Hackers Targeting Cisco ASA SSL VPNs




Hackers have recently been targeting Cisco ASA SSL VPNs in a series of different types of attacks.

The methods they’ve used include credential stuffing and brute force attacks.

Cisco ASA SSL VPNs targeted

According to new information, threat actors started targeting Cisco VPNs in March 2023.

Since then, they’ve been trying to guess the passwords of the devices through brute force attacks.

Between March 30 and August 24, hackers managed to breach devices belonging to 11 customers. In most cases, they tried to log in using common usernames such as admin, guest, and cisco.

In several cases, they successfully logged in on the first try, suggesting that the victims used default or weak credentials.

The log entries show failed authentication attempts within milliseconds of one another, indicating that the hackers were using automated tools.
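As an added illustration that is not part of the article, the following detector applies the same signal (rapid bursts of rejected logins from one source, using the common usernames named above) to constructed ASA-style syslog lines. The log layout and message IDs are assumed for the example, and every log line is made up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed ASA-style syslog layout (hypothetical; message IDs and field order are not from the article).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ %ASA-6-1130(?:05|15): AAA user authentication Rejected"
    r" .*?user = (?P<user>\S+) : user IP = (?P<ip>\S+)"
)
COMMON_USERNAMES = {"admin", "guest", "cisco"}  # usernames the article says the attackers tried

def parse_line(line):
    """Return {ts, user, ip} for an authentication-rejected line, or None for anything else."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m.group("ts")), "user": m.group("user"), "ip": m.group("ip")}

def find_bursts(lines, window_ms=500, min_failures=5):
    """Flag source IPs with >= min_failures rejected logins inside any window_ms interval."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    alerts = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        for i in range(len(recs)):
            j = i  # extend the window while the next failure is still within window_ms of recs[i]
            while j + 1 < len(recs) and (recs[j + 1]["ts"] - recs[i]["ts"]).total_seconds() * 1000 <= window_ms:
                j += 1
            if j - i + 1 >= min_failures:
                alerts[ip] = {
                    "failures": len(recs),
                    "common_users": sorted({r["user"] for r in recs} & COMMON_USERNAMES),
                }
                break
    return alerts

# Constructed sample log: one machine-speed burst plus a single typo from a legitimate user.
SAMPLE_LOG = [
    f"2023-08-24T10:15:01.{ms:03d} asa01 %ASA-6-113005: AAA user authentication Rejected : "
    f"reason = Invalid password : server = 10.0.0.1 : user = {u} : user IP = 203.0.113.5"
    for ms, u in [(120, "admin"), (140, "guest"), (170, "cisco"), (210, "admin"), (250, "guest"), (300, "cisco")]
] + [
    "2023-08-24T10:20:33.000 asa01 %ASA-6-113005: AAA user authentication Rejected : "
    "reason = Invalid password : server = 10.0.0.1 : user = jsmith : user IP = 198.51.100.7",
]
```

Calling `find_bursts(SAMPLE_LOG)` flags only 203.0.113.5, which fired six rejections inside 200 ms against all three default usernames, while the lone failure from 198.51.100.7 stays quiet.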

All attacks share the same infrastructure and IP addresses. Hackers conducted them from a Windows device named WIN-R84DEUE96RB.

Once inside, they used AnyDesk to access the victims’ networks and compromised further systems with stolen credentials.

In some cases, they dumped NTDS.DIT as well as SAM (Security Account Manager) and SYSTEM hives, gaining access to other credentials.

This resulted in ransomware attacks through Akira and LockBit.

While there have been reports that the Akira group is exploiting certain vulnerabilities in Cisco VPN software, no details have been released so far.

However, hackers have had no luck so far when it comes to bypassing properly set up multi-factor authentication (MFA).

Experts say these attacks show how serious a problem the lack of MFA enforcement in corporate networks is.

They’ve also advised administrators and security teams to change default usernames and passwords.

This information confirms previous reports by the Product Security Incident Response Team (PSIRT) at Cisco.

PSIRT highlighted that hackers are using automated tools to conduct brute force and password-spraying attacks against Cisco devices.

Cisco controls 46% of the Ethernet switch market and 37.9% of the enterprise router market worldwide.

Dark web activity

Scouring the dark web shows that the famous initial access broker Bassterlord was selling a guide on breaking into corporate networks in February 2023.

The manual included a chapter on how to brute force SSL VPNs and was priced at $10,000.

When forums started leaking information from it, Bassterlord shifted to a content rental model.

A leaked copy of the manual shows that the author had previously compromised 4,865 Cisco SSL VPNs and 9,870 Fortinet VPN services.

Due to the timing, it’s possible that the manual contributed to the recent attacks on Cisco devices.
