What Happened?
Rapid7 has reported active exploitation of Cisco ASA SSL VPNs. This is not the result of a new CVE or vulnerability, but rather an observable increase in successful password spraying attacks against these services. Cisco has stated in their own blog that they are “aware of reports that Akira ransomware threat actors have been targeting Cisco VPNs that are not configured for multi-factor authentication to infiltrate organizations, and we have observed instances where threat actors appear to be targeting organizations that do not configure multi-factor authentication for their VPN users.”
How Bad is This?
In most cases, a VPN will give the authenticated user access to an organization’s internal network and infrastructure. This makes it a serious event, especially since the attack itself is likely automated: it requires low effort from the threat actor with potential for high returns. Successful unauthorized authentication also provides the threat actor with valid credentials to use once connected to the VPN, meaning they could potentially move laterally within the network.
Sample ASA logs containing IP addresses called out by Rapid7. This activity was observed over a one-month period (Aug 1-31).
What Should I Do?
Due to the nature of password spraying and brute forcing, there is no patch to apply. The best response is to begin applying security best practices:
- Enable MFA for accounts with SSL VPN access.
- Enforce strong password requirements and do not allow the use of default credentials.
- Limit SSL VPN access to a specific group of users.
- Audit existing SSL VPN permissions and remove users and groups without a business need for VPN access.
- Enable logging of VPN events. Specific details can be found in the Cisco blog post.
  - Ensure that Logging Filters for Syslog Server are configured to send “Severity: Informational”.
  - It is also important to disable “Hide username if its validity cannot be determined” on your Cisco ASA device.
    - This can be found in the ASDM GUI under Device Management -> Logging -> Syslog Setup: “Hide username if its validity cannot be determined”.
    - Alternatively, you can use the command: no logging hide username
- Monitor logs as detailed in the section below.
How To Detect
- Monitor VPN logs for high volumes of failed authentications, especially where the username is generic like “admin”, “guest”, “test”, “printer”, etc.
- Rapid7 has documented a number of IP addresses associated with this activity. Blumira is constantly updating our dynamic blocklists with newly identified IP addresses.
- Cisco has documented logcodes to monitor:
  - Login attempts with invalid username and password combinations (%ASA-6-113015)
  - RAVPN session creation (attempts) for unexpected profiles/TGs (%ASA-4-113019, %ASA-4-722041, %ASA-7-734003)
- Blumira already has a detection in place, titled “ASA WebVPN Anomalous Access Attempts”, that will detect this activity.
- There are two Blumira Global reports you can use to monitor this as well:
  - Cisco ASA: AAA Authentication Failure Events
    - Tracks the ASA-6-113015 logcode.
  - Cisco ASA: RAVPN Session Creation Attempts
    - Tracks the ASA-4-113019, ASA-4-722041, and ASA-7-734003 logcodes.
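The monitoring guidance above (high volumes of failed authentications, generic usernames such as “admin”/“guest”/“test”/“printer”, and the %ASA-6-113015 logcode) can be turned into a small triage script. The following is an added example written for this post; it is not Blumira's detection, Cisco's code, or Rapid7's tooling. It assumes syslog lines in the general shape of the %ASA-6-113015 “AAA user authentication Rejected” message, and it assumes that when “Hide username” is left enabled the username field arrives as a run of asterisks, which the script counts separately because those events cannot be checked against the generic-username list. The sample log lines are constructed, using RFC 5737 documentation addresses, and are not captured from a real device.

```python
"""Triage %ASA-6-113015 authentication failures for password-spray patterns.

Added example for this advisory (not vendor code). Assumed message shape:
  %ASA-6-113015: AAA user authentication Rejected : reason = <reason> :
      (server = <ip> | local database) : user = <name> : user IP = <ip>
"""
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines (NOT from a real device; RFC 5737 addresses).
# One source tries six different usernames, one user fails twice from a normal
# address, one success line (113012) is present to show non-matching input,
# and one event has the username hidden by the ASA (assumed rendered as *****).
SAMPLE_LOGS = """\
%ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = admin : user IP = 203.0.113.7
%ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = guest : user IP = 203.0.113.7
%ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = test : user IP = 203.0.113.7
%ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = printer : user IP = 203.0.113.7
%ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jsmith : user IP = 203.0.113.7
%ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = vpnuser : user IP = 203.0.113.7
%ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = jdoe : user IP = 198.51.100.22
%ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = jdoe : user IP = 198.51.100.22
%ASA-6-113012: AAA user authentication Successful : local database : user = jdoe
%ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = ***** : user IP = 203.0.113.9
"""

# Generic account names called out in the advisory as worth special attention.
GENERIC_USERNAMES = {"admin", "guest", "test", "printer"}

REJECT_RE = re.compile(
    r"%ASA-6-113015: AAA user authentication Rejected : reason = (?P<reason>.+?) : "
    r"(?:server = (?P<server>\S+)|local database) : user = (?P<user>\S+) : user IP = (?P<ip>\S+)"
)


def parse_reject(line):
    """Return a dict for a 113015 rejection line, or None for any other line."""
    m = REJECT_RE.search(line)
    if not m:
        return None
    event = m.groupdict()
    # Assumption: a hidden username is logged as asterisks only.
    event["user_hidden"] = set(event["user"]) == {"*"}
    return event


def analyze(lines, max_failures=5, min_distinct_users=4):
    """Summarise rejections per source IP and flag spray-like sources.

    high_volume: sources with at least max_failures rejections.
    spray_like:  sources that tried at least min_distinct_users usernames
                 (many users, few attempts each is the spraying signature).
    """
    failures = Counter()
    users_by_ip = defaultdict(set)
    generic_hits = defaultdict(set)
    hidden_username_events = 0

    for line in lines:
        event = parse_reject(line)
        if event is None:
            continue
        ip = event["ip"]
        failures[ip] += 1
        if event["user_hidden"]:
            # Cannot evaluate the username; this is why the post recommends
            # "no logging hide username" on the ASA.
            hidden_username_events += 1
            continue
        user = event["user"].lower()
        users_by_ip[ip].add(user)
        if user in GENERIC_USERNAMES:
            generic_hits[ip].add(user)

    return {
        "failures": dict(failures),
        "high_volume": sorted(ip for ip, n in failures.items() if n >= max_failures),
        "spray_like": sorted(ip for ip, u in users_by_ip.items() if len(u) >= min_distinct_users),
        "generic_usernames": {ip: sorted(u) for ip, u in generic_hits.items()},
        "hidden_username_events": hidden_username_events,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOGS.splitlines())
    for key, value in report.items():
        print(f"{key}: {value}")
```

The thresholds are deliberately parameters: a real deployment should tune max_failures and min_distinct_users to the normal failure rate of its own user base, and feed the script from the syslog collector rather than the embedded sample. The hidden_username_events counter is a quick health check that the “Hide username” setting discussed above is actually off; if it is non-zero, the generic-username check is blind for those events.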
References:
Akira Ransomware Targeting VPNs without Multi-Factor Authentication | CISCO
Under Siege: Rapid7-Observed Exploitation of Cisco ASA SSL VPNs | Rapid7