Rapid7 security researchers have warned that hackers are targeting Cisco Adaptive Security Appliance (ASA) SSL VPNs in brute-force attacks. The attacks exploit lapses in security defenses, such as not enforcing multi-factor authentication (MFA).
According to Rapid7 security researchers, attackers have been targeting Cisco ASA SSL VPNs since March of this year. They have yet to detect any instances where the threat actors behind these attacks have circumvented properly configured MFA to breach Cisco VPNs.
The attacks typically involve using automated tools to try a large number of passwords to guess the targets’ login credentials. The attackers often use common usernames, such as “admin”, “guest”, and “kali”, as well as IP addresses associated with known threat actors.
Once the attackers gain access to a Cisco ASA SSL VPN, they can use it to remotely access the victim’s network and steal data or install malware. Cisco PSIRT’s Principal Engineer, Omar Santos, acknowledged the complexities arising due to improperly configured logging in affected Cisco ASAs, emphasizing the challenge in determining the attackers’ methods.
Security experts recommend that organizations use MFA to protect their Cisco ASA SSL VPNs. They should also disable default accounts and passwords and enable logging on all VPNs to help with attack analysis.
The sources for this piece include an article in BleepingComputer.