
Corporate VPNs In The Bullseye

When the corporate virtual private network gets 0wned.

Virtual private network (VPN) connections can provide a false sense of security, and two separate and newly discovered attack campaigns exploiting the much-vaunted corporate channel serve as a wakeup call for how attackers can abuse and use VPNs.

Researchers at Volexity have witnessed attackers going after the corporate VPN by altering the login pages of Cisco Systems' Web-based VPN (the Clientless SSL VPN), injecting JavaScript code into those pages in order to pilfer corporate user credentials at the VPN login stage. It's all in the name of the "P" in APT: "persistence."

Meanwhile, enSilo researchers spotted a cyber espionage attack using a remote access Trojan (RAT) that, among other things, allows an attacker to log into a machine it infects using the user's legitimate credentials. The so-called Moker RAT disables and sneaks past antivirus, sandboxes, and virtual machine-based tools, as well as Microsoft Windows' User Account Control (UAC) feature.

Moker, which attaches itself to the Windows operating system and poses as a legitimate OS process, can be used by the attacker to operate "locally," according to enSilo. "Consider a scenario where the attacker logs on to the infected machine using the VPN credentials of a legitimate user. In that case, the attacker connects to the machine from remote – but locally controls Moker," says Yotam Gottesman, a senior security researcher at enSilo. "The attacker can then perform all the cyber espionage activities one imagines a RAT doing, such as keylogging, taking screenshots, monitoring Web traffic – and even altering it."

In the Cisco VPN attacks detailed by Volexity, one method exploits a known and patched authentication-check vulnerability in the Cisco Clientless SSL VPN portal, CVE-2014-3393. In February, Cisco issued a notice warning of public exploits for the flaw. There's also a Metasploit module available for the attack. "While Cisco provided updated software to address the vulnerability, attackers were already off to the races. Vulnerable organizations that were slow to update may have received an unwelcome addition to the source of their logon.html file," Volexity researchers wrote in a blog post today.

Japanese government and high-tech firms have been the most commonly spotted targets of this attack, according to Volexity. "In these attacks, multiple Japanese organizations were compromised and had their Cisco Web VPN portals modified to load additional JavaScript code," the post says.

The weakness in Cisco's Web-based VPN isn't unique to Cisco, however, according to Volexity. "Attackers are continuing to find new ways to use and abuse systems for long term persistent access to networks and systems of interest. This problem is not remotely unique to Cisco Web VPNs. Any other VPN, web server, or appliance that an attacker can gain administrative access to or otherwise customize/modify will potentially present similar risks," Volexity says.
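The defensive counterpart to the tampering Volexity describes is routine integrity checking of the portal's login page: fetch it, compare it against a known-good copy, and flag any script reference or inline script that was not in the baseline. The following is an added example, not code from the article, from Volexity or from Cisco; the two HTML pages are constructed placeholders (not Cisco's real logon.html), and the allowlist of script hosts and the function names are assumptions for illustration.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a known-good snapshot of a clientless VPN login page
# (placeholder content, not Cisco's actual logon.html).
BASELINE_PAGE = """<html><head><title>SSL VPN Service</title>
<script src="/static/portal.js"></script></head>
<body><form method="post" action="/login">
<input name="username"><input name="password" type="password"></form>
</body></html>"""

# Constructed sample of the same page after tampering: one extra external
# script and one inline script were appended before </body>.
TAMPERED_PAGE = BASELINE_PAGE.replace(
    "</body>",
    '<script src="https://cdn.example-attacker.test/lib.js"></script>'
    '<script>document.forms[0].onsubmit = function () { /* ... */ };</script>'
    "</body>",
)


class _ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []   # values of <script src="...">
        self.inline = []     # bodies of <script>...</script> without src
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser delivers <script> content as raw data, so buffer it here.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._buf).strip()
            if body:
                self.inline.append(body)


def page_hash(html):
    """SHA-256 of the page text; a cheap first-pass integrity check."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


def audit_login_page(html, baseline_html, allowed_hosts):
    """Compare a fetched login page against a known-good baseline.

    Returns a list of human-readable findings; an empty list means the
    page is byte-for-byte identical to the baseline.
    """
    findings = []
    if page_hash(html) == page_hash(baseline_html):
        return findings
    findings.append("page hash differs from baseline")

    base, cur = _ScriptCollector(), _ScriptCollector()
    base.feed(baseline_html)
    cur.feed(html)

    # Any script reference that is not in the baseline is suspicious; one
    # pointing at a host outside the allowlist is the classic injection sign.
    for src in cur.external:
        if src in base.external:
            continue
        host = urlparse(src).netloc
        if host and host not in allowed_hosts:
            findings.append(f"new external script from unexpected host: {src}")
        else:
            findings.append(f"new script reference not in baseline: {src}")

    # Inline scripts are compared by hash so a baseline with legitimate
    # inline code still passes, while any added body is reported.
    base_inline = {hashlib.sha256(b.encode()).hexdigest() for b in base.inline}
    for body in cur.inline:
        if hashlib.sha256(body.encode()).hexdigest() not in base_inline:
            findings.append("new inline script not in baseline: " + body[:60])
    return findings


if __name__ == "__main__":
    for finding in audit_login_page(TAMPERED_PAGE, BASELINE_PAGE, set()):
        print(finding)
```

In practice the baseline would be captured immediately after patching and stored off the appliance, since an attacker with administrative access to the device can rewrite whatever copy lives on it; the comparison runs from a separate monitoring host on a schedule.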

enSilo first found Moker on a customer's machine in a "sensitive" network environment. Gottesman says his team isn't yet sure who is behind the attacks or where they are located, but it's likely an attacker with advanced skill and resources. Among its capabilities are creating a new user account and opening a Remote Desktop Protocol channel for remote control of the endpoint; taking screenshots, monitoring keystrokes, and stealing files; and replacing legitimate code with malware in the system processes.

"What made this an interesting APT is that it gave us a deep look into the malware: from the ways it defeats security measures, such as using 2-step installation and exploiting various Windows vulnerabilities, to trying to deceive security researchers once detected," Gottesman says. "It’s obvious that the malware’s authors invested heavily in this malware."

When Moker creates a new user with the stolen admin privileges, the victim has no idea because the attacker has cheated UAC. The attacker then further covers his tracks: "The new administrator user never visually appears on the login screen. During cleanup, this user is also deleted from the system," he says. "Apart from trying to remain stealthy, it looks like the threat actors were also looking at extending the malware’s longevity by placing many anti-research capabilities."
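The behaviour described here, a local administrator account that is created, used over RDP and then deleted again, leaves a recognisable trail in the Windows Security log even when the account never shows on the login screen: event 4720 (user account created), 4732 (member added to a local security group), 4624 with logon type 10 (RemoteInteractive, i.e. RDP) and 4726 (user account deleted). The following detection is an added example, not code from the article or from enSilo; the pipe-delimited event lines are a constructed flattening of those events, the account names are invented, and the 24-hour lifetime threshold is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample of Windows Security events, flattened to one line each:
# "<timestamp>|<event id>|<target account>|<key=value ...>"
# 4720 = account created, 4732 = added to local group, 4624 = logon,
# 4726 = account deleted. Names and times are invented for illustration.
SAMPLE_EVENTS = """\
2015-10-09T21:00:05|4720|helpdesk2|subject=jdoe
2015-10-09T21:00:07|4732|helpdesk2|group=Administrators
2015-10-09T21:05:31|4624|helpdesk2|logon_type=10
2015-10-09T22:40:12|4726|helpdesk2|subject=jdoe
2015-10-09T08:15:00|4720|newhire_amy|subject=hr_admin
2015-10-09T08:15:03|4732|newhire_amy|group=Users
"""


@dataclass
class AccountTimeline:
    """Lifecycle markers collected per target account."""
    created: Optional[datetime] = None
    admin_added: Optional[datetime] = None
    deleted: Optional[datetime] = None
    remote_logons: int = 0


def parse_events(text):
    """Parse the constructed line format into (time, event_id, target, fields)."""
    events = []
    for line in text.strip().splitlines():
        ts, eid, target, extra = line.split("|", 3)
        fields = dict(item.split("=", 1) for item in extra.split() if "=" in item)
        events.append((datetime.fromisoformat(ts), int(eid), target, fields))
    # Sort by time so out-of-order collection does not confuse the lifecycle.
    return sorted(events, key=lambda e: e[0])


def find_short_lived_admins(text, max_lifetime=timedelta(hours=24)):
    """Report accounts that were created, made local admins and deleted
    within max_lifetime. Returns a list of dicts, one per suspicious account."""
    timelines = {}
    for ts, eid, target, fields in parse_events(text):
        t = timelines.setdefault(target, AccountTimeline())
        if eid == 4720:
            t.created = ts
        elif eid == 4732 and fields.get("group") == "Administrators":
            t.admin_added = ts
        elif eid == 4624 and fields.get("logon_type") == "10":
            t.remote_logons += 1
        elif eid == 4726:
            t.deleted = ts

    alerts = []
    for name, t in timelines.items():
        if not (t.created and t.admin_added and t.deleted):
            continue
        lifetime = t.deleted - t.created
        if lifetime <= max_lifetime:
            alerts.append({
                "account": name,
                "lifetime_seconds": int(lifetime.total_seconds()),
                "rdp_logons": t.remote_logons,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_short_lived_admins(SAMPLE_EVENTS):
        print(alert)
```

The heuristic deliberately keys on the full create/elevate/delete sequence rather than on account creation alone, so a normal onboarding (the `newhire_amy` lines) produces nothing; in a real deployment the same correlation would run over events exported from the endpoint or a SIEM, and the deletion event is the useful anchor precisely because the cleanup step the article describes is what makes the account otherwise hard to notice.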

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

10/9/2015 | 10:30:09 PM
Moker malware
It appears to be a quite sophisticated virus based on the operations it is able to perform. As system administrators or network administrators, "patching and updating" is a key ingredient to ensure that the vulnerabilities in the system are patched.