Hacking campaign bruteforces Cisco VPNs to breach networks
Cybercriminals have set their sights on Cisco Adaptive Security Appliance (ASA) SSL VPNs, launching credential-stuffing and brute-force attacks that take advantage of weak or default credentials and, above all, the absence of enforced multi-factor authentication (MFA). Missing MFA is a configuration weakness rather than a software vulnerability, but it is what lets a guessed password turn into network access.
In a recent development, the Akira ransomware gang gained initial network access by breaching Cisco VPNs, as reported by BleepingComputer.
Rapid7 security researchers shed further light on these incidents in a report released on Tuesday, disclosing that attackers have been targeting these devices since March of this year with brute-force attacks aimed at guessing login credentials.
Crucially, the researchers have not observed any instances where the threat actors behind these attacks have successfully bypassed properly configured MFA to compromise Cisco VPNs.
This corroborates an advisory from Cisco’s Product Security Incident Response Team (PSIRT) published shortly after BleepingComputer’s report. The advisory detailed attackers employing automated tools for targeting Cisco VPNs through brute-force and password-spraying attacks.
Cisco PSIRT Principal Engineer Omar Santos emphasized that, in the reported attack scenarios, the affected Cisco ASAs lacked proper logging configurations. This absence of logging has posed challenges in pinpointing precisely how the Akira ransomware attackers gained access to the VPNs.
“MFA serves as an additional layer of protection in the event that a threat actor successfully gains unauthorized access to a user’s VPN credentials, typically through means like brute force attacks. It acts as a deterrent, preventing threat actors from gaining unwarranted access to the VPN.”
Rapid7’s findings also revealed that, between March 30 and August 24, at least 11 of its customers suffered breaches that traced back to compromised Cisco ASA SSL VPNs.
In most cases examined by Rapid7, the malicious actors attempted to log into ASA appliances using commonly used usernames, including admin, guest, kali, cisco, test, printer, security, and inspector.
Rapid7 also noted a recurring pattern in the attacks, with the threat actors connecting from a Windows device named ‘WIN-R84DEUE96RB’ and employing the IP addresses 176.124.201[.]200 and 162.35.92[.]242.
Upon successfully breaching the VPN appliances, the attackers maintained remote access to the victims’ networks using the AnyDesk remote desktop software. They then moved laterally to additional systems using domain credentials obtained by dumping the NTDS.DIT Active Directory database.
Some breaches led to LockBit and Akira ransomware attacks
Rapid7 reported that numerous incidents handled by its managed services teams culminated in ransomware attacks by the Akira and LockBit groups. These incidents are a stark reminder of the persistent use of weak or default credentials, often compounded by a failure to enforce multi-factor authentication (MFA) on corporate VPNs.
According to a private report from SentinelOne WatchTower, there are indications that Akira operators may be leveraging an undisclosed vulnerability within Cisco VPN software. This vulnerability could potentially enable attackers to circumvent authentication on systems lacking MFA protection.
While scrutinizing leaked data, SentinelOne’s threat analysts unearthed evidence of Akira’s exploitation of Cisco VPN gateways.
In light of these findings, administrators and security teams are strongly advised to take proactive measures: disable default accounts and passwords so that brute-force attempts against the VPN have nothing to hit, enforce MFA for every VPN user without exception, and enable logging on all VPN appliances (forwarding it to a central collector rather than relying on the device’s local buffer) so that an intrusion can be reconstructed when it needs to be.
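Once ASA logging is actually on, the authentication-rejected messages are the place to catch this campaign early. The script below is an added example written for this article, not code from Cisco, Rapid7 or BleepingComputer. It parses Cisco ASA AAA syslog messages (113005/113015 for rejected logons, 113004/113012 for successful ones, formats reproduced from Cisco’s message documentation and to be checked against your own appliance’s output), counts failures per source IP, flags the IP addresses, hostname and default usernames reported by Rapid7 above, and raises a separate finding when an account that was being guessed at suddenly authenticates successfully. The sample log, the ASA hostname `asa1`, the RADIUS server `10.0.0.10`, the Windows 4624 line and the detection thresholds are all constructed for illustration.

```python
"""Flag brute-force / password-spray activity against a Cisco ASA SSL VPN from syslog.

Hypothetical detection script written to accompany the article; not Cisco or Rapid7 code.
The layouts for %ASA-6-113005/113015 (rejected) and 113004/113012 (successful) follow
Cisco's documented message formats; verify them against your own ASA output.
"""
import re
from collections import defaultdict

# Indicators and usernames taken from the Rapid7 observations quoted in the article.
IOC_IPS = {"176.124.201.200", "162.35.92.242"}
IOC_HOSTNAMES = {"WIN-R84DEUE96RB"}
COMMON_USERNAMES = {"admin", "guest", "kali", "cisco", "test", "printer", "security", "inspector"}

# Rejected authentications carry the client IP; successful ones (113004/113012) do not,
# so successes are correlated back to earlier failures by username.
FAIL_RE = re.compile(
    r"%ASA-\d-1130(?:05|15): AAA user authentication Rejected : reason = (?P<reason>.+?)"
    r" : (?:server = \S+|local database) : user = (?P<user>\S+) : user IP = (?P<ip>[\d.]+)"
)
SUCCESS_RE = re.compile(
    r"%ASA-\d-1130(?:04|12): AAA user authentication Successful"
    r" : (?:server = \S+|local database) : user = (?P<user>\S+)"
)


def analyze(lines, fail_threshold=5, user_threshold=3):
    """Return findings as (kind, subject, detail) tuples. Thresholds are illustrative."""
    failures = defaultdict(list)     # source IP -> usernames tried
    failed_users = defaultdict(set)  # username -> source IPs that failed for it
    findings = []
    for lineno, line in enumerate(lines, 1):
        # The attacker workstation name will show up in Windows/AnyDesk logs, not ASA logs,
        # so it is matched as a plain substring on any line fed in.
        for host in IOC_HOSTNAMES:
            if host in line:
                findings.append(("known_ioc_hostname", host, lineno))
        m = FAIL_RE.search(line)
        if m:
            failures[m["ip"]].append(m["user"])
            failed_users[m["user"]].add(m["ip"])
            continue
        m = SUCCESS_RE.search(line)
        if m and m["user"] in failed_users:
            # A success for an account that was just being guessed at: likely a correct guess.
            findings.append(("success_after_failures", m["user"], tuple(sorted(failed_users[m["user"]]))))
    for ip, users in failures.items():
        distinct = set(users)
        if ip in IOC_IPS:
            findings.append(("known_ioc_ip", ip, len(users)))
        if len(users) >= fail_threshold or len(distinct) >= user_threshold:
            findings.append(("brute_force", ip, len(users)))
        probed = distinct & COMMON_USERNAMES
        if probed:
            findings.append(("default_account_probe", ip, tuple(sorted(probed))))
    return findings


# Constructed sample log, not captured from a real appliance or domain controller.
SAMPLE_LOG = """\
Sep 05 2023 10:00:01 asa1 : %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = admin : user IP = 176.124.201.200
Sep 05 2023 10:00:03 asa1 : %ASA-6-113015: AAA user authentication Rejected : reason = User was not found : local database : user = kali : user IP = 176.124.201.200
Sep 05 2023 10:00:05 asa1 : %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = cisco : user IP = 176.124.201.200
Sep 05 2023 10:00:07 asa1 : %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = guest : user IP = 176.124.201.200
Sep 05 2023 10:00:09 asa1 : %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = test : user IP = 176.124.201.200
Sep 05 2023 10:00:11 asa1 : %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.10 : user = jsmith : user IP = 162.35.92.242
Sep 05 2023 10:00:14 asa1 : %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.10 : user = jsmith : user IP = 162.35.92.242
Sep 05 2023 10:00:20 asa1 : %ASA-6-113012: AAA user authentication Successful : local database : user = cisco
Sep 05 2023 10:05:00 asa1 : %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = jdoe : user IP = 203.0.113.7
Sep 05 2023 10:05:02 asa1 : %ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.7/51000 (203.0.113.7/51000) to inside:10.0.0.20/443 (10.0.0.20/443)
Sep 05 2023 10:20:00 dc1 Microsoft-Windows-Security-Auditing 4624 An account was successfully logged on. Workstation Name: WIN-R84DEUE96RB
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG.splitlines()):
        print(finding)
```

Run against the sample, the script reports the first IOC address brute-forcing five default accounts, the second IOC address hitting a single named user, the `cisco` account authenticating right after being guessed at, and the attacker workstation name in the constructed Windows logon event; the lone failure from 203.0.113.7 stays below threshold and is not reported. The same logic ports directly to a SIEM rule, but note that without `logging enable` and a remote syslog host the 113xxx messages never leave the appliance, which is exactly the gap Cisco PSIRT described.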