Cisco is aware of reports that Akira ransomware threat actors have been targeting Cisco VPNs that are not configured for multi-factor authentication to infiltrate organizations, and we have observed instances where threat actors appear to be targeting organizations that do not configure multi-factor authentication for their VPN users.
This highlights the importance of enabling multi-factor authentication (MFA) in VPN implementations. By implementing MFA, organizations can significantly reduce the risk of unauthorized access, including a potential ransomware infection. If a threat actor successfully gains unauthorized access to a user’s VPN credentials, such as through brute force attacks, MFA provides an additional layer of protection to prevent the threat actors from gaining access to the VPN.
Cisco has been actively collaborating with Rapid7 in the investigation of similar attack tactics. Cisco would like to thank Rapid7 for their valuable collaboration.
Initial reports of the Akira ransomware date back to March 2023. The threat actors responsible for the Akira ransomware use different extortion strategies and operate a website on the TOR network (with a .onion domain) where they list victims and any pilfered information if the ransom demands are not met. Victims are directed to contact the attackers through this TOR-based site, using a unique identifier found in the ransom message they receive, to initiate negotiations.
When targeting VPNs in general, the first stage of the attack is carried out by taking advantage of exposed services or applications. The attackers often focus on the absence of, or known weaknesses in, multi-factor authentication (MFA), as well as known vulnerabilities in VPN software. Once the attackers have obtained a foothold in a target network, they try to extract credentials through LSASS (Local Security Authority Subsystem Service) dumps to facilitate further movement within the network and to elevate privileges if needed. The group has also been linked to the use of other tools commonly referred to as Living-Off-The-Land Binaries (LOLBins) or Commercial Off-The-Shelf (COTS) tools, such as PCHunter64, and to the creation of minidumps to gather further intelligence about, or pivot inside, the target network.
There are two primary ways in which the attackers might have gained access:
Logging is a crucial part of cybersecurity that involves recording events happening within a system. In the reported attack scenarios, logging was not configured on the affected Cisco ASAs. This has made it challenging to determine precisely how the Akira ransomware attackers were able to access the VPNs. The absence of detailed logs leaves gaps in understanding and hinders a clear analysis of the attack method.
To set up logging on a Cisco ASA, use the command-line interface (CLI) and the logging enable, logging host, and logging trap commands to turn on logging, specify the syslog server, and set the severity level of the messages sent to it, along with other parameters. Sending logging data to a remote syslog server is recommended, since it allows improved correlation and auditing of network and security incidents across various network devices.
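As an added illustration of what the syslog data described above makes possible, here is a small Python script that is not part of the original post or of any Cisco tool. It assumes an ASA configured with logging enable, logging host pointing at a collector, logging timestamp, and logging trap informational, and it parses constructed ASA syslog lines for AAA authentication events (message IDs 113004 for a successful authentication, 113005 and 113015 for rejections). It flags a burst of rejections from one source address within a short window, distinguishing a single-user brute force from a multi-user password spray, and flags a successful login that follows such a burst for the same user. The hostname, addresses, usernames, timestamps, threshold and window are assumed sample values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines in the shape an ASA emits for AAA
# authentication events (not real log data). Device id and addresses are
# made up; 113004 = success, 113005 = AAA server reject, 113015 = local reject.
SAMPLE_SYSLOG = """\
Aug 21 2023 10:00:01 asa-edge %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = jdoe : user IP = 203.0.113.7
Aug 21 2023 10:00:03 asa-edge %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = jdoe : user IP = 203.0.113.7
Aug 21 2023 10:00:04 asa-edge %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = asmith : user IP = 203.0.113.7
Aug 21 2023 10:00:06 asa-edge %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = admin : user IP = 203.0.113.7
Aug 21 2023 10:00:09 asa-edge %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = root : user IP = 203.0.113.7
Aug 21 2023 10:00:12 asa-edge %ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = jdoe
Aug 21 2023 10:05:00 asa-edge %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = bsmith : user IP = 198.51.100.4
Aug 21 2023 10:30:00 asa-edge %ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = bsmith
"""

# Timestamp as produced by "logging timestamp", then anything (device id,
# separators) up to the %ASA-<severity>-<id> tag, then the message body.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}).*?"
    r"%ASA-\d-(?P<msg_id>\d{6}): (?P<body>.*)$"
)
USER_RE = re.compile(r"\buser = (\S+)")
USER_IP_RE = re.compile(r"\buser IP = (\S+)")

REJECT_IDS = {"113005", "113015"}
SUCCESS_IDS = {"113004"}


def parse_line(line):
    """Return a dict with ts, msg_id, user, ip for an ASA AAA line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S")
    body = m.group("body")
    user = USER_RE.search(body)
    ip = USER_IP_RE.search(body)
    return {
        "ts": ts,
        "msg_id": m.group("msg_id"),
        "user": user.group(1) if user else None,
        "ip": ip.group(1) if ip else None,
    }


def detect(lines, threshold=4, window=timedelta(minutes=5)):
    """Flag rejection bursts per source IP and a success that follows one.

    threshold: rejections from one IP inside `window` that trigger an alert
    (assumed value). A burst against several usernames is reported as a
    password spray, against a single username as brute force.
    """
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    alerts = []
    rejects_by_ip = defaultdict(list)  # ip -> [(ts, user), ...] inside window
    last_reject_by_user = {}           # user -> (ts, ip) of latest rejection
    flagged_ips = set()

    for e in events:
        if e["msg_id"] in REJECT_IDS and e["ip"]:
            hist = rejects_by_ip[e["ip"]]
            hist.append((e["ts"], e["user"]))
            # Keep only rejections that fall inside the sliding window.
            hist[:] = [(t, u) for t, u in hist if e["ts"] - t <= window]
            if len(hist) >= threshold and e["ip"] not in flagged_ips:
                flagged_ips.add(e["ip"])
                users = sorted({u for _, u in hist if u})
                kind = "password_spray" if len(users) > 1 else "brute_force"
                alerts.append({"type": kind, "ip": e["ip"],
                               "failures": len(hist), "users": users})
            if e["user"]:
                last_reject_by_user[e["user"]] = (e["ts"], e["ip"])
        elif e["msg_id"] in SUCCESS_IDS and e["user"] in last_reject_by_user:
            # 113004 carries no source IP here, so correlate on the username:
            # a success shortly after a flagged burst against that user.
            t, ip = last_reject_by_user[e["user"]]
            if e["ts"] - t <= window and ip in flagged_ips:
                alerts.append({"type": "success_after_burst",
                               "ip": ip, "user": e["user"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_SYSLOG.splitlines()):
        print(alert)
```

Note that 113004, 113005 and 113015 are informational (severity 6) messages, so a logging trap level stricter than informational would never deliver them to the collector and this kind of analysis would not be possible after the fact; the bsmith events in the sample show that a single rejection followed much later by a success is not flagged.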
Refer to the Guide to Secure the Cisco ASA Firewall to get detailed information about best practices to configure logging and secure a Cisco ASA.
Refer to the Cisco ASA Forensics Guide for First Responders to obtain instructions on how to collect evidence from Cisco ASA devices. The document lists different commands that can be executed to assemble evidence for a probe, along with the corresponding output that needs to be captured when these commands are run. In addition, the document explains how to conduct integrity checks on the system images of Cisco ASA devices and details a method for gathering a core file or memory dump from such a device.
Cisco will remain vigilant in monitoring and investigating these activities and will update customers with any new findings or information.