
Endpoint

10/8/2015 05:45 PM

Corporate VPNs In The Bullseye

When the corporate virtual private network gets 0wned.

Virtual private network (VPN) connections can provide a false sense of security, and two separate and newly discovered attack campaigns exploiting the much-vaunted corporate channel serve as a wakeup call for how attackers can abuse and use VPNs.

Researchers at Volexity have witnessed attackers going after the corporate VPN by altering the login pages of Cisco Systems' Web-based Clientless SSL VPN: JavaScript code injected into the login pages pilfers corporate user credentials at the VPN login phase. It's all in the name of the "P" in APT: "persistence."

Meanwhile, enSilo researchers spotted a cyber espionage attack using a remote access Trojan (RAT) that among other things allows an attacker to log into a machine it infects using the user's legitimate credentials. The so-called Moker RAT disables and sneaks past antivirus, sandboxes, and virtual machine-based tools, as well as Microsoft Windows' User Access Control (UAC) feature.

Moker, which attaches itself to the Windows operating system and poses as a legitimate OS process, can be used by the attacker to operate "locally," according to enSilo. "Consider a scenario where the attacker logs on to the infected machine using the VPN credentials of a legitimate user. In that case, the attacker connects to the machine from remote – but locally controls Moker," says Yotam Gottesman, a senior security researcher at enSilo. "The attacker can then perform all the cyber espionage activities one imagines a RAT doing, such as keylogging, taking screenshots, monitoring Web traffic – and even altering it."

In the Cisco VPN attacks detailed by Volexity, one method exploits a known and patched authentication-check vulnerability in the Cisco Clientless SSL VPN portal, CVE-2014-3393. In February, Cisco issued a notice warning of public exploits for the flaw. There's also a Metasploit module available for the attack. "While Cisco provided updated software to address the vulnerability, attackers were already off to the races. Vulnerable organizations that were slow to update may have received an unwelcome addition to the source of their logon.html file," Volexity researchers wrote in a blog post today.

Japanese government and high-tech firms have been the most commonly spotted targets of this attack, according to Volexity. "In these attacks, multiple Japanese organizations were compromised and had their Cisco Web VPN portals modified to load additional JavaScript code," the post says.

The weakness in Cisco's Web-based VPN isn't unique to Cisco, however, according to Volexity. "Attackers are continuing to find new ways to use and abuse systems for long term persistent access to networks and systems of interest. This problem is not remotely unique to Cisco Web VPNs. Any other VPN, web server, or appliance that an attacker can gain administrative access to or otherwise customize/modify will potentially present similar risks," Volexity says.
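The practical defensive takeaway from the Volexity findings is that the served login page is itself an integrity-critical artifact: an appliance that lets an administrator (or someone holding administrator access) customize it will happily serve whatever was injected. The check below is an added example, not Volexity's or Cisco's code. It assumes the portal's logon.html has been fetched to a string and that a known-good SHA-256 baseline was recorded when the portal was deployed; the sample pages, the baseline and the allow-list of script hosts are all constructed for the illustration, and the appliance paths in them are placeholders.

```python
"""Integrity and injection check for a Clientless SSL VPN login page.

Added example (not Volexity's or Cisco's code). Assumes logon.html has been
fetched to a string and a known-good SHA-256 baseline exists. Sample pages,
baseline and allow-list below are constructed for the illustration.
"""
import hashlib
import re
from urllib.parse import urlparse

# Constructed sample: a clean logon.html as the appliance would serve it.
CLEAN_PAGE = """<html><head><title>SSL VPN Service</title>
<script src="/logon.js"></script></head>
<body><form action="/login" method="post">
<input name="username"><input name="password" type="password"></form>
</body></html>"""

# Constructed sample: the same page with a remote script tag injected.
TAMPERED_PAGE = CLEAN_PAGE.replace(
    "</head>",
    '<script src="https://injected-host.example/logon.js"></script></head>')

# Constructed sample: the same page with an inline script block injected.
TAMPERED_INLINE = CLEAN_PAGE.replace(
    "</head>", "<script>/* injected */</script></head>")

# Constructed baseline, recorded from the clean page at deployment time.
BASELINE_SHA256 = hashlib.sha256(CLEAN_PAGE.encode()).hexdigest()

# Hosts the portal may load scripts from. The empty string stands for a
# relative URL, i.e. a script served by the appliance itself (assumption:
# the portal is expected to load nothing from third-party hosts).
ALLOWED_SCRIPT_HOSTS = {""}

SCRIPT_SRC = re.compile(r'<script[^>]*\ssrc\s*=\s*["\']([^"\']+)["\']', re.I)
INLINE_SCRIPT = re.compile(r'<script(?![^>]*\ssrc)[^>]*>(.*?)</script>',
                           re.I | re.S)


def page_hash(page: str) -> str:
    """SHA-256 of the page text, for comparison against the baseline."""
    return hashlib.sha256(page.encode()).hexdigest()


def foreign_script_sources(page: str) -> list:
    """Return every script src whose host is not on the allow-list."""
    hits = []
    for src in SCRIPT_SRC.findall(page):
        host = urlparse(src).netloc.lower()
        if host not in ALLOWED_SCRIPT_HOSTS:
            hits.append(src)
    return hits


def inline_script_count(page: str) -> int:
    """Count <script> blocks without a src attribute (inline code)."""
    return len(INLINE_SCRIPT.findall(page))


def check_page(page: str, baseline_sha256: str) -> dict:
    """Combine the hash comparison with the content heuristics.

    The hash catches any change at all; the heuristics say which kind of
    change it was, so an operator can triage a legitimate re-branding
    against an injected credential collector.
    """
    foreign = foreign_script_sources(page)
    matches = page_hash(page) == baseline_sha256
    return {
        "hash_matches_baseline": matches,
        "foreign_script_sources": foreign,
        "inline_scripts": inline_script_count(page),
        "suspicious": (not matches) or bool(foreign),
    }


if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("remote-src", TAMPERED_PAGE),
                       ("inline", TAMPERED_INLINE)):
        print(name, check_page(page, BASELINE_SHA256))
```

Run on a schedule from a host that is not the appliance, the hash comparison alone turns the "unwelcome addition to logon.html" Volexity describes into an alert; the script-source and inline-script counts are there so that the alert says whether the change pulls code from somewhere the portal should never reach.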

Moker

enSilo first found Moker on a customer's machine in a "sensitive" network environment. Gottesman says his team thus far isn't sure of who's behind the attacks or their geographic location, but it's likely an attacker with advanced skill and resources. Among its capabilities is creating a new user account and opening a Remote Desktop Protocol channel for remote control of the endpoint; taking screenshots, monitoring keystrokes, stealing files; and replacing legitimate code with malware in the system processes.

"What made this an interesting APT is that it gave us a deep look into the malware: from the ways it defeats security measures, such as using 2-step installation and exploiting various Windows vulnerabilities, to trying to deceive security researchers once detected," Gottesman says. "It’s obvious that the malware’s authors invested heavily in this malware."

When Moker creates a new user with the stolen admin privileges, the victim has no idea because the attacker has cheated UAC. The attacker then further covers his tracks: "The new administrator user never visually appears on the login screen. During cleanup, this user is also deleted from the system," he says. "Apart from trying to remain stealthy, it looks like the threat actors were also looking at extending the malware’s longevity by placing many anti-research capabilities."
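The account lifecycle Gottesman describes (an administrator account created, used for remote control, then deleted during cleanup) leaves a trail in the Windows Security log even when the account is hidden from the login screen. The detector below is an added example, not enSilo's code and not a description of Moker's internals. It assumes Security events have been exported to records with the simplified fields shown; the event IDs are Windows' own (4720 user created, 4732 member added to a local group, 4624 logon with type 10 for RDP, 4726 user deleted), and the sample timeline is constructed.

```python
"""Short-lived administrator account detector over Windows Security events.

Added example, not enSilo's code. Assumes events have been exported as
records with the simplified fields below (the real events carry more).
Windows event IDs: 4720 user created, 4732 member added to a local group,
4624 logon (logon_type 10 = RemoteInteractive, i.e. RDP), 4726 user deleted.
The timeline is constructed for the illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = [  # constructed sample records
    # An account that is created, made administrator, used over RDP and
    # deleted the same night: the pattern the article describes.
    {"ts": "2015-10-07T21:02:11", "id": 4720, "target": "svchelper",
     "subject": "j.doe"},
    {"ts": "2015-10-07T21:02:12", "id": 4732, "target": "svchelper",
     "subject": "j.doe", "group": "Administrators"},
    {"ts": "2015-10-07T21:05:40", "id": 4624, "target": "svchelper",
     "subject": "-", "logon_type": 10},
    {"ts": "2015-10-08T02:14:03", "id": 4726, "target": "svchelper",
     "subject": "svchelper"},
    # A contractor account that is created and used but never deleted:
    # ordinary administration, not flagged.
    {"ts": "2015-10-07T09:00:00", "id": 4720, "target": "contractor01",
     "subject": "it.admin"},
    {"ts": "2015-10-07T09:30:00", "id": 4624, "target": "contractor01",
     "subject": "-", "logon_type": 10},
]


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def account_timelines(events: list) -> dict:
    """Group events by the account they concern, in time order."""
    by_account = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_account[e["target"]].append(e)
    return by_account


def short_lived_admin_accounts(events: list,
                               max_lifetime: timedelta = timedelta(hours=24)) -> list:
    """Flag accounts that were created and deleted within max_lifetime.

    For each such account the finding records who created it, whether it
    was added to Administrators and how many RDP logons it performed, which
    is what an analyst needs to tell cleanup of a one-off admin account from
    the create / remote-control / delete cycle described in the article.
    """
    findings = []
    for account, evs in account_timelines(events).items():
        created = next((e for e in evs if e["id"] == 4720), None)
        deleted = next((e for e in evs if e["id"] == 4726), None)
        if created is None or deleted is None:
            continue  # never deleted (or creation not in scope): not this pattern
        lifetime = parse_ts(deleted["ts"]) - parse_ts(created["ts"])
        if lifetime > max_lifetime:
            continue
        admin = any(e["id"] == 4732 and e.get("group") == "Administrators"
                    for e in evs)
        rdp = sum(1 for e in evs
                  if e["id"] == 4624 and e.get("logon_type") == 10)
        findings.append({
            "account": account,
            "created_by": created["subject"],
            "lifetime_hours": round(lifetime.total_seconds() / 3600, 2),
            "added_to_administrators": admin,
            "rdp_logons": rdp,
        })
    return findings


if __name__ == "__main__":
    for f in short_lived_admin_accounts(SAMPLE_EVENTS):
        print(f)
```

The heuristic deliberately keys on the deletion: an account that disappears hours after it was created and used remotely is unusual in most environments, and the "created_by" field points at the legitimate user whose session, or whose VPN credentials, were in play at the time.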

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
TejGandhi1986, User Rank: Apprentice, 10/9/2015 | 10:30:09 PM

Moker malware

It appears to be a quite sophisticated virus based on the operations it is able to perform. As system administrators or network administrators, "patching and updating" is a key ingredient to ensure that the vulnerabilities in the system are patched.