Hi, it’s Shusei Tomonaga again from the Analysis Center. JPCERT/CC has confirmed several attack cases around May 2015, which attempt to steal information of computers leveraging specific network devices featuring VPN server functions. The target of the reconnaissance varies from installed software to keylogs, and it is presumed that the attacker has aimed to steal such information from computers which attempt to login to VPN servers through altered login pages. In this post, I’d like to introduce the details of the attack and effective countermeasures you may take.
OVERVIEW OF ATTACK
ALTERED VPN SERVER LOGIN PAGES
Through our analysis, we confirmed that login pages of specific network devices with VPN server functions were altered in several cases. As of now, we have not been able to specify the method of alteration, but there is possibility that a network device vulnerability was leveraged.
The altered login page was embedded with a script tag as shown in Figure 2. When the user accesses the Web SSL VPN login page via the browser, the user is unknowingly entrapped into the Scanbox due to this script.
Table 1 lists Scanbox’s information collection function which we confirmed in this attack.
|1||Software Scan||Information of installed software (anti-virus software, Windows patch, etc.)|
|2||Flash Scan||Adobe Flash Player versions|
|3||Office Scan||Microsoft Office versions|
|4||Adobe reader scan||Adobe Reader installation status|
|5||FireFox Extentions scan||Firefox and plugin installation status|
|6||Java scan||Java versions|
|7||IP scan||IP address information (function for Chrome)|
|8||Keylogs||Keystrokes within the browser (sent every 5 seconds)|
|9||Ip list||IP address information HTTP_X_FORWARDED_FOR|
|10||Drives scan||Drive information|
Furthermore, Scanbox has a Web interface for the attacker to analyze the collected information. As shown in Figure 3, the collected information can be browsed on the Website. Information collected by Scanbox can also be customized from the Website as shown in Figure 4.
As of now, the method of the VPN server login page alteration is unknown. However, we presume that there is high possibility that a known vulnerability was leveraged, so we recommend users to apply patches and update firmware. We also recommend users to check if there are any scripts that are unintentionally embedded in the login pages.
Although attacks using Scanbox do not involve malware infection, it needs caution as it steals computer information and information entered in the browser. There is possibility that the attacker is planning for the next phase of attack based on the collected information, therefore, it is necessary to endeavor to detect the attack in an early stage, as well as to keep a close watch over the attacker’s next move and to strengthen protection against it.
Thank you for reading and see you again.
- Shusei Tomonaga
 AlienVault - Scanbox: A Reconnaissance Framework Used with Watering Hole Attacks