and academic have already been targeted by hackers, said the Volexity team.
They also believe that 2FA (two-factor authentication) if enabled would add an extra layer of protection, but in this kind of an attack it didn’t matter as hackers have already created an entry point into the system.
However, if 2FA was enabled, only the JS code would need to be modified to perform a session cookie hijacking or the 2FA token instead would need to be hijacked.
Veloxity