Attackers are actively targeting Cisco ASA VPNs. Here's what you need to know.
Cisco announced that a previously unknown vulnerability was being exploited by ransomware groups against Cisco VPNs. There is not yet a security patch for the vulnerability; however, multi-factor authentication (MFA) is effective at mitigating these attacks. There is not yet a security patch but Cisco has recommended some workarounds in the interim.
Corvus Insurance has become aware that threat actors are targeting Cisco ASA SSL-VPN devices. These attacks are resulting in enterprise-wide ransomware such as Akira and LockBit. We recommend organizations using Cisco VPNs immediately enforce multi-factor authentication (MFA) for all user accounts on the VPN device.
Attackers are using credential stuffing attacks leveraging weak or default passwords or are employing brute-force tactics against devices without MFA or where MFA was not enabled on every account. These attacks don’t appear to be targeting any particular industries and seem to be purely opportunistic.
Next steps for Cisco customers:
- Ensure MFA is enabled on every VPN account.
- Enforce strict password policies including length and complexity requirements.
- Check Cisco documentation for workarounds until a security patch is released.