Since March 2023, there has been an increase in breaches of organizations through Cisco ASA SSL VPN appliances by affiliates of the Akira and LockBit ransomware operations. The attackers exploit weak or default passwords on VPN accounts and conduct targeted brute-force attacks against the VPN login.
Researchers at Rapid7 have been investigating these incidents and found that the compromised appliances were at different patch levels, which points to credential attacks rather than the exploitation of a single software vulnerability. The logs indicate that the attacks were automated: numerous failed login attempts arrived within milliseconds of each other. The usernames tried, such as “admin,” “kali,” “cisco,” “guest,” “test,” and “security,” are generic defaults and test accounts, which is characteristic of brute-forcing rather than of a user mistyping a password.
Some of the usernames used in the login attempts, however, belonged to actual domain users. This raises the possibility that those credentials were compromised in earlier attacks and sold on the dark web. Rapid7 researchers also came across a manual, sold on underground forums by a well-known initial access broker in early 2023, whose author claims to have compromised thousands of Cisco SSL VPN services and Fortinet VPN services using the username/password combination “test:test.” The appearance of this manual coincides with the increase in brute-force attacks targeting Cisco ASA VPNs.
In response to these incidents, Cisco and Rapid7 have provided advice for organizations to better protect their VPN devices. They recommend enforcing multi-factor authentication (MFA) for every VPN user and enabling logging on the appliances, ideally forwarded to a central syslog collector, so that authentication failures can be reviewed. Rapid7 researchers highlight that nearly 40% of all incidents their managed services teams responded to in the first half of 2023 resulted from a lack of MFA on VPNs or virtual desktop infrastructure.
The Arctic Wolf Incident Response (IR) team also noticed a similar pattern in July 2023 while responding to multiple Akira ransomware intrusions. They discovered that the majority of victim organizations did not have MFA enabled on their VPNs. These findings further emphasize the importance of implementing MFA as a security measure.
Furthermore, organizations are advised to disable default accounts, reset default passwords, promptly patch appliances, and monitor logs for patterns in failed authentication attempts: bursts of rejections from one source address, generic or default usernames, and inter-attempt timing too fast for a human. Tracking the tactics, techniques, and procedures (TTPs) attackers use lets defenders turn these patterns into detections before a brute-forced account is used for lateral movement.
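As an added illustration of the log-monitoring step above and of the brute-force pattern described earlier (this is example code written for this page, not Rapid7's or Cisco's tooling), the following Python detector runs over constructed ASA-style authentication-rejection syslog lines. It assumes message IDs 113005 and 113015 with the field layout encoded in the regex, and ISO timestamps with millisecond precision as a syslog collector would stamp them; the thresholds, the host name, the IP addresses and the usernames in the sample data are all made up, and the regex should be checked against your own appliance's output before use.

```python
"""Flag brute-force patterns in Cisco ASA authentication-rejection syslog lines.

Example code for illustration; the log format below is an assumption modelled on
ASA message IDs 113005 (AAA server reject) and 113015 (local database reject).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed layout: "<iso-timestamp> <host> %ASA-6-1130xx: AAA user authentication
# Rejected : reason = ... : user = <name> : user IP = <addr>". Adjust for your deployment.
REJECT_RE = re.compile(
    r"^(?P<ts>\S+) \S+ %ASA-6-1130(?:05|15): AAA user authentication Rejected"
    r".*?user = (?P<user>\S+) : user IP = (?P<ip>\S+)"
)

# Generic usernames seen in the brute-force attempts described in the article.
GENERIC_USERS = {"admin", "kali", "cisco", "guest", "test", "security"}

# Constructed sample log lines (not real appliance output).
SAMPLE_LOGS = [
    "2023-07-10T08:00:00.000 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = admin : user IP = 203.0.113.7",
    "2023-07-10T08:00:00.012 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = cisco : user IP = 203.0.113.7",
    "2023-07-10T08:00:00.025 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = test : user IP = 203.0.113.7",
    "2023-07-10T08:00:00.041 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = guest : user IP = 203.0.113.7",
    "2023-07-10T08:00:00.058 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = kali : user IP = 203.0.113.7",
    "2023-07-10T08:00:00.071 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = security : user IP = 203.0.113.7",
    # A real domain account tried from the same source, a few seconds later.
    "2023-07-10T08:00:03.500 asa1 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = jsmith : user IP = 203.0.113.7",
    # A single failure from another address: a typo, not an attack.
    "2023-07-10T08:05:12.000 asa1 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = jsmith : user IP = 198.51.100.20",
    # Successful login: a different message ID, ignored by the parser.
    "2023-07-10T08:05:13.000 asa1 %ASA-6-113012: AAA user authentication Successful : local database : user = jsmith",
]


def parse_rejects(lines):
    """Return (timestamp, username, source_ip) for every rejection line, in time order."""
    events = []
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["ip"]))
    events.sort()
    return events


def detect_bruteforce(lines, window=timedelta(seconds=60), threshold=5, max_gap_ms=100):
    """Return findings keyed by source IP.

    A source is flagged when it produces `threshold` or more rejections inside any
    `window` (sliding), when two consecutive attempts arrive within `max_gap_ms`
    (faster than a human types a password, so almost certainly automated), or when
    it tries any of the generic usernames. Thresholds are illustrative.
    """
    by_ip = defaultdict(list)
    for ts, user, ip in parse_rejects(lines):
        by_ip[ip].append((ts, user))

    findings = {}
    for ip, attempts in by_ip.items():
        times = [t for t, _ in attempts]
        users = [u for _, u in attempts]

        # Sliding window: largest number of rejections inside any `window`.
        peak, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)

        # Integer milliseconds between consecutive attempts (timedelta // timedelta -> int).
        gaps_ms = [(times[i] - times[i - 1]) // timedelta(milliseconds=1) for i in range(1, len(times))]
        fastest_ms = min(gaps_ms, default=None)
        automated = fastest_ms is not None and fastest_ms <= max_gap_ms
        generic = sorted(set(users) & GENERIC_USERS)

        if peak >= threshold or automated or generic:
            findings[ip] = {
                "attempts": len(attempts),
                "peak_in_window": peak,
                "fastest_gap_ms": fastest_ms,
                "automated": automated,
                "generic_usernames": generic,
                "distinct_users": len(set(users)),
            }
    return findings


if __name__ == "__main__":
    for ip, f in detect_bruteforce(SAMPLE_LOGS).items():
        print(ip, f)
```

The per-source sliding window catches the volume pattern, the minimum inter-attempt gap catches automation even at low volume, and the generic-username watchlist catches a single probe with "test" or "admin" before any threshold is reached. In the sample data only 203.0.113.7 is flagged; the lone failure for jsmith from 198.51.100.20 stays below every trigger, which is the behaviour you want to avoid paging on ordinary typos.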
In conclusion, the compromise of organizations through Cisco ASA SSL VPN appliances by Akira and LockBit affiliates has been a concerning trend since March 2023. Because the intrusions rely on weak or reused passwords and automated brute-forcing rather than on a software vulnerability, patching alone does not close the door; enforcing MFA on every VPN account, removing default credentials, and monitoring authentication logs are the measures that do. Organizations that follow the recommendations from Cisco and Rapid7 substantially reduce their exposure to this campaign.

