https://www.helpnetsecurity.com/2023/08/31/ransomware-cisco-vpn/
Cisco VPNs with no MFA enabled hit by ransomware groups

Zeljka Zorz, Editor-in-Chief, Help Net Security
August 31, 2023

Since March 2023 (and possibly even earlier), affiliates of the Akira and LockBit ransomware operators have been breaching organizations via Cisco ASA SSL VPN appliances.

“In some cases, adversaries have conducted credential stuffing attacks that leveraged weak or default passwords; in others, the activity we’ve observed appears to be the result of targeted brute-force attacks on ASA appliances where multi-factor authentication (MFA) was either not enabled or was not enforced for all users (i.e., via MFA bypass groups),” Rapid7 researchers said on Tuesday.

MFA makes attacks more difficult

Omar Santos, a principal engineer of Cisco’s Product Security Incident Response Team (PSIRT), confirmed last week that they’ve been seeing instances where attackers seem to be targeting organizations that have not configured MFA for their VPN users.

Since March, Rapid7’s incident responders have investigated eleven incidents involving Cisco ASA-related intrusions, and found that:

* Compromised appliances were at different patch levels
* Logs point to automated attacks (many failed login attempts occurring within milliseconds of one another)
* Usernames used in those attempts – admin, kali, cisco, guest, test, security, etc. – point to brute forcing

“In some cases, the usernames in login attempts belonged to actual domain users,” they added. It’s also possible that the credentials were compromised in earlier attacks and sold on the dark web.
The researchers have analyzed a manual sold on underground forums in early 2023 by a well-known initial access broker, who claims to have compromised 4,865 Cisco SSL VPN services and 9,870 Fortinet VPN services with the username/password combination test:test.

“It’s possible that, given the timing of the dark web discussion and the increased threat activity we observed, the manual’s instruction contributed to the uptick in brute force attacks targeting Cisco ASA VPNs,” they pointed out.

Advice for organizations

Both Cisco and Rapid7 have advised organizations to protect access to their VPN devices with MFA for all users and to make sure logging is enabled on those devices, to gain more insight into what’s happening on them.

“Nearly 40% of all incidents our managed services teams responded to in the first half of 2023 stemmed from lack of MFA on VPN or virtual desktop infrastructure,” Rapid7 researchers pointed out.

The Arctic Wolf IR team noticed something similar in July 2023, after responding to multiple Akira ransomware intrusions (mostly at small to medium-sized businesses): “The majority of victim organizations did not have multi-factor authentication enabled on their VPNs.”

Rapid7 also urged organizations to disable default accounts, reset default passwords, promptly patch appliances, and monitor logs for patterns in failed authentication attempts.

Keeping up to date with additional tactics, techniques, and procedures (TTPs) used by attackers, and setting up defenses to block and/or spot them being employed, is paramount to keeping organizational assets secure.
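The monitoring advice above (watch failed authentication attempts for the millisecond-spaced bursts and generic usernames Rapid7 describes) can be turned into a small detector. The following Python script is an added example, not code from Help Net Security, Rapid7 or Cisco. The log lines are constructed and only loosely modeled on the ASA "AAA user authentication Rejected" syslog message; the exact field layout, the one-second window, the five-failure threshold and the GENERIC_USERNAMES list (taken from the usernames named in the article) are assumptions for illustration, to be tuned against real device output.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Usernames the article reports seeing in brute-force attempts against ASA VPNs.
GENERIC_USERNAMES = {"admin", "kali", "cisco", "guest", "test", "security"}

# Constructed sample lines, loosely modeled on the ASA authentication-rejected
# syslog message. The field layout is an assumption for this example.
SAMPLE_LOGS = """\
Aug 29 2023 03:14:15.001 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = admin : user IP = 203.0.113.10
Aug 29 2023 03:14:15.004 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = cisco : user IP = 203.0.113.10
Aug 29 2023 03:14:15.009 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = kali : user IP = 203.0.113.10
Aug 29 2023 03:14:15.013 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = test : user IP = 203.0.113.10
Aug 29 2023 03:14:15.020 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = guest : user IP = 203.0.113.10
Aug 29 2023 03:14:15.031 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jsmith : user IP = 203.0.113.10
Aug 29 2023 08:02:41.500 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = mjones : user IP = 198.51.100.7
Aug 29 2023 08:03:02.110 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = mjones : user IP = 198.51.100.7
"""

# Matches one rejected-login line and captures timestamp, username and source IP.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}\.\d{3}) \S+ "
    r"%ASA-6-113005: AAA user authentication Rejected : .*?"
    r"user = (?P<user>\S+) : user IP = (?P<ip>\S+)$"
)


def parse_failures(log_text):
    """Return a list of (timestamp, username, source_ip) for each rejected login."""
    failures = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other message types are ignored by this detector
        ts = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S.%f")
        failures.append((ts, m.group("user"), m.group("ip")))
    return failures


def max_failures_in_window(timestamps, window):
    """Largest number of failures that fall inside any span of length `window`."""
    times = sorted(timestamps)
    best = 0
    start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1  # slide the window forward past stale events
        best = max(best, end - start + 1)
    return best


def analyze(log_text, window=timedelta(seconds=1), threshold=5):
    """Group failures by source IP and flag automated-looking bursts and generic usernames."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(log_text):
        by_ip[ip].append((ts, user))
    report = {}
    for ip, events in by_ip.items():
        users = {u for _, u in events}
        peak = max_failures_in_window([t for t, _ in events], window)
        report[ip] = {
            "failures": len(events),
            "peak_in_window": peak,
            "burst": peak >= threshold,  # many failures within milliseconds of each other
            "generic_usernames": sorted(users & GENERIC_USERNAMES),
            "distinct_usernames": len(users),
        }
    return report


if __name__ == "__main__":
    for ip, r in analyze(SAMPLE_LOGS).items():
        flag = "BRUTE-FORCE PATTERN" if r["burst"] or r["generic_usernames"] else "ok"
        print(f"{ip}: {r['failures']} failures, peak {r['peak_in_window']} per window, "
              f"generic usernames={r['generic_usernames']} -> {flag}")
```

Run against the constructed sample, the script flags 203.0.113.10 (six failures within about 30 ms, five of them with generic usernames) and leaves 198.51.100.7 alone (two failures twenty seconds apart for one real-looking account). A single source IP per burst is the simplest case; credential-stuffing from many addresses would need the same sliding-window logic applied per username or per VPN group rather than per IP.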