Exploiting Web-Based VPN for Remote Access
According to the security firm Volexity, attackers have been modifying web-based VPN login pages to steal employee credentials in order to access internal corporate resources, targeting organizations in the medical, think tank, higher education, electronics and manufacturing verticals.
Specifically, their blog addresses how attackers are targeting the Cisco Clientless SSL VPN enabled on Adaptive Security Appliance (ASA) devices. While users can log into company networks and resources via these Virtual Private Networks (VPNs), they can also be used by attackers for the same remote access.
Attackers appear to be leveraging a vulnerability in the Cisco Clientless SSL VPN portal, CVE-2014-3393, as far back as last November. This vulnerability could allow a remote attacker to modify the content of the portal’s page, letting them steal credentials, launch cross-site scripting (XSS) attacks, and many other types of attacks.
Why modification? Cisco’s VPN includes a feature that allows administrators to customize the look of the VPN portal page for their users, which they may want to do in order to follow the organization’s brand style guidelines. Designing a third-party app or login form to match your company’s design can cut down on user confusion.
To do this, admins can edit a customization template, which lets them use a text editor or XML editor to edit the XML file and add certain tags, such as those for different languages, background and font colors, body text, logos, etc.
Or, admins can use their own custom login screens by leveraging Cisco’s full customization feature, which lets them provide the HTML for their own login screen and insert Cisco HTML code to call on the login form function.
But as Volexity’s blog noted, Cisco released a notice early this year about the vulnerability, stating that attackers could leverage the customization feature to exploit the improper implementation of authentication checks in the Clientless SSL VPN portal customization framework.
When modified or customized, an admin can use a preview button available to view their changes, accessible via the web-based Cisco Adaptive Security Device Manager (ASDM), the interface admins use to manage Cisco appliances and modules. Once previewed, a unique identifier is created and used as a session cookie, as well as a folder on the system that contains the content of the customization.
Cisco provided updated software to address the vulnerability, but many vulnerable organizations were slow to update, and, by that time, attackers were already using the exploit in the wild, according to Volexity.
But some attackers did not need to use this known vulnerability in order to access the Cisco administrator settings and modify the pages - they were able to use legit credentials from organizations by deploying key loggers or data dumps, or just by guessing common admin passwords.
In the case of this specific Cisco exploit, Volexity explained that two-factor authentication would not have mitigated the risk involved in malicious code injection, as an attacker could potentially hijack a user’s auth attempt and then reuse the token to access their account, preventing the user from logging in.
The code could also be modified to steal session cookies after a user has authenticated in already - the attacker could leverage the same session as an active user.
However, they still recognize that “leveraging two-factor authentication on VPNs is a must for organizations.” If an attacker is attempting to steal login information, two-factor authentication can provide another layer of protection in order to secure VPNs and other applications. Learn more about in The Essential Guide to Securing Remote Access or our Two-Factor Authentication Evaluation Guide.