
Cisco VPN appliances ‘under siege’, according to Rapid7 researchers

For the last few months, a range of threat actors have been targeting poorly configured Cisco ASA SSL VPN appliances.

David Hollingworth
Wed, 30 Aug 2023

Researchers at Rapid7 have observed the activity ramping up since at least March 2023, which in some cases has seen ransomware deployed on a number of networks.

According to the researchers, “there is no clear pattern among target organisations or verticals”, and even the methods of attack vary. Some threat actors are using credential-stuffing attacks to take advantage of weak passwords, while others are using brute-force techniques, especially against appliances that do not have multi-factor authentication (MFA) enabled or where MFA bypass groups are in use.

Victims range from small to large organisations and the industries impacted include the oil and gas sectors, healthcare, and manufacturing.


Between March and August, Rapid7 observed 11 of its customers experiencing “Cisco ASA-related intrusions”. Additionally, Rapid7 could not tie the activity to a particular patch version; the vulnerability seems to affect appliances across the board.

Attack behaviour varies, but there are some points of commonality. The Windows client name “WIN-R84DEUE96RB” appears frequently in related malicious infrastructure, and there is even some overlap in the accounts used to authenticate.

In some cases, login attempts succeed on the first try; in others, attempts are rapidly repeated after each failure. Some of the most common usernames observed are admin, adminadmin, backupadmin, developer, and ftp user, suggesting a brute-force approach.
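The two behaviours described above, rapid retries from one source and a short list of generic usernames, are both cheap to detect in the appliance's own authentication logs. The following script is an added example and is not code from Rapid7 or Cisco: it scans constructed sample lines loosely modelled on Cisco ASA AAA syslog messages (the message IDs, field layout and the `user IP` field on the success line are assumptions for this example and should be checked against your own appliance's output), flags sources that accumulate several failures inside a short window, flags any use of the usernames the researchers list (“ftp user” is approximated as `ftp`), and flags a success that follows failures from the same source, which is the case worth triaging first.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log; the %ASA-6-113015 / 113012 layout is an assumption.
SAMPLE_LOG = """\
Aug 29 2023 10:00:01 asa1 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = admin : user IP = 203.0.113.7
Aug 29 2023 10:00:02 asa1 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = adminadmin : user IP = 203.0.113.7
Aug 29 2023 10:00:02 asa1 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = backupadmin : user IP = 203.0.113.7
Aug 29 2023 10:00:03 asa1 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = developer : user IP = 203.0.113.7
Aug 29 2023 10:00:04 asa1 %ASA-6-113012: AAA user authentication Successful : local database : user = developer : user IP = 203.0.113.7
Aug 29 2023 10:15:00 asa1 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jsmith : user IP = 198.51.100.20
Aug 29 2023 10:32:00 asa1 %ASA-6-113012: AAA user authentication Successful : local database : user = jsmith : user IP = 198.51.100.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-\d-(?P<msgid>\d+): "
    r"AAA user authentication (?P<outcome>Rejected|Successful).*?"
    r"user = (?P<user>\S+)(?: : user IP = (?P<ip>\S+))?"
)

# Usernames reported by the researchers; "ftp user" approximated as "ftp" (assumption).
WATCHLIST = {"admin", "adminadmin", "backupadmin", "developer", "ftp"}
WINDOW = timedelta(seconds=60)   # look-back for earlier failures from the same source
FAIL_THRESHOLD = 3               # failures inside WINDOW that count as rapid retries


def parse(line):
    """Extract timestamp, outcome, username and source IP from one log line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
        "ok": m["outcome"] == "Successful",
        "user": m["user"],
        "ip": m["ip"] or "unknown",
    }


def analyse(log_text):
    """Return a list of (source_ip, finding, detail) tuples for the given log text."""
    findings = []
    recent_failures = defaultdict(deque)   # ip -> failure timestamps inside WINDOW
    seen_watchlist = set()                 # (ip, user) pairs already reported
    alerted_rapid = set()                  # ips already reported for rapid retries
    for raw in log_text.splitlines():
        ev = parse(raw)
        if ev is None:
            continue                        # not an AAA auth message; ignore
        ip, ts = ev["ip"], ev["ts"]
        q = recent_failures[ip]
        while q and ts - q[0] > WINDOW:     # drop failures that aged out of the window
            q.popleft()
        key = (ip, ev["user"].lower())
        if key[1] in WATCHLIST and key not in seen_watchlist:
            seen_watchlist.add(key)
            findings.append((ip, "watchlist_user", ev["user"]))
        if ev["ok"]:
            if q:                           # success right after failures: triage first
                findings.append((ip, "success_after_failures",
                                 f"{ev['user']} after {len(q)} failures"))
            q.clear()
        else:
            q.append(ts)
            if len(q) >= FAIL_THRESHOLD and ip not in alerted_rapid:
                alerted_rapid.add(ip)
                findings.append((ip, "rapid_retries",
                                 f"{len(q)} failures within {WINDOW.seconds}s"))
    return findings


if __name__ == "__main__":
    for ip, kind, detail in analyse(SAMPLE_LOG):
        print(f"{ip:16} {kind:24} {detail}")
```

On the sample, the source at 203.0.113.7 trips all three rules (four watch-listed usernames, three failures in two seconds, then a success as `developer`), while the second source, one typo followed by a successful login seventeen minutes later, produces nothing. Tune `WINDOW` and `FAIL_THRESHOLD` against your own baseline before alerting on them, and treat the watchlist as a starting point rather than a complete list.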

Once inside a system, threat actors have been seen deploying remote desktop applications, before moving laterally and executing further binaries. Both the Akira and LockBit ransomware groups have been seen operating in this fashion.

Rapid7’s researchers believe the increase in attacks could be related to a guide to “breaking into corporate networks” that was first seen circulating on the darknet in February 2023. As the guide has continued to be shared, the number of ASA-based intrusions has clearly trended upward.

“Rapid7 obtained a leaked copy of the manual and analysed its content,” the researchers said in a blog post. “Notably, the author claimed they had compromised 4,865 Cisco SSL VPN services and 9,870 Fortinet VPN services with the username/password combination ‘test:test’.

“It’s possible that, given the timing of the dark web discussion and the increased threat activity we observed, the manual’s instruction contributed to the uptick in brute force attacks targeting Cisco ASA VPNs.”

Cisco has been working with Rapid7 to investigate the incidents.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
