Pierluigi Paganini
August 31, 2023
Cisco is aware of attacks conducted by Akira ransomware threat actors targeting Cisco ASA VPNs that are not configured for multi-factor authentication.
“Cisco is aware of reports that Akira ransomware threat actors have been targeting Cisco VPNs that are not configured for multi-factor authentication to infiltrate organizations, and we have observed instances where threat actors appear to be targeting organizations that do not configure multi-factor authentication for their VPN users.” reads a post published by Cisco PSIRT.
“This highlights the importance of enabling multi-factor authentication (MFA) in VPN implementations. By implementing MFA, organizations can significantly reduce the risk of unauthorized access, including a potential ransomware infection. If a threat actor successfully gains unauthorized access to a user’s VPN credentials, such as through brute force attacks, MFA provides an additional layer of protection to prevent the threat actors from gaining access to the VPN.”
Cisco has been actively investigating the hacking campaign with the help of Rapid7. Rapid7 researchers have observed increased threat activity targeting Cisco ASA SSL VPN appliances dating back to at least March 2023.
“Rapid7 identified at least 11 customers who experienced Cisco ASA-related intrusions between March 30 and August 24, 2023.” reads report published by Rapid7.
Threat actors are conducting credential stuffing and brute-force attacks targeting Cisco ASA (Adaptive Security Appliance) SSL VPNs.
The Akira ransomware has been active since March 2023, the threat actors behind the malware claim to have already hacked multiple organizations in multiple industries, including education, finance, and real estate. Like other ransomware gangs, the group has developed a Linux encryptor to target VMware ESXi servers.
The group now is targeting Cisco VPN products to gain initial access to corporate networks.
Sophos researchers observed in May the threat actor using compromised Cisco VPN accounts to breach target networks.
Bleeping Computer reported the information shared by the incident responder as ‘Aura’ on Twitter. Aura confirmed that threat actors targeted organizations using CISCO VPN appliances without MFA enabled.
BleepingComputer also reported that SentinelOne is investigating the possibility that the Akira ransomware group is exploiting an unknown vulnerability in the Cisco VPN software.
Rapid7 experts identified the Windows clientname WIN-R84DEUE96RB and the IP addresses 176.124.201[.]200 and 162.35.92[.]242 as part of the attackers’ infrastructure. The researchers also observed overlap in accounts used to authenticate into internal systems, some of these accounts are TEST, CISCO, SCANUSER, and PRINTER.
“Upon successful authentication to internal assets, threat actors deployed set.bat. Execution of set.bat resulted in the installation and execution of the remote desktop application AnyDesk, with a set password of greenday#@!.” cntinues the report. “In some cases, nd.exe was executed on systems to dump NTDS.DIT, as well as the SAM and SYSTEM hives, which may have given the adversary access to additional domain user credentials. The threat actors performed further lateral movement and binary executions across other systems within target environments to increase the scope of compromise.”
Several intrusions observed by Rapid7 led to Akira or LockBit ransomware infections.
Rapid7 published Indicators of compromise (IoCs) for these attacks.
Cisco customers could refer to the Cisco ASA Forensics Guide for First Responders to obtain instructions on how to collect evidence from ASA appliances.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Cisco ASA)
