Hackers Compromise Cisco Web

 

Cisco is being targeted by attackers looking for a permanent way into the computer networks and systems of various organizations, Volexity researchers warn.

"The Cisco Clientless SSL VPN (Web VPN) is a web-based portal that can be enabled on an organization’s Cisco Adaptive Security Appliance (ASA) devices," the researchers explained. "Once a user is authenticated to the Web VPN, based on the permissions the user has, they may be able to access internal web resources, browse internal file shares, and launch plug-ins that allow them into internal resources."
 
The attackers are either leveraging a vulnerability in the product, or managing to gain administrator access in other ways, but the end goal is the same: to implant JavaScript code on the login pages to the VPN in order to harvest employee credentials.

The aforementioned vulnerability (CVE-2014-3393) has been patched over a year ago. Nevertheless, organizations have been slow in implementing the fix, and attackers are taking advantage of the flaw.

The malicious, data stealing JavaScript injected in the Cisco Web VPN login page of targeted organizations is usually hosted on legitimate but compromised sites, and is "pulled" from them each time the portal is accessed by a user.

According to the researchers, spotted attacks were made against medical and academic institutions, electronics/manufacturing businesses, as well as think tanks, NGOs, and governments.

"Volexity knows it is 100% possible and surmises it may be likely in some cases that the attackers leveraged credentialed administrative access to a Cisco ASA appliance in order to modify the login page," the researchers noted, and explained that this can be done via the Cisco Adaptive Security Device Manager (ASDM), a Java administrative interface for Cisco firewalls that can be accessed via a web browser. 

"Access to the devices ASDM should be restricted through access control lists (ACLs) as tightly as possible. At minimum, this is not an interface that should be open to the Internet. Attackers that are able to access this interface by having access to a victim’s environment or due to an ACL misconfiguration can easily modify code that is loaded via the Cisco Web VPN login page," they noted.

Unfortunately, two-factor authentication would not help prevent this particular attack, as the attackers could easily modify the code of the login page in order to steal session cookies (amazingly enough, Cisco Web VPN does not disconnect one of two users with the same authenticated session), or steal and reuse the authentication token.

As this type of attack against network devices is difficult to spot with the usual security tools and measures, administrators would do well to make sure to often check networking gear for indicators of compromise.

Less than a month ago FireEye researchers discovered malicious router implants on Cisco routers around the world, opening a permanent entry point into target networks.

"Firewalls, network devices, and anything else an attacker might be able to gain access to should be scrutinized just as much as any workstation or server within an organization," the researchers commented.
Net-Security: http://bit.ly/1Mm6K6k

 

« Germany Will Make Telecoms Companies Disclose Data To Police.
The Arrival of Algorithmic Business »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

City Security Magazine

City Security Magazine

City Security magazine helps promote best security practices and keep businesses informed on a wide variety of security-related issues.

Luxar Tech

Luxar Tech

Luxar's network visibility products enable enterprises and service providers to monitor network traffic, improve security and optimize efficiency.

SynerComm

SynerComm

SynerComm is an IT solution provider specializing in network and security infrastructure, enterprise mobility, remote access, wireless solutions, audit, pentesting and information assurance.

AimBrain

AimBrain

AimBrain tools detect and prevent fraud, faster and more accurately than ever before.

IoT M2M Council (IMC)

IoT M2M Council (IMC)

The IMC is the largest and fastest-growing trade organisation in the IoT/M2M sector.

Panorays

Panorays

Panorays automates third-party security lifecycle management. It is a SaaS-based platform, with no installation needed.

FifthDomain

FifthDomain

We are a specialist cyber security education and training company tackling the global cyber security skills shortage.

BlackCloak

BlackCloak

BlackCloak provides Concierge Cyber Security for high-net-worth individuals and corporate executives to protect them from cybercrime, reputational risks, hacking and identity theft.

NuID

NuID

NuID is a pioneer in trustless authentication and decentralized digital identity.

OwnZap Infosec

OwnZap Infosec

OwnZap Infosec aims to digitally shield the cyberspace by offering services like Penetration Testing and Red Teaming, Infrastructure Security Testing, and Vulnerability Assessments.

Silicon Labs

Silicon Labs

Silicon Labs are a leader in secure, intelligent wireless technology for a more connected world. We provide award-winning hardware and software security to help safeguard connected devices.

Allentis

Allentis

Allentis provide adapted solutions to ensure the security and performance of your information system.

Iconium Software

Iconium Software

DataLenz by Iconium offers continuous and real-time tracking of your data assets delivering you the tools you need to successfully reach and maintain your target security standards.

Secora Consulting

Secora Consulting

Secora Consulting is a professional services company specialising in tailored cybersecurity assessments and cyber advisory services.

FusionAuth

FusionAuth

FusionAuth is the customer authentication and authorization platform that makes developers' lives awesome.

Thoropass

Thoropass

Thoropass (formerly Laika) helps you get and stay compliant with smart software and expert services.