Arctic Wolf has been tracking multiple intrusions where Cisco VPN account credentials were harnessed by Akira ransomware for initial access. In a recent Cisco PSIRT advisory, Cisco stated they were aware of reports that Akira ransomware threat actors have been targeting Cisco VPNs that are not configured for multi-factor authentication to infiltrate organizations. Our case data supports the observation that affected accounts did not have MFA enabled.
Akira ransomware is a relatively new variant, having emerged in March 2023, and some of the threat actors using the variant have been linked to the now defunct Conti ransomware. In contrast with other ransomware variants, a large portion of the victimology were focused on small to medium-sized businesses, demonstrating the opportunistic nature of threat activity associated with this variant.
Although we are not able to determine how the threat actors obtained the compromised Cisco VPN credentials, compiled lists of compromised credentials are frequently made available for purchase on the dark web. It is also possible that threat actors are using brute force attacks against Cisco VPN appliances. For these reasons it is important to have multi-factor authentication enabled to protect against these types of threats.
For any organizations using Cisco VPN products, Arctic Wolf strongly recommends enabling multi-factor authentication against all VPN accounts to protect against these types of attacks. Weak passwords present an opportunity for ransomware groups to gain initial access to corporate environments, potentially allowing for further privilege escalation and lateral movement once access is gained.
Arctic Wolf has MDR detections in place to identify brute force attacks against Cisco ASA appliances hosting VPN services, and various other actions typically performed by ransomware threat actors.
Additionally, Arctic Wolf supports an integration with Cisco ASA VPN logs to monitor these logs for malicious activity. Customers can configure this integration by following our guide here: https://docs.arcticwolf.com/syslog/cisco_syslog.html