Hacking campaign bruteforces Cisco VPNs to breach networks

Hackers are targeting Cisco Adaptive Security Appliance (ASA) SSL VPNs in credential stuffing and brute-force attacks that take advantage of lapses in security defenses, such as not enforcing multi-factor authentication (MFA).

Last week, BleepingComputer reported that the Akira ransomware gang was breaching Cisco VPNs for initial network access.

Rapid7 security researchers have provided additional insights regarding these incidents in a report published on Tuesday, revealing that attackers have been directing their efforts towards these devices since March of this year in brute force attacks designed to guess the targets' login credentials.

They also said that they're yet to detect any instances where the threat actors behind these attacks have circumvented properly configured MFA to breach Cisco VPNs.

This confirms an advisory from Cisco's Product Security Incident Response Team (PSIRT) published two days after BleepingComputer's report regarding attackers using automated tools to target Cisco VPNs in brute-force and password-spraying attacks.

"In the reported attack scenarios, the logging was not configured in the affected Cisco's ASAs. This has made it challenging to determine precisely how the Akira ransomware attackers were able to access the VPNs," Cisco PSIRT Principal Engineer Omar Santos said.

"If a threat actor successfully gains unauthorized access to a user's VPN credentials, such as through brute force attacks, MFA provides an additional layer of protection to prevent the threat actors from gaining access to the VPN."

Rapid7 also revealed that at least 11 customers were breached in Cisco ASA-related attacks between March 30 and August 24, with the breaches linked to compromised SSL VPNs.

In most incidents investigated by Rapid7, the malicious actors tried to log into ASA appliances using usernames spanning common ones, ranging from admin, guest, kali, and cisco to test, printer, security, and inspector.

Rapid7 also said that most of the attacks utilized similar infrastructure, with the threat actors connecting from a Windows device named 'WIN-R84DEUE96RB' and using the 176.124.201[.]200 and 162.35.92[.]242 IP addresses.

After breaching the VPN appliances, the attackers remotely accessed the victims' networks using the AnyDesk remote desktop software and compromised other systems using domain credentials stolen after dumping the NTDS.DIT Active Directory database.

Some breaches led to LockBit and Akira ransomware attacks

"Several incidents our managed services teams have responded to ended in ransomware deployment by the Akira and LockBit groups," Rapid7 said.

"These incidents reinforce that use of weak or default credentials remains common, and that credentials in general are often not protected as a result of lax MFA enforcement in corporate networks."

As BleepingComputer reported, a private SentinelOne WatchTower report suggests that Akira operators might be leveraging an undisclosed vulnerability within Cisco VPN software that could allow the attackers to bypass authentication on systems lacking multi-factor authentication (MFA) protection.

While analyzing leaked data, SentinelOne threat analysts also uncovered evidence of Akira's exploitation of Cisco VPN gateways.

Admins and security teams are advised to deactivate default accounts and passwords to block brute-force attempts targeting their VPN systems.

Furthermore, they should ensure that MFA is enforced for all VPN users and that logging is enabled on all VPNs to help with attack analysis if needed.