October 3, 2023

Hackers have targeted Cisco Adaptive Security Appliance (ASA) SSL VPNs using a combination of brute-force attacks and credential stuffing. Since March 2023, affiliates of the Akira and LockBit ransomware operations have been breaching organizations this way.

These attacks have exploited security weaknesses, particularly the absence of robust MFA. The incidents have raised concerns about the security of remote network access for organizations worldwide.

There has been a significant surge in threats directed at Cisco ASA SSL VPN devices, both physical and virtual appliances. Threat actors have predominantly exploited weak passwords, running targeted brute-force attacks against ASA appliances that lack MFA. These compromises have resulted in a series of incidents marked by ransomware deployment by several groups, including Akira and LockBit.


Rapid7’s incident responders have investigated eleven incidents involving Cisco ASA-related intrusions and found that:

  • Compromised appliances were at different patch levels
  • Logs point to automated attacks (many failed login attempts occurring within milliseconds of one another)
  • Usernames used in those attempts – admin, kali, cisco, guest, test, security, etc. – point to brute forcing

In several cases, the usernames in the login attempts belonged to actual domain users. It is also possible that those credentials were compromised in earlier attacks and sold on the dark web.

The researchers also analyzed a manual posted on underground forums in early 2023 by a well-known initial access broker, who claims to have compromised 4,865 Cisco SSL VPN services and 9,870 Fortinet VPN services using the username/password combination test:test.

Researchers observed that attackers often connected from a Windows device with the name ‘WIN-R84DEUE96RB’ and frequently used IP addresses 176.124.201[.]200 and 162.35.92[.]242.


As these attacks demonstrate, weak or default credentials are commonly exploited, underscoring the importance of stringent MFA enforcement in corporate networks. Admins and security teams should prioritize securing their VPN systems against these evolving threats.

Several mitigations address these weaknesses:

  • Disable Defaults: Deactivate default accounts and passwords to thwart brute-force attempts.
  • Enforce MFA: Ensure strong MFA enforcement for all VPN users.
  • Enable Logging: Activate logging for VPNs to aid in attack analysis.
  • Monitor for Anomalies: Regularly review VPN logs for unusual authentication activities.
  • Stay Patched: Keep VPN, VDI, and gateway devices updated with the latest patches.
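The "Enable Logging" and "Monitor for Anomalies" steps above, together with the Rapid7 finding that failed logins arrived within milliseconds of one another using generic usernames, translate directly into a detection rule. The script below is an added example written for this article, not code from Rapid7 or Cisco: it parses constructed syslog lines shaped like the Cisco ASA `%ASA-6-113005` AAA rejection message (host name, server IP, timestamps and the benign source IP are made up; the attacker IP is the one named above), groups failures by source IP, and flags sources that show rapid-fire bursts, many distinct usernames, or the generic usernames listed earlier. Thresholds and the exact timestamp format are assumptions to tune for your own logging pipeline.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the shape of Cisco ASA %ASA-6-113005 (AAA
# authentication rejected) syslog messages. Timestamps, host name, AAA server
# and the 203.0.113.10 source are invented; 176.124.201.200 is from the article.
SAMPLE_LOGS = """\
2023-10-03T10:15:01.120Z fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = admin : user IP = 176.124.201.200
2023-10-03T10:15:01.133Z fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = kali : user IP = 176.124.201.200
2023-10-03T10:15:01.141Z fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = cisco : user IP = 176.124.201.200
2023-10-03T10:15:01.158Z fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = guest : user IP = 176.124.201.200
2023-10-03T10:15:01.170Z fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = test : user IP = 176.124.201.200
2023-10-03T10:15:01.185Z fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = security : user IP = 176.124.201.200
2023-10-03T10:15:02.004Z fw01 %ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = jsmith
2023-10-03T10:16:10.500Z fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jsmith : user IP = 203.0.113.10
2023-10-03T10:16:41.900Z fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jsmith : user IP = 203.0.113.10
"""

# Generic usernames Rapid7 saw in the brute-force attempts described above.
GENERIC_USERNAMES = {"admin", "kali", "cisco", "guest", "test", "security"}

# Only rejection messages (ID 113005) are parsed; everything else is skipped.
REJECT_RE = re.compile(
    r"^(?P<ts>\S+) \S+ %ASA-\d-113005: AAA user authentication Rejected"
    r".*?: user = (?P<user>\S+) : user IP = (?P<ip>\S+)$"
)


def parse_failures(text):
    """Return (timestamp, username, source_ip) for every AAA rejection line."""
    events = []
    for line in text.splitlines():
        m = REJECT_RE.match(line)
        if not m:
            continue
        # Assumed timestamp format: RFC 3339 with a trailing Z.
        ts = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
        events.append((ts, m.group("user"), m.group("ip")))
    return events


def max_burst(times, window):
    """Largest number of events that fall inside any sliding window."""
    times = sorted(times)
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def min_gap_ms(times):
    """Smallest gap between consecutive events, in whole milliseconds."""
    times = sorted(times)
    gaps = [(b - a) // timedelta(milliseconds=1) for a, b in zip(times, times[1:])]
    return min(gaps) if gaps else None


def analyse(events, window=timedelta(seconds=1), burst_threshold=5, user_threshold=3):
    """Score each source IP; thresholds are assumptions, tune them per site."""
    per_ip = defaultdict(list)
    for ts, user, ip in events:
        per_ip[ip].append((ts, user))

    report = {}
    for ip, items in per_ip.items():
        times = [t for t, _ in items]
        users = sorted({u for _, u in items})
        burst = max_burst(times, window)
        flags = []
        if burst >= burst_threshold:
            flags.append("rapid-fire failures")        # automation, not a typing human
        if len(users) >= user_threshold:
            flags.append("username spraying")          # one source, many accounts
        generic = sorted(set(users) & GENERIC_USERNAMES)
        if generic:
            flags.append("generic usernames: " + ", ".join(generic))
        report[ip] = {
            "attempts": len(items),
            "distinct_users": len(users),
            "max_burst": burst,
            "min_gap_ms": min_gap_ms(times),
            "flags": flags,
        }
    return report


if __name__ == "__main__":
    for ip, info in analyse(parse_failures(SAMPLE_LOGS)).items():
        status = "SUSPICIOUS" if info["flags"] else "ok"
        print(f"{ip:16} {status:10} {info}")
```

A single mistyped password from a real user (the 203.0.113.10 lines, thirty seconds apart) produces no flags, while the attacker source trips all three checks: six failures inside one second with an 8 ms minimum gap, six distinct accounts, and every one of them a generic name. In production the same logic runs over a SIEM export or a syslog feed, and a source that trips the burst or spraying check is a candidate for blocking at the VPN edge and for checking whether any of the attempted usernames are real domain accounts.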
