Cisco VPNs are under attack by ransomware actors including Akira and LockBit, according to a security advisory from the networking vendor as well as new research from Rapid7.
Cisco disclosed on Aug. 24 attacks against its VPNs with an advisory written by Omar Santos, principal engineer of Cisco's Product Security Incident Response Team. Santos wrote that Akira ransomware threat actors were targeting Cisco VPNs that were not configured for multifactor authentication (MFA).
Though not many technical details were included, Santos said the attackers were thought to have gained VPN access through brute-forcing or purchasing stolen credentials on the dark web. Moreover, in reported attacks, logging was not configured. "This has made it challenging to determine precisely how the Akira ransomware attackers were able to access the VPNs," Santos wrote in the advisory.
Rapid7, which Cisco credited in the Aug. 24 advisory for assisting the investigation, published research Tuesday offering additional technical insight into the attacks. In the research, Rapid7 said it had tracked ransomware attacks against Cisco Adaptive Security Appliance (ASA) SSL VPN devices since at least March. The security vendor observed adversaries conducting credential-stuffing attacks, as well as brute-force attacks against organizations without fully enforced MFA configurations.
"Rapid7 identified at least 11 customers who experienced Cisco ASA-related intrusions between March 30 and August 24, 2023," the vendor wrote. "Our team traced the malicious activity back to an ASA appliance servicing SSL VPNs for remote users. ASA appliance patches varied across compromised appliances -- Rapid7 did not identify any particular version that was unusually susceptible to exploitation."
Moreover, "several incidents" ended in ransomware deployment by Akira and LockBit, according to Rapid7. Akira is a newer gang first tracked in March 2023, while LockBit has been considered one of the major players in ransomware for some time.
As part of its investigation, Rapid7 said it monitored underground forums and Telegram channels for discussion about Cisco ASA-related intrusions. Its threat intelligence teams observed a "well-known" initial access broker under the alias "Bassterlord" selling a guide for breaching corporate networks. Rapid7 obtained a leaked copy of the guide and found references to Cisco SSL VPNs.
"Notably, the author claimed they had compromised 4,865 Cisco SSL VPN services and 9,870 Fortinet VPN services with the username/password combination test:test," Rapid7 said. "It's possible that, given the timing of the dark web discussion and the increased threat activity we observed, the manual's instruction contributed to the uptick in brute force attacks targeting Cisco ASA VPNs."
A spokesperson for Cisco told TechTarget Editorial that ransomware groups including Akira, LockBit and Trigona are "taking advantage of VPNs across the industry that are not configured for multi-factor authentication."
"Cisco Talos is currently tracking this cluster of activity as UAT3102," the spokesperson said in an email. "Given the variety of ransomware operators observed, in addition to recurring infrastructure and overlapping TTPs, it is believed that an Initial Access Broker (IAB) is responsible for the targeting and initial access."
The spokesperson emphasized that "it’s not just Cisco VPNs that Cisco Talos is tracking activity against" but rather VPNs across multiple vendors that are not configured for MFA.
Alexander Culafi is an information security news writer, journalist and podcaster based in Boston.