cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2133
Views
4
Helpful
3
Replies

Cisco VPN ransomware Akira

secureB00T
Level 1
Level 1

Has anyone been updated or made aware of the Akira ransomware that is found to target VPN clients, and more specifically, Cisco VPN?  Supposedly Akira was first noticed abusing VPN clients back in May, but was wondering if this is related to this advisory (https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-ac-csc-privesc-wx4U4Kw.html)

If anyone has any information so we can share with the community or at least spread the information, please share:

  • what software and versions are affected? 
  • is this just for VPN clients for end users?
  • Is it for all VPN clients (not just Cisco)?

Supposedly it is taking advantage of VPN clients without a MFA solution in place, which stresses the importance of MFA.  

Thanks in advance. 

3 Replies 3

mil
Level 1
Level 1

Hello @secureB00T 

Tried to analyze this problem a little more. the akira group has attacked officially about 89 companies so far

here is a list of affected companies parsed per country

Argentina 1 Australia 1 Bangladesh 1 Canada 6 India 1 Nicaragua 1 Portugal 1 Saudi Arabia 1 South Africa 1 Sweden 1 Switzerland 1 UK 3 USA 70

  1.  of those 89 companies there is 80 urls with vpn.* which can be found using various available tools
  2. it is also possible to detect different user groups
  3. many vpn domains are now off (probably due to attacks or firewalls) but there are some that are still on and do not have geo location protection and even after  attacks are available for access from anywhere.
  4. all available vpn belong to Cisco ASA SSL VPN
  5. Tried to login with a fake account and the time block does not exist after some time and entering an incorrect name.
  6. Many employees were mentioned in various breached dbs, which opens up the possibility of brute force and password reuse
  7. ....etc

secureB00T
Level 1
Level 1

So the best option is to turn off VPN altogether?  From my understanding, as long as there's MFA, access should be audited and monitored, also enabling firewall whitelisting and geo location blocking.  I can see why if there's single factor authentication, one might turn it off as there's no way to check for brute force attacks.  or is there?

If you don't mind me asking, what tools or resources did you use to verify that domains have their VPNs off now?