Virtual private network (VPN) connections can provide a false sense of security, and two separate and newly discovered attack campaigns exploiting the much-vaunted corporate channel serve as a wakeup call for how attackers can abuse and use VPNs.
Researchers at Volexity have witnessed attackers going after the corporate VPN by altering the login pages to Cisco Systems' Web-based VPN, Clientless SSL VPNs via JavaScript code injected into the login pages in order to pilfer corporate user credentials at the VPN login phase. It's all in the name of the "P" in APT: "persistence."
Meanwhile, enSilo researchers spotted a cyber espionage attack using a remote access Trojan (RAT) that among other things allows an attacker to log into a machine it infects using the user's legitimate credentials. The so-called Moker RAT disables and sneaks past antivirus, sandboxes, and virtual machine-based tools, as well as Microsoft Windows' User Access Control (UAC) feature.
Moker, which attaches itself to the Windows operating system and poses as a legitimate OS process, can be used by the attacker to operate "locally," according to enSilo. "Consider a scenario where the attacker logs on to the infected machine using the VPN credentials of a legitimate user. In that case, the attacker connects to the machine from remote – but locally controls Moker," says Yotam Gottesman, a senior security researcher at enSilo. "The attacker can then perform all the cyber espionage activities one imagines a RAT doing such keylogging, taking screenshots, monitoring Web traffic – and even altering it."
Read the rest of the article at Dark Reading.