September 12 Update
Cisco released a security advisory linking this attack to vulnerability CVE-2023-20269, which “improperly separates authentication, authorization, and accounting (AAA) between the remote access VPN feature and HTTPS management and site-to-site VPN features.” This vulnerability applies to Cisco ASA software and the Cisco Firepower Threat Defense (FTD) software.
CVE-2023-20269 allows an attacker to send authentication requests to the interface for web access to the device. While the VPN access only allows a limited number of login attempts, the web access allowed for a brute force attack resulting in identifying valid credentials or establishing a clientless SSL VPN session (Cisco ASA 9.16 or earlier).
Mitigations: While there is not currently a patch for the vulnerability, here are workarounds provided by Cisco:
- Set up a dynamic access policy (DAP) to terminate VPN tunnels using DefaultADMINGroup or DefaultL2LGroup groups
- Deny VPN access with Default Group Policy (DfltGrpPolicy)
- Lock users in the LOCAL user database to a single profile with “group-lock”
- Disable Remote Access VPNs sessions for users that don’t require it
As of September 1
Rapid7 and Cisco have uncovered a noticeable increase in threat activity aimed at Cisco ASA SSL VPN appliances. The observations date back to at least March 2023 and involve the targeting of accounts with weak or default passwords and those with insufficient enforcement of multi-factor authentication (MFA). The attacks have resulted in a number of intrusions.
Several of these incidents culminated in the deployment of ransomware by the notorious Akira and LockBit groups. The affected entities spanned various industries, including healthcare, professional services, manufacturing, and oil and gas, suggesting a focus on exploiting ASA appliances rather than specific organizations. Cisco has also published a blog post that closely aligns with Rapid7’s findings.
The compromised ASA appliances exhibited a range of patch levels, indicating that no specific version was particularly prone to exploitation. Within these intrusions, Rapid7 uncovered patterns in indicators of compromise that hint at multiple attacks from the same group or the possible use of shared infrastructure for conducting the attacks.
Attackers repeatedly attempted logins using usernames such as “admin,” “cisco,” or “guest,” strongly suggesting the utilization of brute-force tools. Additionally, signs of automated attacks were evident through the occurrence of failed login attempts within milliseconds of each other. Upon successful authentication, the attackers deployed tools that facilitated lateral movement. This included the installation of the AnyDesk remote desktop application and the execution of binary files.
Rapid7 also noted their discovery of a guide to breaching corporate networks available for purchase on the dark web. The manual includes sections on brute forcing SSL VPNs, and its author claimed to have compromised thousands of Cisco SLL VPN and Fortinet VPN services. This publication could have potentially contributed to the surge in attacks against Cisco ASA VPNs, said the company.
Organizations are advised to disable default accounts or ensure default passwords have been reset, implement MFA for all VPN users, closely monitor VPN logs for irregular activities, and ensure that VPNs and other gateway devices are updated with the latest security patches.
Bytes & Insights: The Key Takeaways
In Summary: Rapid7 and Cisco have uncovered a surge in attacks targeting Cisco ASA SSL VPN appliances, dating back to March 2023. These attacks, exploiting weak passwords and the lack of multi-factor authentication, have led to multiple intrusions, several of which have resulted in deployment of Akira and LockBit ransomware.
Why It Matters: As attacks targeting Cisco ASA SSL VPN appliances increase, MSPs and their clients can implement several mitigation steps. Disabling default accounts, implementing comprehensive multi-factor authentication (MFA) protocols for all VPN users, and maintaining vigilant monitoring of VPN logs for unusual activities are recommended. These measures not only bolster protection against this specific threat but also enhance a company’s overall cyber resilience.