Aug 22, 2023 - Akira ransomware targets Cisco VPNs to breach organizations
Aug 30, 2023 - Hacking campaign bruteforces Cisco VPNs to breach networks
Sep 8, 2023 - Cisco warns of VPN zero-day exploited by ransomware gangs
Cisco is warning of a CVE-2023-20269 zero-day vulnerability in its Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) that is actively exploited by ransomware operations to gain initial access to corporate networks.
The vulnerability allows two possible scenarios:
1. an unauthenticated, remote attacker conducting a brute force attack to identify valid username and password combinations for unauthorized remote access VPN sessions,
2. or an authenticated, remote attacker establishing a clientless SSL VPN session with an unauthorized user (only applicable on Cisco ASA Software Release 9.16 or earlier).
Cisco has yet to address CVE-2023-20269, waiting for a fix the company recommends:
1. Use dynamic access policy (DAP) to terminate VPN tunnel establishment when the DefaultADMINGroup or DefaultL2LGroup connection profile/tunnel group is used.
2. Deny Remote Access VPN Using the Default Group Policy (DfltGrpPolicy). When the DfltGrpPolicy is not expected to be used for remote access VPN policy assignment, administrators can prevent remote access VPN session establishment using the DefaultADMINGroup or DefaultL2LGroup connection profiles/tunnel groups by setting the vpn-simultaneous-logins option for the DfltGrpPolicy to zero.
3. Restrict Users in the LOCAL User Database.
4. Lock Users to a Specific Connection Profile/Tunnel Group Only
5. Prevent Users from Establishing Remote Access VPN Sessions
SOC check log on SIEM:
Login attempts with invalid username/password (%ASA-6-113015)
%ASA-6-113015: AAA user authentication Rejected: reason = reason : local database: user = user: user IP = xxx.xxx.xxx.xxx
Remote access VPN session creation attempts for unexpected connection profiles/tunnel groups (%ASA-4-113019, %ASA-4-722041, or %ASA-7-734003)
Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Remote Access VPN Unauthorized Access Vulnerability : https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ravpn-auth-8LyfCkeC