Hackers Compromise Cisco Web

Uploaded on 2015-10-28 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

 

Cisco is being targeted by attackers looking for a permanent way into the computer networks and systems of various organizations, Volexity researchers warn.

"The Cisco Clientless SSL VPN (Web VPN) is a web-based portal that can be enabled on an organization’s Cisco Adaptive Security Appliance (ASA) devices," the researchers explained. "Once a user is authenticated to the Web VPN, based on the permissions the user has, they may be able to access internal web resources, browse internal file shares, and launch plug-ins that allow them into internal resources."
 
The attackers are either leveraging a vulnerability in the product, or managing to gain administrator access in other ways, but the end goal is the same: to implant JavaScript code on the login pages to the VPN in order to harvest employee credentials.

The aforementioned vulnerability (CVE-2014-3393) has been patched over a year ago. Nevertheless, organizations have been slow in implementing the fix, and attackers are taking advantage of the flaw.

The malicious, data stealing JavaScript injected in the Cisco Web VPN login page of targeted organizations is usually hosted on legitimate but compromised sites, and is "pulled" from them each time the portal is accessed by a user.

According to the researchers, spotted attacks were made against medical and academic institutions, electronics/manufacturing businesses, as well as think tanks, NGOs, and governments.

"Volexity knows it is 100% possible and surmises it may be likely in some cases that the attackers leveraged credentialed administrative access to a Cisco ASA appliance in order to modify the login page," the researchers noted, and explained that this can be done via the Cisco Adaptive Security Device Manager (ASDM), a Java administrative interface for Cisco firewalls that can be accessed via a web browser. 

"Access to the devices ASDM should be restricted through access control lists (ACLs) as tightly as possible. At minimum, this is not an interface that should be open to the Internet. Attackers that are able to access this interface by having access to a victim’s environment or due to an ACL misconfiguration can easily modify code that is loaded via the Cisco Web VPN login page," they noted.

Unfortunately, two-factor authentication would not help prevent this particular attack, as the attackers could easily modify the code of the login page in order to steal session cookies (amazingly enough, Cisco Web VPN does not disconnect one of two users with the same authenticated session), or steal and reuse the authentication token.

As this type of attack against network devices is difficult to spot with the usual security tools and measures, administrators would do well to make sure to often check networking gear for indicators of compromise.

Less than a month ago FireEye researchers discovered malicious router implants on Cisco routers around the world, opening a permanent entry point into target networks.

"Firewalls, network devices, and anything else an attacker might be able to gain access to should be scrutinized just as much as any workstation or server within an organization," the researchers commented.
Net-Security: http://bit.ly/1Mm6K6k

 

« Germany Will Make Telecoms Companies Disclose Data To Police.
The Arrival of Algorithmic Business »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

DCL Search & Select

DCL Search & Select

DCL Search & Selection connect candidates to the best companies in the IT Security, Telco, UC, Outsourcing, ERP, Audit & Control markets.

Nuix

Nuix

Nuix specialise in extracting knowledge from unstructured data. Applications include Digital Forensics, Cybersecurity Intelligence, Information Governance, eDiscovery.

PrimaTech

PrimaTech

PrimaTech provide process safety, cyber and process security, and risk management consulting, training and software for the process industries.

Visual Guard

Visual Guard

Visual Guard is a modular solution covering most application security requirements, from application-level security systems to Corporate Identity and Access Management Solutions.

NT Cyfence

NT Cyfence

CAT Cyfence is the IT Security services business unit of CAT Telecoms.

macmon secure

macmon secure

macmon secure develops network security software, focussing on Network Access Control.

Carbonite

Carbonite

Carbonite offers all the tools necessary for protecting data from the most common forms of data loss, including ransomware, accidental deletions, hardware failures and natural disasters.

Digi International

Digi International

Digi is a leading global provider of mission-critical and business-critical machine-to-machine (M2M) and Internet of Things (IoT) connectivity products and services.

BLUECYFORCE

BLUECYFORCE

BLUECYFORCE is the leading professional training and cyber defense training organization in France.

UKsec: Virtual Cyber Security Summit

UKsec: Virtual Cyber Security Summit

Join 100s of UK Cyber Security Leaders Online for Expert Cyber Security Talks, Strategy Insights, Cyber Resilience Tips and More.

Center for Infrastructure Assurance and Security (CIAS)

Center for Infrastructure Assurance and Security (CIAS)

CIAS is developing the world's foremost center for multidisciplinary education and development of operational capabilities in the areas of infrastructure assurance and security.

Axur

Axur

Discover and eliminate digital fraud and risks on the web. Utilize Axur’s entire AI potential, along with thousands of bots dispersed throughout the surface web as well as the deep and dark web.

Orbis Cyber Security

Orbis Cyber Security

Orbis is one of the leading cybersecurity company in USA. Our cybersecurity specialist defends your data, combat threat, and modernize your compliance.

Computer Futures

Computer Futures

Computer Futures are a global specialist IT recruitment partner, matching candidates with roles across niche IT markets and core technologies.

Point Wild

Point Wild

Point Wild is a holding company that acquires, integrates and manages a diverse portfolio of best-in-class cybersecurity brands for consumers and enterprises.

Claratti

Claratti

Clarrati are a team of innovators. Industry leaders in the cloud computing, remote working, and work-from-home space. We partner with you to empower your business for the future.