Virtual Private Networks (VPNs), which is widely used by many businesses and organisations to provide secure access to their workers, are being abused to pilfer corporate user credentials.

Researchers from security firm Volexity discovered a new attack campaign that targets a widely used VPN product by Cisco Systems to install backdoors that collect employees' usernames and passwords used to login to corporate networks.

The product in question is Cisco Systems' Web-based VPN – Clientless SSL VPN.

Once an employee is authenticated, Clientless SSL VPNs allows him/her to access internal web resources, browse internal file shares, and launch plug-ins, which let them access internal web resources through telnet, SSH, or similar network protocols.

The backdoor contains malicious JavaScript code that attackers used to inject into the login pages. Once injected, the backdoor is hard to detect because the malicious JavaScript is hosted on an external compromised website and accessed only via secure HTTPS connections.
"Unfortunately, Volexity has found that [many] organizations are silently being victimized through this very login page," Volexity wrote in a blog post published Wednesday. "This begs the question: How are the attackers managing to pull this off?"

Methods to Install Backdoor

According to researchers, the backdoor is installed through two different entry points:
  1. An exploit that relies on a critical flaw (CVE-2014-3393) in the Clientless SSL VPN that Cisco patched more than 12 months ago.
  2. Hackers gaining administrative access and using it to load the malicious code.

Infected Targets

Volexity observed this new campaign successfully infected the following organisations:
  • Medical Think Tank
  • Universities, NGOs and Academic Institutions
  • Multinational Electronics manufacturers
  • Non-governmental organizations
In response to the issue, a Cisco spokesperson released a statement saying that the company is aware of the Volexity report and that it released the patches last year.

Cisco customers can also protect themselves against such threats by following Firewall best practices, the official added.

You can head on to Volexity official blog post, where the company has provided full technical details about the attack, along with suggestions for detecting and removing the VPN infections.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.