Heimdal Security Blog

Weaknesses in Cisco ASA SSL VPNs Exploited Through Brute-Force Attacks

In a recent surge of cyber threats, hackers have targeted Cisco Adaptive Security Appliance (ASA) SSL VPNs using a combination of brute-force attacks and credential stuffing.

These attacks have taken advantage of security vulnerabilities, particularly the absence of robust multi-factor authentication (MFA) measures. The incidents have sparked concerns about the security of remote network access for organizations worldwide.

Escalation of Threats

Since March 2023, specialized teams have observed a significant surge in threats directed at Cisco ASA SSL VPN devices, encompassing both physical and virtual instances. Threat actors have predominantly exploited weak passwords and run targeted brute-force attacks against ASA appliances that lack multi-factor authentication (MFA). These intrusions have resulted in a series of incidents marked by the deployment of ransomware by various groups, including Akira and LockBit.
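As an added illustration (not part of the original article or any Heimdal or Cisco tooling), the sketch below shows how a defender could flag the two patterns described above in ASA authentication logs: repeated guessing against one account versus one source trying many usernames. The log layout for syslog IDs 113005/113015, the thresholds and all sample lines are assumptions constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Rejected-login events (syslog IDs 113005 / 113015). The field layout is an
# assumption; adjust the pattern to the exact format your ASA emits.
REJECT = re.compile(
    r"^(?P<ts>\S+)\s+%ASA-6-(?:113005|113015):.*?Rejected.*?"
    r"user\s*=\s*(?P<user>\S+)\s*:\s*user IP\s*=\s*(?P<ip>\S+)"
)

def detect(lines, window=timedelta(minutes=5), min_failures=5, many_users=4):
    """Return {source_ip: (failures, distinct_users, label)} for the largest
    burst of rejected logins each IP produced inside a sliding window."""
    by_ip = defaultdict(list)
    for line in lines:
        m = REJECT.search(line)
        if m:
            by_ip[m["ip"]].append((datetime.fromisoformat(m["ts"]), m["user"]))
    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            burst = events[start:end + 1]
            if len(burst) >= min_failures and len(burst) > findings.get(ip, (0,))[0]:
                users = {u for _, u in burst}
                label = ("many-usernames (stuffing/spraying)" if len(users) >= many_users
                         else "single-account guessing (brute force)")
                findings[ip] = (len(burst), len(users), label)
    return findings

def _rej(ts, user, ip):  # builds one constructed 113015 line
    return (f"2023-08-24T{ts} %ASA-6-113015: AAA user authentication Rejected : "
            f"reason = Invalid password : local database : user = {user} : user IP = {ip}")

# Constructed sample data (documentation IP ranges, made-up usernames).
SAMPLE = (
    [_rej(f"02:10:{s:02d}", "admin", "203.0.113.50") for s in range(0, 60, 10)]
    + [_rej(f"02:20:{i:02d}", u, "198.51.100.7")
       for i, u in enumerate(["admin", "test", "guest", "vpnuser", "backup"])]
    + [_rej("09:00:00", "alice", "192.0.2.10"), _rej("11:30:00", "alice", "192.0.2.10")]
    + ["2023-08-24T09:01:00 %ASA-6-113012: AAA user authentication Successful : "
       "local database : user = alice"]
)

if __name__ == "__main__":
    for ip, finding in detect(SAMPLE).items():
        print(ip, finding)
```

Two isolated failures for one user stay below the threshold and are not reported, which keeps ordinary mistyped passwords out of the results.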

Attack Tactics

Key findings following the analysis of the attacks highlight several common tactics used by threat actors:

Strategies for Mitigation – A Word from Heimdal®

As these attacks demonstrate, weak or default credentials are commonly exploited, underscoring the importance of stringent MFA implementation in corporate networks. Admins and security teams should prioritize securing their VPN systems against these evolving threats.

Our security experts recommend several mitigations to address these vulnerabilities:
