Cyber Security Threat Summary:
Since March 2023 (and possibly even earlier), affiliates of the Akira and LockBit ransomware operators have been breaching organizations via Cisco ASA SSL VPN appliances, “In some cases, adversaries have conducted credential stuffing attacks that leveraged weak or default passwords; in others, the activity we’ve observed appears to be the result of targeted brute-force attacks on ASA appliances where multi-factor authentication (MFA) was either not enabled or was not enforced for all users (i.e., via MFA bypass groups),” Rapid7 researchers said on Tuesday.

Cisco’s Product Security Incident Response Team (PSIRT), confirmed last week that they’ve been seeing instances where attackers seem to be targeting organizations that have not configured MFA for their VPN users. Since March, Rapid7’s incident responders have investigated eleven incidents involving Cisco ASA-related intrusions.

Security Officer Comments:
The usernames in login attempts belonged to actual domain users. It’s also possible that the credentials were compromised in earlier attacks and sold on the dark web. The researchers have analyzed a manual sold on underground forums by a well-known initial access broker in early 2023, who claims to have compromised 4,865 Cisco SSL VPN services and 9,870 Fortinet VPN services with the username/password combination test:test.

Suggested Correction(s):
Both Cisco and Rapid7 have advised organizations to protect access to their VPN devices with MFA for all users and to definitely set up logging on those devices, to have more insight into what’s happening on them. Rapid7 urged organizations to disable default accounts, reset default passwords, promptly patch appliances, and monitor logs for patterns in failed authentication attempts. Keeping up to date with additional tactics, techniques, and procedures (TTPs) used by attackers, as well as setting up defenses to block and/or spot them being employed, is paramount to keeping organizational assets secure.

Link(s):
https://www.helpnetsecurity.com/2023/08/31/ransomware-cisco-vpn/