Cisco VPNs without MFA are under attack by ransomware operator

The Cisco Product Security Incident Response Team (PSIRT) has posted a blog about Akira ransomware targeting VPNs without Multi-Factor Authentication (MFA).

The Cisco team states that it is aware of reports of the Akira ransomware group going specifically after Cisco VPNs that are not configured for MFA. And they have observed instances where cybercriminals appear to be targeting organizations that do not configure MFA for their VPN users.

One of the reports the team may be aware of was tweeted weeks ago by security researcher and incident responder Aura:

I’m just gonna go ahead and say it. If you have:
Cisco VPN
No MFA for it
You may get a surprise knock from #Akira #Ransomware soon.

Cisco VPN solutions are widely used to provide secure, encrypted data transmission between users and corporate networks, often used by remote employees. Gaining access could allow attackers to extract credentials through LSASS (Local Security Authority Subsystem Service) dumps to facilitate further movement within the network and elevate privileges if needed.

What the researchers haven’t been able to determine is how the ransomware operators gained access to Cisco VPN’s account login credentials in the first place, also hindered by the fact that Cisco ASA (Adaptive Security Appliance) doesn’t feature a logging function for successful logins. Only login attempts with invalid username/password combinations can be found in the logs if logging is configured in the affected Cisco’s ASAs.

It is possible that the criminals acquired valid credentials by purchasing them on the dark web, that they are using a zero-day exploit, or that they are using brute-force or credential stuffing attacks. Credential stuffing is a popular tactic of attempting to access online accounts using username-password combinations acquired from already-breached data dumps. In a brute force attack, attackers typically try a lot of common passwords, or a few common passwords across many usernames which is called password spraying. Password spraying focuses on trying a few passwords across many accounts, often to avoid account lockouts and detection.

Cisco says it has seen evidence of brute force and password spraying attempts. Other researchers say they have found evidence of Akira using Cisco VPN gateways in leaked data posted on the group’s extortion page and seem to be leaning towards the vulnerability scenario.

Whichever way was used to gain access, it has become even more apparent that adding MFA is an important factor in fighting off these attacks.