Hackers have begun infecting a widely used virtual private network (VPN) product sold by Cisco Systems, installing backdoors on the product to steal the usernames and passwords that customers use to log in to their networks, security researchers reported.
A researcher from security firm Volexity reported that he was currently aware of about a dozen attacks that had successfully infected Cisco’s Clientless SSL VPN, but suspects the number to be much higher. The attacks appear to be carried out by numerous hackers abusing two main entry points. Once hackers gain backdoor access, they can operate silently for months and steal sensitive credentials stored on, and transferred through, the network.
Cisco’s Clientless SSL VPN is a product that works with Cisco’s Adaptive Security Appliance. Once users have authenticated themselves on the network, the web-based VPN allows employees to access internal files and launch plug-ins that give them access to other internal resources through Telnet, SSH or other network protocols.
“This is certainly not a resource to which you want an attacker to gain access,” Volexity researchers wrote in a blog post published Wednesday. “Unfortunately, Volexity has found that several organizations are silently being victimized through this very login page.”
These reports come just a month after researchers from another security firm detected active and highly stealthy attacks abusing Cisco routers. Backdoors had been implanted on at least 79 routers spanning 19 countries, 25 of which were hosted in the USA.
Volexity researchers said the backdoor can be installed through at least two different entry points. The first is a critical vulnerability in the Clientless SSL VPN that Cisco patched over a year ago. The attackers’ other point of entry relies on gaining administrator access on the machine and abusing it to drop malicious code.
A Cisco spokesperson said company officials are aware of the issue Volexity reported and thanked its researchers for bringing awareness to the patches Cisco released 12 months ago. The Cisco official said that customers can best protect themselves from such threats by following firewall best practices.
Volexity researchers released several suggestions for detecting and removing the backdoors and VPN infections. Since the backdoors easily evade antivirus software, intrusion prevention systems and other security measures should be put in place, and administrators should routinely check for signs of compromise.
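As an added illustration of the kind of routine check the last paragraph calls for (this is not Volexity's or Cisco's tooling; the login-page markup, the paths and the tampered sample page are all constructed placeholders): a baseline comparison of the login page an appliance serves, which flags newly injected script references and a login form that now posts somewhere else, two changes that would let a tampered login page siphon credentials.

```python
"""Integrity check for a web VPN login page against a known-good baseline.
Added example, not Volexity's or Cisco's code; sample markup is constructed."""
import hashlib
from html.parser import HTMLParser

# Constructed known-good copy of a login page (placeholder paths, not Cisco's markup).
BASELINE_HTML = """<html><head><title>SSL VPN Service</title>
<script src="/static/logon.js"></script></head>
<body><form method="post" action="/login">
<input name="username"><input type="password" name="password">
</form></body></html>"""

# Constructed tampered copy: an extra external script, an inline script and a
# login form that now submits to a foreign host.
TAMPERED_HTML = BASELINE_HTML.replace(
    "</head>",
    '<script src="//cdn.example.invalid/a.js"></script><script>var x=1</script></head>',
).replace('action="/login"', 'action="//cdn.example.invalid/login"')


class _Scan(HTMLParser):
    """Collect external script sources, inline script count and form actions."""
    def __init__(self):
        super().__init__()
        self.script_srcs, self.inline_scripts, self.form_actions = [], 0, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self.script_srcs.append(a["src"])
            else:
                self.inline_scripts += 1
        elif tag == "form":
            self.form_actions.append(a.get("action") or "")


def scan(html):
    p = _Scan()
    p.feed(html)
    return p


def page_hash(html):
    """SHA-256 of the served page, the cheapest 'has anything changed' signal."""
    return hashlib.sha256(html.encode()).hexdigest()


def check_login_page(baseline, observed):
    """Compare the observed page to the baseline and return the findings."""
    b, o = scan(baseline), scan(observed)
    return {
        "changed": page_hash(baseline) != page_hash(observed),
        "new_script_srcs": sorted(set(o.script_srcs) - set(b.script_srcs)),
        "new_inline_scripts": max(0, o.inline_scripts - b.inline_scripts),
        "form_action_changed": o.form_actions != b.form_actions,
    }


if __name__ == "__main__":
    for finding, value in check_login_page(BASELINE_HTML, TAMPERED_HTML).items():
        print(f"{finding}: {value}")
```

In practice the baseline is captured right after the appliance is patched and the comparison is run on a schedule against the page fetched from the VPN's public address; any hit is a reason to pull the appliance for a closer look rather than proof of compromise on its own.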