Rapid7 observed increased threat activity targeting Cisco ASA SSL VPN appliances since March 2023, including credential stuffing and brute-force attempts, frequently against appliances where MFA was not enabled or not enforced for all users. Several intrusions culminated in ransomware deployments by the Akira and LockBit groups across multiple sectors. #CiscoASA #SSLVPN #Akira #LockBit #AnyDesk #NTDS #Bassterlord
Keypoints
- Rapid7 identified at least 11 customers with Cisco ASA-related intrusions between March 30 and August 24, 2023.
- Threat actors used credential stuffing and brute-force attacks against ASA VPNs, often where MFA was not enabled or enforced for all users.
- Attackers commonly used weak or default credentials and standard login usernames (e.g., admin, test, cisco) to gain access.
- Post-authentication activity included deploying set.bat to install AnyDesk, followed by NTDS.DIT/SAM/SYSTEM credential dumps and broader lateral movement.
- Several intrusions culminated in Akira or LockBit ransomware deployment across victim environments.
- Dark web activity linked the threat actor Bassterlord to the sale of SSL VPN intrusion guidance; a leaked manual claimed thousands of VPNs compromised with simple credentials.
- Mitigation emphasizes MFA enforcement, disabling default accounts, enabling VPN logging, and applying relevant patches (CVE-2023-20269).
MITRE Techniques
- [T1133] External Remote Services – Targeting Cisco ASA SSL VPN appliances (physical and virtual) to gain remote access. “targeting Cisco ASA SSL VPN appliances (physical and virtual) dating back to at least March 2023.”
- [T1110] Brute Force – Credential stuffing and brute-force attempts on VPN logins with weak/default credentials. “adversaries have conducted credential stuffing attacks that leveraged weak or default passwords … brute-force attacks on ASA appliances where multi-factor authentication (MFA) was either not enabled or was not enforced for all users.”
- [T1078] Valid Accounts – Use of legitimate user accounts to authenticate into internal systems; in some intrusions the attackers authenticated successfully on the first try, suggesting previously obtained credentials. “accounts used to authenticate into internal systems … attackers successfully authenticated on the first try.”
- [T1219] Remote Access Software – Post-authentication installation of AnyDesk to maintain remote access and support lateral movement. “installation and execution of the remote desktop application AnyDesk.”
- [T1059.003] Windows Command Shell – Execution of set.bat to deploy tools (AnyDesk). “Execution of set.bat resulted in the installation and execution of the remote desktop application AnyDesk…”
- [T1003.003] NTDS – Credential dumping from Active Directory databases. “nd.exe was executed on systems to dump NTDS.DIT, as well as the SAM and SYSTEM hives.”
- [T1046] Network Service Discovery – Use of SoftPerfect Network Scanner to assist discovery. “Process Spawned By SoftPerfect Network Scanner.”
Indicators of Compromise
- [IP Address] – IPs associated with source authentication events to internal assets and outbound AnyDesk connections: 161.35.92.242, 176.124.201.200
- [Hostname] – Windows client name observed connecting during the intrusions: WIN-R84DEUE96RB
- [File Name] – Execution and tooling artifacts: set.bat, nd.exe, NTDS.DIT, SAM, SYSTEM, AnyDesk
- [Username] – Accounts used for login attempts: TEST, CISCO, SCANUSER, PRINTER (and other common login names)
- [Log/Event] – Log-based indicators: rejected authentications with an invalid username or password (%ASA-6-113015) and remote-access VPN session events that reveal which logins succeeded and established sessions (%ASA-4-113019, %ASA-4-722041, %ASA-7-734003)
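The following is an added triage example, not code from the Rapid7 report, showing how the log-based indicators above can be turned into a detection: it parses ASA syslog lines, counts %ASA-6-113015 rejections per source IP, flags sources that cycle through the common usernames listed in the IoCs, and correlates a later %ASA-4-722041 session event from the same IP as a probable successful compromise. The log lines are constructed, and the field layouts for 113015 and 722041 are approximated from Cisco's syslog message documentation; the thresholds, the WATCHLIST_USERS set and the tag names are assumptions to tune against real appliance output.

```python
"""Triage Cisco ASA syslog for VPN brute-force / credential-stuffing activity.

Added example (not from the Rapid7 report). Log lines are constructed and the
%ASA-6-113015 / %ASA-4-722041 field layouts are approximations: verify them
against your own appliance before deploying.
"""
import re
from collections import defaultdict

# Common login names from the report's IoC list; compared case-insensitively.
WATCHLIST_USERS = {"admin", "test", "cisco", "scanuser", "printer"}

# %ASA-6-113015: AAA user authentication Rejected : reason = <r> : server = <ip> : user = <u> : user IP = <ip>
REJECTED = re.compile(
    r"%ASA-6-113015: AAA user authentication Rejected : reason = (?P<reason>.+?) : "
    r"server = (?P<server>\S+) : user = (?P<user>\S+) : user IP = (?P<ip>\S+)"
)
# %ASA-4-722041: TunnelGroup <tg> GroupPolicy <gp> User <u> IP <ip> No IPv6 address available for SVC connection
SVC_CONNECT = re.compile(
    r"%ASA-4-722041: TunnelGroup (?P<tg>\S+) GroupPolicy (?P<gp>\S+) User (?P<user>\S+) IP (?P<ip>\S+)"
)

# Constructed sample: one attacker IP spraying common names, then landing a real
# account; one legitimate user who mistypes a password once and then connects.
SAMPLE_LOGS = [
    "Aug 20 2023 03:10:01 asa01 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = admin : user IP = 203.0.113.10",
    "Aug 20 2023 03:10:02 asa01 %ASA-6-113015: AAA user authentication Rejected : reason = User was not found : server = 10.0.0.5 : user = TEST : user IP = 203.0.113.10",
    "Aug 20 2023 03:10:03 asa01 %ASA-6-113015: AAA user authentication Rejected : reason = User was not found : server = 10.0.0.5 : user = CISCO : user IP = 203.0.113.10",
    "Aug 20 2023 03:10:04 asa01 %ASA-6-113015: AAA user authentication Rejected : reason = User was not found : server = 10.0.0.5 : user = scanuser : user IP = 203.0.113.10",
    "Aug 20 2023 03:10:05 asa01 %ASA-6-113015: AAA user authentication Rejected : reason = User was not found : server = 10.0.0.5 : user = printer : user IP = 203.0.113.10",
    "Aug 20 2023 03:10:09 asa01 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jsmith : user IP = 203.0.113.10",
    "Aug 20 2023 03:10:11 asa01 %ASA-4-722041: TunnelGroup RA_VPN GroupPolicy GP_USERS User jsmith IP 203.0.113.10 No IPv6 address available for SVC connection",
    "Aug 20 2023 08:02:40 asa01 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jdoe : user IP = 198.51.100.7",
    "Aug 20 2023 08:02:55 asa01 %ASA-4-722041: TunnelGroup RA_VPN GroupPolicy GP_USERS User jdoe IP 198.51.100.7 No IPv6 address available for SVC connection",
]


def analyze(lines, fail_threshold=5, spray_threshold=3, min_failures_before_success=2):
    """Return {source_ip: finding} for source IPs whose activity matches the pattern.

    Tags (assumed names): brute-force (many rejections), credential-stuffing (many
    distinct usernames), watchlist-username (names from the IoC list), and
    success-after-failures (a 722041 session follows >= min_failures_before_success
    rejections, so a single typo followed by a normal login is not flagged).
    """
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "watchlist": set(), "success_user": None})
    for line in lines:
        m = REJECTED.search(line)
        if m:
            s = stats[m["ip"]]
            s["failures"] += 1
            s["users"].add(m["user"])
            if m["user"].lower() in WATCHLIST_USERS:
                s["watchlist"].add(m["user"])
            continue
        m = SVC_CONNECT.search(line)
        # Only a session that follows earlier rejections from the same IP is interesting here.
        if m and m["ip"] in stats and stats[m["ip"]]["failures"] >= min_failures_before_success:
            stats[m["ip"]]["success_user"] = m["user"]

    findings = {}
    for ip, s in stats.items():
        tags = []
        if s["failures"] >= fail_threshold:
            tags.append("brute-force")
        if len(s["users"]) >= spray_threshold:
            tags.append("credential-stuffing")
        if s["watchlist"]:
            tags.append("watchlist-username")
        if s["success_user"]:
            tags.append("success-after-failures")
        if tags:
            findings[ip] = {
                "tags": tags,
                "failures": s["failures"],
                "users": sorted(s["users"]),
                "compromised_user": s["success_user"],
            }
    return findings


if __name__ == "__main__":
    for ip, f in analyze(SAMPLE_LOGS).items():
        print(ip, f["tags"], "failures=%d" % f["failures"], "compromised_user=%s" % f["compromised_user"])
```

The "success-after-failures" tag is the one worth paging on: a source that walks through generic account names and then establishes a session has almost certainly landed valid credentials, which matches the first-try authentications and the post-authentication AnyDesk installs described above. Feed it the 113015 and 722041 lines from your syslog collector (logging must actually be enabled on the ASA, per the mitigation list) and add %ASA-4-113019 handling if you also want session duration and disconnect reasons.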