The backdoor was being loaded via a hidden XSS attack

Oct 9, 2015 08:18 GMT  ·  By

Cisco's Web-based VPN service has been dealt a heavy blow by security researchers at Volexity which found at least two methods through which hackers installed backdoors on the service, stealing corporate accounts passwords as employees were logging into their accounts.

The backdoors were loaded through different snippets of JavaScript code loaded on Cisco's ASA WebVPN service, performing a simple XSS attack on the logon.html page, right where corporate users were entering their username and password combos.

Attackers are exploiting the CVE-2014-3393 vulnerability to load these JavaScript snippets, and then they were modifying the login page so they could record what users typed in the login fields.

This bug was fixed in February 2015, but as we all know, not all companies like to update their services / equipment, so the hackers have exploited it long since after.

The backdoor was being installed via HTTPS-protected JS files

As Volexity researchers explain, the JavaScript snippet loaded to perform the XSS and record the login credentials wasn't even that complicated, being taken from a public scripts-sharing site on the Internet. What made it difficult to detect was the fact that the JS file was masked through an encrypted connection, being loaded through HTTPS.

The XSS via the HTTPS method was the first observed method. The second was more complex, but Volexity researchers also say that if attackers had compromised the corporate network, they would have also been able to install the backdoor through the WebVPN administrative interface. This is possible, but is a more far-fetched scenario.

As the security vendor noticed, the backdoors are actively being exploited and the researchers observed some instances where a company's WebVPN was infected in as early as November 2014.

Organizations in the medical, NGO, electronics, manufacturing and academic fields have been affected by this infection, Veloxity researchers reveal.

Two-Factor Authentication would not help in this case

While in most similar attacks enabling 2FA (Two-Factor Authentication) would add an extra layer of protection, Volexity explains that in this type of attack, it would not have mattered.

This is because of the entry point the attackers had in the system. If 2FA was enabled, attackers only had to modify their JS code to perform a session cookie hijacking instead, or by hijacking the 2FA token itself.

This is the second major exploitation of Cisco's infrastructure in the past month, after unknown hackers implanted malicious firmware on a series of Cisco routers using an attack known as SYNful Knock.

This is certainly not a resource you want an attacker to gain access to

Cisco WebVPN login page
Cisco WebVPN login page

Photo Gallery (2 Images)

Backdoor in Cisco WebVPN allows hackers to steal passwords
Cisco WebVPN login page
Open gallery