Cisco ASA SSL VPN Appliances is a type of network security device that allows remote users to access a private network over the internet securely.
These appliances are mainly used by organizations to do the following things:-
- Secure Remote Access
- Authentication
- Authorization
- Access Control
- Endpoint Security Checks
- Clientless Access
- Application Access
- Encrypted Data Transmission
- Granular Control
Since March 2023, the managed detection and response (MDR) teams of Rapid7 have noted a surge in threats to Cisco ASA SSL VPN devices, both physical and virtual.
Threat actors often exploit weak passwords or launch targeted brute-force attacks on ASA appliances lacking MFA, resulting in several incidents of Akira and LockBit groups deploying ransomware.
Brute-force Attacks on ASA Appliances
Targets span various sectors with no distinct pattern, and here below, we have mentioned the sectors:-
However, researchers at Rapid7 have confirmed that they have not seen any successful MFA bypasses when properly configured.
From March 30 to August 24, 2023, 11 Rapid7 customers faced Cisco ASA intrusions. SSL VPN-using ASA appliances were compromised, with patch variations across them; no version stood out as unusually vulnerable.
Cybersecurity analysts noted overlap in IOCs like:-
- Windows clientname WIN-R84DEUE96RB
- IPs (176.124.201[.]200, and 162.35.92[.]242)
- Accounts (TEST, CISCO, SCANUSER, PRINTER)
- Weak credentials
Here below, we have mentioned all the common usernames that threat actors use to log into ASA appliances:-
- admin
- adminadmin
- backupadmin
- kali
- cisco
- guest
- accounting
- developer
- ftp user
- training
- test
- printer
- echo
- security
- inspector
- test test
- snmp
Rapid7 monitors underground forums and Telegram for attacker discussions on ASA attacks. In Feb 2023, “Bassterlord,” a renowned initial access broker, sold a $10k corporate network access guide with SSL VPN brute forcing insights.
Moreover, the leaked manual reveals VPN hacking secrets of the threat actors, and it’s been confirmed that 4,865 Cisco and 9,870 Fortinet services were compromised.
Mitigations
Here below, we have mentioned all the mitigations offered by the security researchers:-
- Disable defaults or reset passwords for safety.
- Strongly enforce MFA for VPN users.
- Make sure to enable logging via VPNs.
- Watch VPN logs for unusual authentication locations.
- Always keep track of VPN logs for failed authentications to spot brute force and password spray.
- Stay updated with patches for VPNs, VDI, and gateway devices as a key practice.
IoCs
AnyDesk:
- 161.35.92.242
- 173.208.205.10
- 185.157.162.21
- 185.193.64.226
- 149.93.239.176
- 158.255.215.236
- 95.181.150.173
- 94.232.44.118
- 194.28.112.157
- 5.61.43.231
- 5.183.253.129
- 45.80.107.220
- 193.233.230.161
- 149.57.12.131
- 149.57.15.181
- 193.233.228.183
- 45.66.209.122
- 95.181.148.101
- 193.233.228.86
- 176.124.201.200
- 162.35.92.242
- 144.217.86.109
Other IP addresses that were observed conducting brute force attempts:
- 31.184.236.63
- 31.184.236.71
- 31.184.236.79
- 194.28.112.149
- 62.233.50.19
- 194.28.112.156
- 45.227.255.51
- 185.92.72.135
- 80.66.66.175
- 62.233.50.11
- 62.233.50.13
- 194.28.115.124
- 62.233.50.81
- 152.89.196.185
- 91.240.118.9
- 185.81.68.45
- 152.89.196.186
- 185.81.68.46
- 185.81.68.74
- 62.233.50.25
- 62.233.50.17
- 62.233.50.23
- 62.233.50.101
- 62.233.50.102
- 62.233.50.95
- 62.233.50.103
- 92.255.57.202
- 91.240.118.5
- 91.240.118.8
- 91.240.118.7
- 91.240.118.4
- 161.35.92.242
- 45.227.252.237
- 147.78.47.245
- 46.161.27.123
- 94.232.43.143
- 94.232.43.250
- 80.66.76.18
- 94.232.42.109
- 179.60.147.152
- 185.81.68.197
- 185.81.68.75
Log-based indicators:
- Login attempts with invalid username and password combinations (%ASA-6-113015)
- RAVPN session creation (attempts) for unexpected profiles/TGs (%ASA-4-113019, %ASA-4-722041, %ASA-7-734003)
Source: https://cybersecuritynews.com/hackers-attacking-cisco-vpn-appliances/
