Corporate VPNs In The Bullseye

When the corporate virtual private network gets 0wned.

Virtual private network (VPN) connections can provide a false sense of security, and two separate and newly discovered attack campaigns exploiting the much-vaunted corporate channel serve as a wakeup call for how attackers can abuse and use VPNs.

Researchers at Volexity have witnessed attackers going after the corporate VPN by altering the login pages to Cisco Systems' Web-based VPN, Clientless SSL VPNs via JavaScript code injected into the login pages in order to pilfer corporate user credentials at the VPN login phase.  It's all in the name of the "P" in APT: "persistence."

Meanwhile, enSilo researchers spotted a cyber espionage attack using a remote access Trojan (RAT) that among other things allows an attacker to log into a machine it infects using the user's legitimate credentials. The so-called Moker RAT disables and sneaks past antivirus, sandboxes, and virtual machine-based tools, as well as Microsoft Windows' User Access Control (UAC) feature.

Moker, which attaches itself to the Windows operating system and poses as a legitimate OS process, can be used by the attacker to operate "locally," according to enSilo. "Consider a scenario where the attacker logs on to the infected machine using the VPN credentials of a legitimate user. In that case, the attacker connects to the machine from remote – but locally controls Moker," says Yotam Gottesman, a senior security researcher at enSilo. "The attacker can then perform all the cyber espionage activities one imagines a RAT doing such keylogging, taking screenshots, monitoring Web traffic – and even altering it."

In the Cisco VPN attacks detailed by Volexity, one method exploits a known and patched authentication-check vulnerability in the Cisco Clientless SSL VPN portal, CVE-2014-3393. In February, Cisco issued a notice warning of public exploits for the flaw. There's also Metasploit module available for the attack. "While Cisco provided updated software to address the vulnerability, attackers were already off to the races. Vulnerable organizations that were slow to update may have received an unwelcome addition to the source of their logon.html file," Volexity researchers wrote in a blog post today.

Japanese government and high-tech firms have been the most commonly spotted targets of this attack, according to Volexity. "In these attacks, multiple Japanese organizations were compromised and had their Cisco Web VPN portals modified to load additional JavaScript code," the post says.

The weakness in Cisco's Web-based VPN isn't unique to Cisco, however, according to Volexity. "Attackers are continuing to find new ways to use and abuse systems for long term persistent access to networks and systems of interest. This problem is not remotely unique to Cisco Web VPNs. Any other VPN, web server, or appliance that an attacker can gain administrative access to or otherwise customize/modify will potentially present similar risks," Volexity says.


enSilo first found Moker on a customer's machine in a "sensitive" network environment. Gottesman says his team thus far isn't sure of who's behind the attacks or their geographic location, but it's likely an attacker with advanced skill and resources. Among its capabilities is creating a new user account and opening a Remote Desktop Protocol channel for remote control of the endpoint; taking screenshots, monitoring keystrokes, stealing files; and replacing legitimate code with malware in the system processes.

 "What made this an interesting APT is that it gave us a deep look into the malware: from the ways it defeats security measures, such as using 2-step installation and exploiting various Windows vulnerabilities, to trying and deceive security researchers once detected," Gottesman says. "It’s obvious that the malware’s authors invested heavily in this malware."

When Moker creates a new user with the stolen admin privileges, the victim has no idea because the attacker has cheated UAC. The attacker then further covers his tracks: "The new administrator user never visually appears on the on the login screen. During cleanup, this user is also deleted from the system," he says. "Apart from trying to remain stealthy, it looks like the threat actors were also looking at extending the malware’s longevity by placing many anti-research capabilities."

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights