Researchers have identified a flaw in Cisco's WebVPN that attackers used, via two methods, to install backdoors on the service. The backdoor lets attackers steal corporate account passwords when employees log in to their accounts.
The procedure involved performing a standard XSS attack on the Logon.html page, the page where corporate users enter their username/password combinations.
This is the second major compromise of Cisco infrastructure in the past month: earlier, unknown attackers installed malicious firmware on Cisco routers via the SYNful Knock attack.
The bug was fixed in February 2015, but not all companies updated their services or equipment, so attackers kept exploiting the weakness, using JavaScript files loaded over HTTPS to install the backdoor.
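One defensive check that follows from the description above is to verify the served logon page itself: compare it against a known-good hash and flag any script tag that loads from a host outside an allow-list. The following Python is an added example, not code from the article, Volexity or Cisco; the sample pages, the portal hostname, the script paths and the `.invalid` hosting domain are constructed for illustration.

```python
"""Added example: detect injected script references on a VPN logon page.

The HTML samples, the allow-listed portal host and the file paths below are
constructed for illustration; they are not the real Cisco WebVPN page.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect external <script src=...> values and count inline <script> blocks."""

    def __init__(self):
        super().__init__()
        self.external = []      # src attribute of every <script src=...>
        self.inline_count = 0   # <script> blocks without a src attribute

    def handle_starttag(self, tag, attrs):
        if tag != "script":      # HTMLParser lowercases tag names for us
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self.inline_count += 1


def foreign_scripts(html, allowed_hosts):
    """Return script URLs whose host is not in allowed_hosts.

    Relative URLs (no host component) are served by the portal itself and are
    skipped; protocol-relative '//host/x.js' URLs are still checked.
    """
    parser = ScriptCollector()
    parser.feed(html)
    allowed = {h.lower() for h in allowed_hosts}
    return [src for src in parser.external
            if urlparse(src).netloc.lower() not in allowed
            and urlparse(src).netloc]


def baseline_hash(html):
    """SHA-256 of the page as served; store this when the portal is known clean."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


def page_changed(html, known_good_sha256):
    """True if the page no longer matches the stored known-good hash."""
    return baseline_hash(html) != known_good_sha256


# Constructed sample: a clean logon page loading only the portal's own script.
CLEAN_PAGE = (
    '<html><head><script src="/static/logon.js"></script></head>'
    '<body><form action="/logon" method="post">'
    '<input name="username"><input name="password" type="password">'
    '</form></body></html>'
)

# Constructed sample: the same page with an extra script pulled over HTTPS
# from an unrelated host, the pattern described in the article.
TAMPERED_PAGE = CLEAN_PAGE.replace(
    "</head>",
    '<script src="https://scripts-host.invalid/lib.js"></script></head>',
)

if __name__ == "__main__":
    known_good = baseline_hash(CLEAN_PAGE)
    for name, page in (("clean", CLEAN_PAGE), ("tampered", TAMPERED_PAGE)):
        print(name, "changed:", page_changed(page, known_good),
              "foreign scripts:", foreign_scripts(page, {"vpn.example.com"}))
```

Run it against the HTML actually returned by your portal (fetched the way a browser would, over HTTPS) on a schedule; a hash mismatch or any non-empty list of foreign script hosts is worth an immediate look, since the injected loader in this campaign was otherwise invisible to users.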
Volexity Researchers Explain the Issue:
This snippet was taken from a public script-sharing website. It was difficult to identify because the JS file was hidden cleanly behind an encrypted connection, being loaded via HTTPS.
This XSS-over-HTTPS method was presumably being used for the first time. The second method was somewhat more complex.
If attackers had already compromised the corporate network, they could easily have installed the backdoor through the WebVPN administrative interface, though this seems an unlikely scenario.
Volexity researchers observed that the backdoors were being easily and actively exploited.
According to the Volexity team, organizations in fields such as medicine, NGOs, electronics, manufacturing and academia have already been targeted.
They also note that two-factor authentication (2FA), if enabled, would normally add an extra layer of protection, but in this kind of attack it does not matter, because the attackers have already established an entry point into the system.
With 2FA enabled, the injected JS code would only need to be modified to hijack the session cookie or the 2FA token instead.