Once an employee is authenticated,
Clientless SSL VPNs allows him/her to access internal web resources, browse internal file shares, and launch plug-ins, which let them access internal web resources through telnet, SSH, or similar network protocols.
The backdoor contains malicious JavaScript code that attackers used to inject into the login pages. Once injected, the backdoor is hard to detect because the malicious JavaScript is hosted on an external compromised website and accessed only via secure HTTPS connections.
"Unfortunately, Volexity has found that [many] organizations are silently being victimized through this very login page," Volexity wrote in a blog post published Wednesday. "This begs the question: How are the attackers managing to pull this off?"
Methods to Install Backdoor
According to researchers, the backdoor is installed through two different entry points:
- An exploit that relies on a critical flaw (CVE-2014-3393) in the Clientless SSL VPN that Cisco patched more than 12 months ago.
- Hackers gaining administrative access and using it to load the malicious code.
Infected Targets
Volexity observed this new campaign successfully infected the following organisations:
- Medical Think Tank
- Universities, NGOs and Academic Institutions
- Multinational Electronics manufacturers
- Non-governmental organizations
In response to the issue, a Cisco spokesperson released a statement saying that the company is aware of the Volexity report and that it released the patches last year.
Cisco customers can also protect themselves against such threats by following
Firewall best practices, the official added.
You can head on to Volexity official
blog post, where the company has provided full technical details about the attack, along with suggestions for detecting and removing the VPN infections.
Post a Comment
Click to see the code!
To insert emoticon you must added at least one space before the code.