Cisco VPNs with no MFA enabled hit by ransomware groups
Since March 2023, affiliates of the Akira and LockBit ransomware operators have been breaching organizations via Cisco ASA SSL VPN appliances.
"In some cases, adversaries have conducted credential stuffing attacks that leveraged weak or default passwords; in others, the activity we've observed appears to be the result of targeted brute-force attacks on ASA appliances where multi-factor authentication was either not enabled or was not enforced for all users," Rapid7 researchers said on Tuesday.
Omar Santos, a principal engineer of Cisco's Product Security Incident Response Team, confirmed last week that they've been seeing instances where attackers seem to be targeting organizations that have not configured MFA for their VPN users.
Both Cisco and Rapid7 have advised organizations to protect access to their VPN devices with MFA for all users and to set up logging on those devices, to gain more insight into what's happening on them.
"Nearly 40% of all incidents our managed services teams responded to in the first half of 2023 stemmed from lack of MFA on VPN or virtual desktop infrastructure," Rapid7 researchers pointed out.
The Arctic Wolf IR team noticed something similar in July 2023, after responding to multiple Akira ransomware intrusions: "The majority of victim organizations did not have multi-factor authentication enabled on their VPNs."
News URL
https://www.helpnetsecurity.com/2023/08/31/ransomware-cisco-vpn/