Cisco VPNs with no MFA enabled hit by ransomware groups

Since March 2023 (and possibly even earlier), affiliates of the Akira and LockBit ransomware operators have been breaching organizations via Cisco ASA SSL VPN appliances.

“In some cases, adversaries have conducted credential stuffing attacks that leveraged weak or default passwords; in others, the activity we’ve observed appears to be the result of targeted brute-force attacks on ASA appliances where multi-factor authentication (MFA) was either not enabled or was not enforced for all users (i.e., via MFA bypass groups),” Rapid7 researchers said on Tuesday.

MFA makes attacks more difficult

Omar Santos, a principal engineer of Cisco’s Product Security Incident Response Team (PSIRT), confirmed last week that they’ve been seeing instances where attackers seem to be targeting organizations that have not configured MFA for their VPN users.

Since March, Rapid7’s incident responders have investigated eleven incidents involving Cisco ASA-related intrusions, and found that:

• Compromised appliances were at different patch levels
• Logs point to automated attacks (many failed login attempts occurring within milliseconds of one another)
• Usernames used in those attempts – admin, kali, cisco, guest, test, security, etc. – point to brute forcing

“In some cases, the usernames in login attempts belonged to actual domain users,” they added. It’s also possible that the credentials were compromised in earlier attacks and sold on the dark web.

The researchers have analyzed a manual sold on underground forums by a well-known initial access broker in early 2023, who claims to have compromised 4,865 Cisco SSL VPN services and 9,870 Fortinet VPN services with the username/password combination test:test.

“It’s possible that, given the timing of the dark web discussion and the increased threat activity we observed, the manual’s instruction contributed to the uptick in brute force attacks targeting Cisco ASA VPNs,” they pointed out.

Advice for organizations

Both Cisco and Rapid7 have advised organizations to protect access to their VPN devices with MFA for all users and to definitely set up logging on those devices, to have more insight into what’s happening on them.

“Nearly 40% of all incidents our managed services teams responded to in the first half of 2023 stemmed from lack of MFA on VPN or virtual desktop infrastructure,” Rapid7 researchers pointed out.

The Arctic Wolf IR team noticed something similar in July 2023, after responding to multiple Akira ransomware intrusions (mostly at small to medium-sized businesses): “The majority of victim organizations did not have multi-factor authentication enabled on their VPNs.”

Rapid7 also urged organizations to disable default accounts, reset default passwords, promptly patch appliances, and monitor logs for patterns in failed authentication attempts.

Keeping up to date with additional tactics, techniques, and procedures (TTPs) used by attackers, as well as setting up defenses to block and/or spot them being employed, is paramount to keeping organizational assets secure.