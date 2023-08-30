Hackers have been targeting Cisco Adaptive Security Appliance (ASA) SSL VPNs in credential stuffing and brute-force attacks. These attacks take advantage of security lapses, such as the absence of multi-factor authentication (MFA). The Akira ransomware gang was recently reported to have breached Cisco VPNs for initial network access. Additional insights regarding these incidents were provided by security researchers from Rapid7 in a report published on Tuesday.

According to the report, the activity against Cisco devices dates back to March of this year and consists of brute-force attempts to guess VPN login credentials. In none of the cases Rapid7 investigated did the threat actors bypass properly configured MFA to breach a Cisco VPN. This matches an advisory from Cisco's Product Security Incident Response Team (PSIRT), which stated that attackers are using automated tools against Cisco VPNs in brute-force and password-spraying attacks (a spray tries a few common passwords against many usernames, which keeps each account below lockout thresholds).

In most of the cases Rapid7 investigated, the attackers attempted to log in to the ASA appliances with common or default usernames such as admin, guest, kali and cisco. The incidents also shared infrastructure: the attackers connected from a Windows host named 'WIN-R84DEUE96RB' and from a recurring set of source IP addresses, which gives defenders concrete indicators to match against their VPN logs.
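The indicators in this paragraph (a short list of guessed usernames and a recurring source) translate directly into detection logic. The following Python script is an added example written for this article, not code from Rapid7, Cisco or the report. It parses constructed ASA syslog lines (the message IDs 113005, 113015, 716039 and 716001 are real ASA IDs, but the exact field layout here is written from memory and should be checked against a live appliance) and flags any source IP that sprays usernames, exceeds a failure threshold, touches a watchlist name, or logs in successfully after a run of failures. The thresholds and the watchlist are assumptions to tune locally.

```python
"""Flag VPN brute-force and password-spray activity in Cisco ASA syslog.

Added example for this article, not code from Rapid7 or Cisco. The log lines
below are constructed. Message IDs 113005/113015 (AAA rejected), 716039
(WebVPN auth rejected) and 716001 (WebVPN session started) are real ASA IDs,
but the field layout here is written from memory: verify it against the
appliance's own output before relying on the regexes.
"""
import re
from collections import defaultdict

# Usernames Rapid7 saw the attackers trying; extend with your own local defaults.
WATCHLIST_USERS = {"admin", "guest", "kali", "cisco"}
REJECT_IDS = {"113005", "113015", "716039"}
SUCCESS_IDS = {"716001"}

# AAA-style messages: "... : user = admin : user IP = 203.0.113.10"
AAA_RE = re.compile(
    r"%ASA-\d-(?P<id>\d{6}):.*?user = (?P<user>\S+)"
    r"(?:.*?(?:user IP|Uaddr) = (?P<ip>\S+))?"
)
# WebVPN-style messages: "Group <GP> User <admin> IP <203.0.113.10> ..."
WEBVPN_RE = re.compile(
    r"%ASA-\d-(?P<id>\d{6}): Group <[^>]*> User <(?P<user>[^>]*)> IP <(?P<ip>[^>]*)>"
)

# Constructed sample: one spraying source that eventually gets in as "admin",
# and one ordinary user who mistypes a password once and then logs in.
SAMPLE_LOG = """\
%ASA-6-113015: AAA user authentication Rejected : reason = User was not found : local database : user = kali : user IP = 203.0.113.10
%ASA-6-113015: AAA user authentication Rejected : reason = User was not found : local database : user = guest : user IP = 203.0.113.10
%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = admin : user IP = 203.0.113.10
%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = cisco : user IP = 203.0.113.10
%ASA-6-716039: Group <DfltGrpPolicy> User <admin> IP <203.0.113.10> Authentication: rejected, Session Type: WebVPN.
%ASA-6-716001: Group <SSLVPN_GP> User <admin> IP <203.0.113.10> WebVPN session started.
%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jdoe : user IP = 198.51.100.7
%ASA-6-716001: Group <SSLVPN_GP> User <jdoe> IP <198.51.100.7> WebVPN session started.
"""


def parse_line(line):
    """Return (msg_id, user, src_ip) for an authentication event, else None."""
    for rx in (WEBVPN_RE, AAA_RE):
        m = rx.search(line)
        if m:
            return m.group("id"), m.group("user"), m.group("ip") or "unknown"
    return None


def analyze(log_text, reject_threshold=5, distinct_user_threshold=3):
    """Aggregate per source IP and return findings (thresholds are assumed defaults).

    A source is flagged for a spray (many distinct usernames), a brute force
    (many rejects) or for touching a watchlist name; a success from a source
    that already had rejects is reported as a probable compromise.
    """
    stats = defaultdict(lambda: {"rejects": 0, "users": set(),
                                 "watchlist": set(), "logged_in": []})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        msg_id, user, ip = parsed
        s = stats[ip]
        if msg_id in REJECT_IDS:
            s["rejects"] += 1
            s["users"].add(user)
            if user.lower() in WATCHLIST_USERS:
                s["watchlist"].add(user.lower())
        elif msg_id in SUCCESS_IDS and s["rejects"] > 0:
            s["logged_in"].append(user)

    findings = []
    for ip, s in sorted(stats.items()):
        spray = len(s["users"]) >= distinct_user_threshold
        brute = s["rejects"] >= reject_threshold
        if not (spray or brute or s["watchlist"]):
            continue
        findings.append({
            "src_ip": ip,
            "pattern": "spray" if spray else "brute-force" if brute else "watchlist-probe",
            "rejects": s["rejects"],
            "distinct_users": len(s["users"]),
            "watchlist_users": sorted(s["watchlist"]),
            "probable_compromise": s["logged_in"],
        })
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Run against the sample, the script reports only 203.0.113.10 (a spray across four watchlist names that ends in a successful "admin" session), while 198.51.100.7, one failure followed by a login, stays quiet. The "watchlist-probe" pattern fires on a single attempt at a name like kali, which is noisy on a busy VPN; keep it, but route it to a lower-priority queue than the spray and compromise findings.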

Once inside through the VPN, the attackers established remote access to the victims' networks with the AnyDesk remote desktop tool. They then dumped the NTDS.DIT Active Directory database, which holds the password hashes of every domain account, and used the stolen domain credentials to compromise other systems.

Several of the breaches ended in ransomware deployment by the Akira and LockBit groups. The pattern underlines how common weak or default credentials and unenforced MFA still are on corporate VPNs, and how little it takes to turn a guessable password into full network access.

Administrators and security teams should disable default accounts and change default passwords on VPN appliances so that brute-force guessing has nothing easy to hit, enforce MFA for every VPN user with no password-only fallback, and enable logging on all VPNs, shipped to a central collector, so that failed-login floods are visible before a breach and reconstructable after one.
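To check those three recommendations against an appliance's configuration, the following Python script is an added example for this article, not Cisco's or Rapid7's tooling. It parses a constructed `show running-config` fragment and reports local accounts with commonly sprayed names, remote-access tunnel-groups that authenticate only against the LOCAL database (so no second factor can be enforced on the box) or that fall back to LOCAL when the AAA server is unreachable, and a missing `logging enable`. The ASA commands used (`username`, `tunnel-group ... general-attributes`, `authentication-server-group`, `secondary-authentication-server-group`, `logging enable`) are real; the built-in DefaultRAGroup and DefaultWEBVPNGroup are included because they exist on every ASA and default to LOCAL authentication. The weak-name list, the dummy hashes and the wording of the findings are the example's own choices.

```python
"""Audit a Cisco ASA running-config for the weaknesses described in this article.

Added example, not Cisco's or Rapid7's code. The config below is constructed;
the checks are heuristics to read alongside the real `show running-config`.
"""
import re

# Local usernames attackers were seen spraying, plus common defaults (assumed list).
WEAK_LOCAL_USERS = {"admin", "guest", "kali", "cisco", "test", "user"}
# Built-in remote-access groups that exist on every ASA even when absent from
# the config; both authenticate against LOCAL unless told otherwise.
BUILTIN_GROUPS = ("DefaultRAGroup", "DefaultWEBVPNGroup")

# Constructed config fragment (password hashes are dummies).
SAMPLE_CONFIG = """\
hostname asa1
logging enable
logging host inside 10.0.0.20
username admin password $sha512$5000$AAAA$BBBB pbkdf2 privilege 15
username cisco password $sha512$5000$CCCC$DDDD pbkdf2
username jdoe password $sha512$5000$EEEE$FFFF pbkdf2
aaa-server LDAP_AD protocol ldap
aaa-server DUO_RADIUS protocol radius
tunnel-group LEGACY type remote-access
tunnel-group LEGACY general-attributes
 authentication-server-group LOCAL
tunnel-group CORP type remote-access
tunnel-group CORP general-attributes
 authentication-server-group (inside) DUO_RADIUS LOCAL
tunnel-group MFA type remote-access
tunnel-group MFA general-attributes
 authentication-server-group LDAP_AD
 secondary-authentication-server-group DUO_RADIUS
tunnel-group 203.0.113.50 type ipsec-l2l
"""


def _new_group():
    return {"type": None, "auth": [], "secondary": []}


def parse_config(text):
    """Return (local_users, tunnel_groups, logging_enabled)."""
    users, groups, logging_enabled = [], {}, False
    current = None  # general-attributes block being read, if any
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            current = None  # any top-level command ends the indented block
        if m := re.match(r"username (\S+) ", line):
            users.append(m.group(1))
        elif line.strip() == "logging enable":
            logging_enabled = True
        elif m := re.match(r"tunnel-group (\S+) type (\S+)", line):
            groups.setdefault(m.group(1), _new_group())["type"] = m.group(2)
        elif m := re.match(r"tunnel-group (\S+) general-attributes", line):
            current = groups.setdefault(m.group(1), _new_group())
        elif current is not None and line.startswith(" "):
            words = line.split()
            servers = [w for w in words[1:] if not w.startswith("(")]  # drop (interface)
            if words[0] == "authentication-server-group":
                current["auth"] = servers
            elif words[0] == "secondary-authentication-server-group":
                current["secondary"] = servers
    return users, groups, logging_enabled


def audit(text):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    users, groups, logging_enabled = parse_config(text)
    findings = []
    for u in users:
        if u.lower() in WEAK_LOCAL_USERS:
            findings.append(f"local user '{u}': commonly sprayed name; remove it or move it behind MFA")
    for name in BUILTIN_GROUPS:
        groups.setdefault(name, {"type": "remote-access", "auth": [], "secondary": []})
    for name, g in sorted(groups.items()):
        if g["type"] == "ipsec-l2l":
            continue  # site-to-site tunnels use pre-shared keys or certs, not user passwords
        auth = g["auth"] or ["LOCAL"]  # ASA default when unset
        if auth == ["LOCAL"] and not g["secondary"]:
            findings.append(f"tunnel-group {name}: password-only LOCAL authentication, no second factor possible")
        elif "LOCAL" in auth and not g["secondary"]:
            findings.append(f"tunnel-group {name}: falls back to LOCAL passwords when {auth[0]} is down")
        elif not g["secondary"]:
            findings.append(f"tunnel-group {name}: relies on {auth[0]} alone; confirm that server enforces MFA")
    if not logging_enabled:
        findings.append("logging is disabled: failed VPN logins leave no record")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

On the sample this yields six findings: the admin and cisco local accounts, password-only authentication on LEGACY and on both built-in default groups, and the LOCAL fallback on CORP; the MFA group, whose second factor comes from a separate RADIUS server group, passes. A group that authenticates only against an external RADIUS or LDAP server is reported as "confirm" rather than as a failure, because whether a second factor is enforced is decided on that server, not in the ASA config.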

Sources:

– BleepingComputer: [insert URL here]

– Rapid7: [insert URL here]

– Cisco PSIRT: [insert URL here]

– SentinelOne: [insert URL here]