Akira Ransomware Targeting VPNs without Multi-Factor Authentication

Cisco is aware of reports that Akira ransomware threat actors have been targeting Cisco VPNs that are not configured for multi-factor authentication to infiltrate organizations, and we have observed instances where threat actors appear to be targeting organizations that do not configure multi-factor authentication for their VPN users.

This highlights the importance of enabling multi-factor authentication (MFA) in VPN implementations. By implementing MFA, organizations can significantly reduce the risk of unauthorized access, including a potential ransomware infection. If a threat actor successfully gains unauthorized access to a user’s VPN credentials, such as through brute force attacks, MFA provides an additional layer of protection to prevent the threat actors from gaining access to the VPN.

Cisco has been actively collaborating with Rapid7 in the investigation of similar attack tactics. Cisco would like to thank Rapid7 for their valuable collaboration.

Akira Ransomware

Initial reports of the Akira ransomware date back to March 2023. The threat actors responsible for the Akira ransomware use different extortion strategies and operate a website on the TOR network (with a .onion domain) where they list victims and any pilfered information if the ransom demands are not met. Victims are directed to contact the attackers through this TOR-based site, using a unique identifier found in the ransom message they receive, to initiate negotiations.

Targeting VPN Implementations without MFA

When targeting VPNs in general, the first stage of the attack is carried out by taking advantage of exposed services or applications. The attackers often focus on the absence of or known vulnerabilities  in multi-factor authentication (MFA) and known vulnerabilities in VPN software. Once the attackers have obtained a foothold into a target network, they try to extract credentials through LSASS (Local Security Authority Subsystem Service) dumps to facilitate further movement within the network and elevate privileges if needed. The group has also been linked to using other tools commonly referred to as Living-Off-The-Land Binaries (LOLBins) or Commercial Off-The-Shelf (COTS) tools, such as PCHunter64, or engaging in the creation of minidumps to gather further intelligence about or pivot inside the target network.

Brute-Forcing vs. Purchasing Credentials

There are two primary ways regarding how the attackers might have gained access:

1. Brute-Forcing: We have seen evidence of brute force and password spraying attempts. This involves using automated tools to try many different combinations of usernames and passwords until the correct credentials are found. Password spraying is a type of brute-force attack in which an attacker attempts to gain unauthorized access to a large number of accounts by trying a few common passwords against many usernames. Unlike traditional brute-force attacks, where every possible password is tried for one user, password spraying focuses on trying a few passwords across many accounts, often avoiding account lockouts and detection. If the VPN configurations had more robust logging, it might be possible to see evidence of a brute-force attack, such as multiple failed login attempts. The following logs from a Cisco ASA can allow you to detect potential brute force attacks:

• Login attempts with invalid username/password (%ASA-6-113015)
  Example:
  %ASA-6-113015: AAA user authentication Rejected: reason = reason : local database: user = user: user IP = xxx.xxx.xxx.xxx
• Remote access VPN session creation attempts for unexpected connection profiles/tunnel groups (%ASA-4-113019, %ASA-4-722041, or %ASA-7-734003)

2. Purchasing Credentials through Dark Web Market: Attackers can sometimes acquire valid credentials by purchasing them on the dark web, an encrypted part of the internet often associated with illegal activities. These credentials might be available due to previous data breaches or through other means. Acquiring credentials in this way would likely leave no trace in the VPN’s logs, as the attacker would simply log in using valid credentials.

Logging within Cisco’s ASA

Logging is a crucial part of cybersecurity that involves recording events happening within a system. In the reported attack scenarios, the logging was not configured in the affected Cisco’s ASAs. This has made it challenging to determine precisely how the Akira ransomware attackers were able to access the VPNs. The absence of detailed logs leaves gaps in understanding, hindering a clear analysis of the attack method.

To set up logging on a Cisco ASA you can easily access the command-line interface (CLI) and use the logging enable, logging host, and logging trap commands to specify the logging server, severity levels, and other parameters. Sending logging data to a remote syslog server is recommended. This enables improved correlation and auditing of network and security incidents across various network devices.

Refer to the Guide to Secure the Cisco ASA Firewall to get detailed information about best practices to configure logging and secure a Cisco ASA.

Additional Forensics Guidance for Incident Responders

Refer to the Cisco ASA Forensics Guide for First Responders to obtain instructions on how to collect evidence from Cisco ASA devices. The document lists different commands that can be executed to assemble evidence for a probe, along with the corresponding output that needs to be captured when these commands are run. In addition, the document explains how to conduct integrity checks on the system images of Cisco ASA devices and details a method for gathering a core file or memory dump from such a device.

Cisco will remain vigilant in monitoring and investigating these activities and will update customers with any new findings or information.

---

We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn