Cisco VPNs are currently being targeted by ransomware actors, including the groups known as Akira and LockBit, according to a security advisory by Cisco and new research conducted by Rapid7.
On August 24, Cisco disclosed the attacks against its VPNs through an advisory written by Omar Santos, who is the principal engineer of Cisco’s Product Security Incident Response Team. Santos stated that the Akira ransomware threat actors were specifically targeting Cisco VPNs that lacked multifactor authentication (MFA) configurations.
Although the advisory did not provide many technical details, Santos mentioned that the attackers most likely gained access to the VPNs through brute-forcing or by purchasing stolen credentials from the dark web. He also pointed out that in the reported attacks, logging was not properly configured, making it difficult to determine exactly how the Akira ransomware attackers were able to access the VPNs.
Additional technical insight into these attacks was provided by Rapid7, which was credited by Cisco for assisting in the investigation. In a research report published on Tuesday, Rapid7 revealed that they had been tracking ransomware attacks against Cisco Adaptive Security Appliance (ASA) SSL VPN devices since at least March. The security vendor observed adversaries conducting credential-stuffing and brute-force attacks against organizations that did not have fully enforced MFA configurations.
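Because the advisory notes that missing logging made the intrusions hard to reconstruct, the defensive counterpart to the credential-stuffing and brute-force activity described here is to collect ASA AAA syslog messages and watch for the two patterns: one source cycling through many usernames, or hammering a single account, and above all a successful login from a source that has already failed many times. The script below is an added example written for this article, not Cisco's or Rapid7's code: the message IDs are real ASA IDs, but the field layout is simplified and every host, user and address in the sample is constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines shaped like Cisco ASA AAA syslog messages (113015/113005 =
# rejected, 113004 = successful). Field layout simplified; all values are made up.
SAMPLE_LOGS = """\
%ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = test : user IP = 203.0.113.10
%ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = admin : user IP = 203.0.113.10
%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = vpnuser : user IP = 203.0.113.10
%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jsmith : user IP = 203.0.113.10
%ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = jsmith : user IP = 203.0.113.10
%ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = alice : user IP = 198.51.100.7
%ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = alice : user IP = 198.51.100.7
%ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = alice : user IP = 198.51.100.7
%ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = alice : user IP = 198.51.100.7
%ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = bob : user IP = 192.0.2.5
"""

AUTH_EVENT = re.compile(
    r"%ASA-\d-1130(?:04|05|12|15): AAA user authentication (?P<result>Rejected|Successful)"
    r" .*?user = (?P<user>\S+) : user IP = (?P<ip>\S+)"
)

def triage(lines, fail_threshold=4, user_spread=3):
    """Group rejections by source IP; flag spraying vs. single-account brute force, and any success after the threshold."""
    fails, users, success_after = defaultdict(int), defaultdict(set), defaultdict(set)
    for line in lines:
        m = AUTH_EVENT.search(line)
        if not m:
            continue  # unrelated syslog line
        ip, user = m["ip"], m["user"]
        if m["result"] == "Rejected":
            fails[ip] += 1
            users[ip].add(user)
        elif fails.get(ip, 0) >= fail_threshold:
            success_after[ip].add(user)  # login from an already-suspicious source: top priority
    findings = {}
    for ip, n in fails.items():
        if n >= fail_threshold:
            findings[ip] = {
                "pattern": "credential_stuffing" if len(users[ip]) >= user_spread else "brute_force",
                "failures": n,
                "users": sorted(users[ip]),
                "succeeded_as": sorted(success_after[ip]),
            }
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE_LOGS.splitlines()))
```

Sources below the failure threshold (192.0.2.5 in the sample) are left out so that a single mistyped password does not page anyone; tune the thresholds to the volume your VPN normally sees.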
Rapid7 stated that they had identified at least 11 customers who experienced intrusions related to Cisco ASA devices between March 30 and August 24, 2023. They found that the malicious activity originated from ASA appliances that were servicing SSL VPNs for remote users. Patch versions of the compromised appliances varied, indicating that there was no specific version that was more susceptible to exploitation.
Furthermore, Rapid7 reported that several of these incidents resulted in the deployment of ransomware by both the Akira and LockBit groups. Akira is a relatively new ransomware gang that was first identified in March 2023, while LockBit has been known as one of the major players in the ransomware landscape for some time.
During their investigation, Rapid7 monitored underground forums and Telegram channels for discussions related to the intrusions targeting Cisco ASA devices. Their threat intelligence teams discovered that a well-known initial access broker named “Bassterlord” was selling a guide for breaching corporate networks. Rapid7 managed to obtain a leaked copy of the guide, which included references to Cisco SSL VPNs.
Interestingly, the guide claimed that the author had compromised 4,865 Cisco SSL VPN services and 9,870 Fortinet VPN services using the username/password combination “test:test.” Rapid7 speculated that the timing of the dark web discussion and the increased threat activity they observed could be attributed to the manual’s instructions, which likely contributed to the rise in brute-force attacks targeting Cisco ASA VPNs.
TechTarget Editorial has reached out to Cisco for additional comments on the matter.
In conclusion, Cisco VPNs are currently under attack by ransomware actors, with the Akira and LockBit groups being the primary culprits. The attacks exploit VPNs that lack proper multifactor authentication and involve methods such as brute-forcing and purchasing stolen credentials. Rapid7’s research provides valuable insights into the nature of these attacks, including the involvement of a well-known initial access broker and the use of leaked guides to compromise corporate networks. As the situation continues to unfold, it is crucial for organizations to ensure the security of their VPNs and implement strong authentication measures to protect against these threats.