In recent developments, reports have surfaced regarding the Akira ransomware threat actors targeting Cisco VPNs lacking multi-factor authentication (MFA).
This vulnerability, tracked as CVE-2023-20269, can potentially allow unauthorized access to VPN connections, raising concerns about the security of remote access environments.
Cisco acknowledges these reports and the observed instances where organizations without MFA on their VPNs have been vulnerable to infiltration.
This vulnerability could severely affect organizations relying on Cisco ASA and FTD software for remote access solutions.
Implementing MFA is emphasized as a crucial security measure to mitigate the risk of unauthorized access and potential ransomware infections.
It provides an additional layer of protection, especially when threat actors attempt to gain access to VPN credentials through brute-force attacks.
Cisco has actively collaborated with Rapid7 in investigating similar attack tactics and extends gratitude to Rapid7 for their valuable cooperation.
Akira Ransomware
The Akira ransomware first came to light in March 2023, known for employing various extortion strategies and maintaining a TOR-based website for listing victims and stolen data.
Victims are directed to initiate negotiations through this site, using unique identifiers provided in ransom messages.
When targeting VPNs, attackers exploit exposed services and vulnerabilities in MFA and VPN software.
They then attempt to extract credentials, escalate privileges, and pivot within the network.
The use of tools like Living-Off-The-Land Binaries (LOLBins) and Commercial Off-The-Shelf (COTS) tools has been associated with this threat group.
Two primary access methods are highlighted: brute-forcing, involving automated attempts with username/password combinations and purchasing credentials from the dark web, which may leave no trace in VPN logs.
The absence of detailed logs in affected Cisco ASA devices has hindered a precise analysis of the attack method.
Proper logging is a vital component of cybersecurity to record events and enhance incident correlation and auditing.
For Cisco ASA users, guidance on setting up logging is provided through command-line interface (CLI) instructions.
Additionally, responders can refer to the Cisco ASA Forensics Guide for instructions on evidence collection and integrity checks.
Cisco reaffirms its commitment to monitoring and investigating these activities, pledging to keep customers informed of any new findings or information.
Source: https://cybersecuritynews.com/akira-ransomware-cisco-asa/
