TekStream Security Bulletin: Akira on Cisco Adaptive Security Appliance (ASA) VPN

By Bryan Bollou, Team Lead, CyberSecurity Engineering

Purpose of TekStream Security Bulletins

With the TekStream Security Bulletin, we are presenting some specific detection use cases using everyone’s favorite SIEM, Splunk. We’ve cherry-picked vulnerabilities that are not only intriguing but also directly impactful for our valued clients. These vulnerabilities were chosen based on a multitude of factors, ranging from the technology in the crosshairs to the specific sectors being targeted. This is not a blog post to fully explain or give recommendations on remediating the vulnerability – this has been discussed at length by various resources. The goal here is to aggregate the detections to maximize your chances of detecting an attempt to exploit these vulnerabilities. A part of that is gathering the list of IOCs scattered in multiple locations on the internet and looking at activity that could point to the vulnerability being exploited. Here at TekStream, we have an amazing team of cybersecurity engineers armed with a deep knowledge of logs and the secrets they hold, ready to fortify your cyber resiliency.

Introduction

Starting from early April 2023, there have been documented instances of intrusions related to Cisco Adaptive Security Appliance (ASA) Virtual Private Networks (VPNs). In May, Sophos was the first to identify that the ransomware group “Akira” exploited default VPN accounts to infiltrate networks lacking MFA protection.

This threat stems primarily from default accounts, weak credentials, and the absence of a second authentication factor for all users. Researchers who have mapped Akira’s pattern report that a ransomware deployment typically follows the network intrusion. Addressing this matter is crucial, given that numerous clients rely on Cisco ASA VPNs, and our utmost priority is to ensure their security.

Threat Overview

Cisco has acknowledged this activity and published mitigation steps to prevent it.

These steps include:

  • Disable default accounts or reset their passwords.
  • Enforce MFA for all VPN users, minimizing exceptions.
  • Enable VPN logging, following Cisco’s guidance for ASA and forensic evidence collection.
  • Monitor VPN logs for unauthorized authentication attempts.
  • Watch for failed authentications, detecting brute force or password spraying.
  • Stay up to date with security patches for VPNs, virtual desktop infrastructure, and gateway devices as a best practice.

Cisco’s guidance covers the basics well; below we add a few more specific detection cases using everyone’s favorite SIEM, Splunk.

This is not a blog post to fully explain the attack or give remediation recommendations; that has been covered at length by resources such as Rapid7 (see References).

The goal here is to aggregate the detections to maximize your chances of catching this attack. Part of that is gathering the IOCs scattered across multiple locations on the internet and looking at activity that could point to a Cisco ASA VPN being exploited. Here at TekStream, we have several security engineers who know their clients’ logs intimately.

In this blog post, we go through the steps of Akira’s (and other groups’) Cisco ASA VPN exploitation and how to detect each one. For each step we provide two forms of search: a search against the raw data source (Cisco ASA syslog or Windows event logs) that adds context, and a generic “tstats” search against the relevant CIM data model, which takes advantage of data model acceleration to quickly find events matching our IOC list. There will be a wide variety of specific searches, as each client has their own technologies. To get help building detections for your specific environment, fill in the form below and get access to our Splunk/security expertise.

Note: The follow-up of the initial access attack is normally the deployment of various ransomware to infect a victim’s system. Detecting this part is not covered in this blog post. Reach out to TekStream by filling out the form below if you’d like specific guidance on that aspect.

The following detection steps mirror the stages and TTP-related indicators used in the attack:

  1. Connection attempts from malicious IPs to the Cisco ASA VPN
  2. Requests for the Cisco ASA clientless SSL VPN (WebVPN) logon URL path (+CSCOE+/logon.htm), which brute-force tooling targets
  3. Connection attempts to log in to the CISCO ASA VPN with often-used account names
  4. Process execution of set.bat and nd.exe files to expose more credentials and enable lateral movement of the threat actor
  5. Connection attempt to the domains of AnyDesk or RustDesk as a remote access tool for the threat actor to continue their exploitation of the victim network
  6. Connection attempts to authenticate to/from Windows machines with a specific naming convention (“WIN-*”) on a client’s user VPN network

Threat Implication

  • Environments utilizing CISCO ASA VPNs become targets of interest for Akira and various APTs seeking unauthorized access. This is especially true for environments lacking MFA enforcement during VPN logins or having MFA exceptions for specific users.
  • Most adversaries employ tactics such as brute force, password spraying, and credential stuffing to exploit weak or default passwords. Additionally, other threat actors have been observed procuring exposed credentials from illicit online markets.
  • The APTs under scrutiny include the Akira and LockBit ransomware groups. Both have been noted for concluding their attacks with the deployment of ransomware.
  • Within the attack lifecycle, Akira and LockBit have leveraged legitimate, open-source remote access tools such as RustDesk and AnyDesk to navigate within compromised environments.

Threat Detection

Step 1
Known threat groups have exploited these Cisco ASA VPN weaknesses, and the IP addresses they used have been captured. The first step in detecting potential exploitation attempts is to look for connection attempts from these malicious IPs to the Cisco ASA VPN.

Note: This CSV file lists all of the IP addresses below, along with the other Indicators of Compromise (IOCs), consolidated for export into a lookup for notable detections.

SPL – Using the Cisco ASA Data Source:

index=cisco* sourcetype=cisco:asa eventtype=cisco_vpn* src_ip IN ("176.124.201.200","162.35.92.242","161.35.92.242","173.208.205.10","185.157.162.21","185.193.64.226","149.93.239.176","158.255.215.236","95.181.150.173","94.232.44.118","194.28.112.157","5.61.43.231","5.183.253.129","45.80.107.220","193.233.230.161","149.57.12.131","149.57.15.181","193.233.228.183","45.66.209.122","95.181.148.101","193.233.228.86","144.217.86.109","31.184.236.63","31.184.236.71","31.184.236.79","194.28.112.149","62.233.50.19","194.28.112.156","45.227.255.51","185.92.72.135","80.66.66.175","62.233.50.11","62.233.50.13","194.28.115.124","62.233.50.81","152.89.196.185","91.240.118.9","185.81.68.45","152.89.196.186","185.81.68.46","185.81.68.74","62.233.50.25","62.233.50.17","62.233.50.23","62.233.50.101","62.233.50.102","62.233.50.95","62.233.50.103","92.255.57.202","91.240.118.5","91.240.118.8","91.240.118.7","91.240.118.4","45.227.252.237","147.78.47.245","46.161.27.123","94.232.43.143","94.232.43.250","80.66.76.18","94.232.42.109","179.60.147.152","185.81.68.197","185.81.68.75") | table _time, Cisco_ASA_action, Cisco_ASA_message_id, Cisco_ASA_user, src_ip, dest_ip, direction, signature

SPL 2 – Using Network Traffic Data Model:

| tstats `summariesonly` latest(_time) as _time, sum("All_Traffic.bytes") as bytes, values("All_Traffic.src_port") as src_port, values("All_Traffic.transport") as transport, values("All_Traffic.dest_port") as dest_port from datamodel="Network_Traffic"."All_Traffic" where (All_Traffic.src IN ("176.124.201.200","162.35.92.242","161.35.92.242","173.208.205.10","185.157.162.21","185.193.64.226","149.93.239.176","158.255.215.236","95.181.150.173","94.232.44.118","194.28.112.157","5.61.43.231","5.183.253.129","45.80.107.220","193.233.230.161","149.57.12.131","149.57.15.181","193.233.228.183","45.66.209.122","95.181.148.101","193.233.228.86","144.217.86.109","31.184.236.63","31.184.236.71","31.184.236.79","194.28.112.149","62.233.50.19","194.28.112.156","45.227.255.51","185.92.72.135","80.66.66.175","62.233.50.11","62.233.50.13","194.28.115.124","62.233.50.81","152.89.196.185","91.240.118.9","185.81.68.45","152.89.196.186","185.81.68.46","185.81.68.74","62.233.50.25","62.233.50.17","62.233.50.23","62.233.50.101","62.233.50.102","62.233.50.95","62.233.50.103","92.255.57.202","91.240.118.5","91.240.118.8","91.240.118.7","91.240.118.4","45.227.252.237","147.78.47.245","46.161.27.123","94.232.43.143","94.232.43.250","80.66.76.18","94.232.42.109","179.60.147.152","185.81.68.197","185.81.68.75") OR All_Traffic.dest IN ("176.124.201.200","162.35.92.242","161.35.92.242","173.208.205.10","185.157.162.21","185.193.64.226","149.93.239.176","158.255.215.236","95.181.150.173","94.232.44.118","194.28.112.157","5.61.43.231","5.183.253.129","45.80.107.220","193.233.230.161","149.57.12.131","149.57.15.181","193.233.228.183","45.66.209.122","95.181.148.101","193.233.228.86","144.217.86.109","31.184.236.63","31.184.236.71","31.184.236.79","194.28.112.149","62.233.50.19","194.28.112.156","45.227.255.51","185.92.72.135","80.66.66.175","62.233.50.11","62.233.50.13","194.28.115.124","62.233.50.81","152.89.196.185","91.240.118.9","185.81.68.45","152.89.196.186","185.81.68.46","185.81.68.74","62.233.50.25","62.233.50.17","62.233.50.23","62.233.50.101","62.233.50.102","62.233.50.95","62.233.50.103","92.255.57.202","91.240.118.5","91.240.118.8","91.240.118.7","91.240.118.4","45.227.252.237","147.78.47.245","46.161.27.123","94.232.43.143","94.232.43.250","80.66.76.18","94.232.42.109","179.60.147.152","185.81.68.197","185.81.68.75")) by "All_Traffic.action", "All_Traffic.src", "All_Traffic.dest", "All_Traffic.user" | `drop_dm_object_name("All_Traffic")` | table _time, action, src, src_port, dest, transport, dest_port, user, bytes

Step 2
As observed by multiple researchers, attackers make connection attempts to the Cisco ASA clientless SSL VPN (WebVPN) logon page, whose URL path (+CSCOE+/logon.htm) is what brute-force tooling targets. Every legitimate WebVPN login requests the same path, so the signal is in the volume and origin of the requests rather than the path itself; pair this search with the Step 1 IP list or add a count by src.

Actions to Detect:

Attempts to hit URLs ending in the following;
+CSCOE+/logon.htm

SPL - Using Web Datamodel:
| tstats `summariesonly` sum("Web.bytes") as bytes, values("Web.http_content_type") as http_content_type, values("Web.http_method") as http_method, values("Web.http_user_agent") as http_user_agent, values("Web.status") as status from datamodel="Web"."Web" where Web.url="*+CSCOE+/logon.htm*" by "Web.src", "Web.dest", "Web.user", "Web.url", _time | `drop_dm_object_name("Web")` | fields _time, src, dest, user, url, http_content_type, http_method, http_user_agent, status, bytes

Step 3
Many attackers utilize strategies like brute force attacks, password spraying, and credential stuffing to exploit vulnerabilities associated with weak or default passwords. Detecting connection attempts to log in to the CISCO ASA VPN with often-used account names could be evidence of attempting exploitation.

Actions to Detect:

Note: This CSV file listing includes all the mentioned usernames, along with other Indicators of Compromise (IOCs), conveniently consolidated for streamlined export into a lookup for notable detections.

SPL – Using the Cisco ASA Data Source:

index=cisco* sourcetype=cisco:asa eventtype=cisco_vpn* Cisco_ASA_user IN ("TEST","CISCO","SCANUSER","PRINTER","admin","adminadmin","backupadmin","kali","cisco","guest","accounting","developer","ftp user","training","test","printer","echo","security","inspector","test test","snmp")|  table _time, Cisco_ASA_action, Cisco_ASA_message_id, Cisco_ASA_user, src_ip, dest_ip, direction, signature

SPL 2 – Using the Authentication Data Model:

| tstats `summariesonly` latest(_time) as _time, values(Authentication.src_user_id) as src_user_id, values(Authentication.src_user_role) as src_user_role, values(Authentication.user_id) as user_id, values(Authentication.user_role) as user_role, values(Authentication.vendor_account) as vendor_account, values(Authentication.authentication_method) as authentication_method from datamodel="Authentication"."Authentication" where Authentication.user IN ("TEST","CISCO","SCANUSER","PRINTER","admin","adminadmin","backupadmin","kali","cisco","guest","accounting","developer","ftp user","training","test","printer","echo","security","inspector","test test","snmp") by "Authentication.action", "Authentication.app", "Authentication.src", "Authentication.src_user", "Authentication.dest", "Authentication.user" | `drop_dm_object_name("Authentication")` | fields _time, action, app, src, src_user, src_user_id, src_user_role, dest, user, user_id, user_role, vendor_account, authentication_method

In the CIM Authentication data model the account being authenticated is Authentication.user; Authentication.src_user is only populated for privilege-escalation style events where one user acts as another, so the account-name filter has to go on user.
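As an added illustration (this is not TekStream’s code, nor anything from the referenced reports), the following Python runs the Step 1 and Step 3 checks, plus the brute-force versus password-spray distinction from the Threat Overview list, over raw Cisco ASA syslog lines, the way you would in a quick triage script outside Splunk. The IOC IPs and account names are small subsets of the lists above; the message syntax assumed for ASA 113005/113015/113039 is written from memory and should be checked against your own ASA syslog; the sample log lines are constructed.

```python
"""Added example: Step 1 / Step 3 logic and brute-force vs. spray checks over
raw Cisco ASA syslog lines. Not TekStream's or Cisco's code."""
import re
from collections import defaultdict

# Small subset of the Step 1 IOC list; the full list belongs in a lookup.
IOC_IPS = {"185.81.68.45", "62.233.50.19", "94.232.43.143"}
# Subset of the Step 3 account names, compared case-insensitively.
COMMON_USERS = {"admin", "test", "cisco", "guest", "backupadmin", "printer", "snmp"}

# Patterns modelled on ASA message IDs 113005/113015 (AAA authentication
# rejected) and 113039 (AnyConnect session started). The exact message text
# is an assumption here; verify it against your own ASA output.
REJECT_RE = re.compile(
    r"%ASA-6-1130(?:05|15): AAA user authentication Rejected.*?"
    r"user = (?P<user>.+?) : user IP = (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)
SESSION_RE = re.compile(
    r"%ASA-6-113039: Group <(?P<group>[^>]+)> User <(?P<user>[^>]+)> "
    r"IP <(?P<ip>[^>]+)> AnyConnect parent session started"
)


def parse_asa_line(line):
    """Return {'result', 'user', 'ip'} for an authentication event, else None."""
    m = REJECT_RE.search(line)
    if m:
        return {"result": "failure", "user": m["user"].strip(), "ip": m["ip"]}
    m = SESSION_RE.search(line)
    if m:
        return {"result": "success", "user": m["user"].strip(), "ip": m["ip"]}
    return None  # connection build/teardown and other non-auth messages


def analyze(lines, ioc_ips=IOC_IPS, common_users=COMMON_USERS,
            brute_threshold=5, spray_threshold=3):
    """Return the findings a SIEM rule for Steps 1 and 3 would raise on a batch."""
    failures = defaultdict(lambda: defaultdict(int))  # ip -> user -> failed count
    findings = {"ioc_ip": set(), "common_user": [], "brute_force": [],
                "password_spray": [], "success_after_failure": []}
    for line in lines:
        ev = parse_asa_line(line)
        if ev is None:
            continue
        if ev["ip"] in ioc_ips:                      # Step 1: known bad source
            findings["ioc_ip"].add(ev["ip"])
        if ev["user"].lower() in common_users:       # Step 3: default/common account
            findings["common_user"].append((ev["ip"], ev["user"]))
        if ev["result"] == "failure":
            failures[ev["ip"]][ev["user"]] += 1
        elif ev["ip"] in failures:                   # success after earlier failures
            findings["success_after_failure"].append((ev["ip"], ev["user"]))
    for ip, by_user in failures.items():
        for user, n in by_user.items():
            if n >= brute_threshold:                 # one account, many tries
                findings["brute_force"].append((ip, user, n))
        if len(by_user) >= spray_threshold:          # many accounts, one source
            findings["password_spray"].append((ip, len(by_user)))
    findings["ioc_ip"] = sorted(findings["ioc_ip"])
    return findings


def _rejected(user, ip, local=True):
    """Build a constructed 113015 (local DB) or 113005 (AAA server) reject line."""
    msg_id, server = ("113015", "local database") if local else ("113005", "server = 10.0.0.5")
    return (f"%ASA-6-{msg_id}: AAA user authentication Rejected : reason = Invalid password"
            f" : {server} : user = {user} : user IP = {ip}")


# Constructed sample log: an IOC IP brute-forcing "admin", a second source
# spraying several accounts and then succeeding, one harmless typo, and one
# unrelated connection message that the parser must ignore.
SAMPLE_LOG = (
    [_rejected("admin", "185.81.68.45") for _ in range(6)]
    + [_rejected(u, "198.51.100.7", local=False) for u in ("test", "cisco", "guest", "jsmith")]
    + ["%ASA-6-113039: Group <DfltGrpPolicy> User <jsmith> IP <198.51.100.7> "
       "AnyConnect parent session started."]
    + [_rejected("alice", "192.0.2.10")]
    + ["%ASA-6-302013: Built inbound TCP connection 4711 for outside:198.51.100.7/51022 "
       "(198.51.100.7/51022) to identity:203.0.113.1/443 (203.0.113.1/443)"]
)

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The thresholds are deliberately low for the sample; in production tune them per VPN head-end, and treat the “success after failures” finding as the one to page on, since it is the moment the attacker moves from guessing to having a foothold.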

Step 4
Upon successful internal authentication, threat actors deployed “set.bat,” installing and activating AnyDesk with a preset password, “greenday#@!”. They also executed “nd.exe” on some systems to access additional credentials. These actors then moved laterally and executed files on other systems, often concluding with the deployment of Akira or LockBit ransomware.

Actions to Detect:
An attempt to execute the following processes;
set.bat
nd.exe

SPL – Using the Endpoint Data Model:

| tstats `summariesonly` latest(_time) as _time, values(Processes.user) as user, values(Processes.process) as process, latest(Processes.parent_process) as parent_process, latest(Processes.parent_process_exec) as parent_process_exec, latest(Processes.parent_process_guid) as parent_process_guid, latest(Processes.parent_process_id) as parent_process_id, latest(Processes.parent_process_path) as parent_process_path, latest(Processes.process_path) as process_path, latest(Processes.process_exec) as process_exec, latest(Processes.process_guid) as process_guid, latest(Processes.process_id) as process_id, latest(Processes.process_hash) as process_hash from datamodel="Endpoint"."Processes" where (Processes.process_name="nd.exe" OR Processes.process="*nd.exe*" OR Processes.process="*set.bat*") by Processes.dest, Processes.process_name, Processes.parent_process_name | `drop_dm_object_name("Processes")` | fields _time, dest, user, process_name, process, process_hash, process_path, process_exec, process_id, process_guid, parent_process, parent_process_name, parent_process_path, parent_process_exec, parent_process_guid, parent_process_id

A batch file does not show up as its own process: set.bat runs under cmd.exe, so process_name will be cmd.exe and the script name only appears in the command line (process), which is why the search matches the command line as well as the executable name. Both file names are generic, so use the hash and parent process returned here to confirm a hit before escalating.

Step 5
This step involves detecting outbound connection attempts to anydesk.com and/or rustdesk.com from the client’s environment. Such software is used by the APTs as a foothold in a client’s environment for further exploitation. This is especially important for environments that have strong application policies that don’t allow unapproved applications to be installed. This detection is not as useful if either of these products is used in a client’s environment.

Actions to Detect:
Detect outbound connection attempts to the following domains and their subdomains;
anydesk.com
rustdesk.com

SPL- Using the Web Data Model:

| tstats `summariesonly` sum("Web.bytes") as bytes, values("Web.http_content_type") as http_content_type, values("Web.http_method") as http_method, values("Web.http_user_agent") as http_user_agent, values("Web.status") as status from datamodel="Web"."Web" where Web.url IN ("*anydesk.com*", "*rustdesk.com*") by "Web.src", "Web.dest", "Web.user", "Web.http_referrer", "Web.url", _time | `drop_dm_object_name("Web")` | where match(url, "(?i)(anydesk|rustdesk)\.com") | fields _time, src, dest, user, http_referrer, url, http_content_type, http_method, http_user_agent, status, bytes | eval ip_pair = src . " - " . dest | stats values(_time) as Time, values(ip_pair) as src_dest, values(user) as user, values(http_referrer) as http_referrer, values(http_user_agent) as http_user_agent, values(http_method) as http_method, values(status) as status, values(bytes) as bytes, count by url

SPL 2 – Using the Network Resolution Data Model:

| tstats `summariesonly` latest(_time) as _time, values("DNS.dest") as dest, values("DNS.query") as query, sum("DNS.query_count") as query_count, values("DNS.message_type") as message_type, values("DNS.answer") as answer, values("DNS.reply_code") as reply_code from datamodel="Network_Resolution"."DNS" where DNS.query IN ("anydesk.com", "*.anydesk.com", "rustdesk.com", "*.rustdesk.com") by "DNS.src" | `drop_dm_object_name("DNS")` | table _time, src, dest, query, query_count, message_type, answer, reply_code | fieldformat _time = strftime(_time, "%m/%d/%Y %T")

The client software talks to subdomains (download, relay and API hosts) rather than the bare apex domain, so an exact match on anydesk.com or rustdesk.com would miss most of the traffic; the wildcard entries cover the subdomains, and grouping by DNS.src gives you the internal host that made the lookup.

Step 6
Researchers observed that, after getting into a Cisco VPN, Akira and other groups attempted to authenticate to internal machines for lateral movement, and the source hosts seen in those attempts carried Windows default machine names of the form WIN-<random>. Authentication attempts to or from hosts named “WIN-*” arriving over a client’s user VPN network may therefore be evidence of this activity. WIN-* is the host name Windows generates when none is set, so scope the search to the VPN client address pool (or to hosts absent from your asset inventory) to keep false positives down.

Actions to Detect:
The following Windows Event Codes;
4624 – “An account was successfully logged on.”
4625 – “An account failed to log on.”

The following machines names attempting authentication;
WIN-*
WIN-R84DEUE96RB

SPL – Using the Windows Event Log Data Source:

index=wineventlog EventCode IN ("4624","4625") (Workstation_Name="WIN-*" OR ComputerName="WIN-*")
| table _time, name, EventCode, ComputerName, Workstation_Name, Source_Network_Address, user, status

Workstation_Name is the host the logon attempt came from and ComputerName is the host that logged the event, so the search checks both sides; "WIN-*" already covers WIN-R84DEUE96RB.

SPL 2 – Using the Authentication Data Model:

| tstats `summariesonly` latest(_time) as _time, values(Authentication.src_user_id) as src_user_id, values(Authentication.src_user_role) as src_user_role, values(Authentication.user_id) as user_id, values(Authentication.user_role) as user_role, values(Authentication.vendor_account) as vendor_account, values(Authentication.authentication_method) as authentication_method, values(Authentication.signature) as signature from datamodel="Authentication"."Authentication" where Authentication.signature_id IN ("4624","4625") AND (Authentication.dest="WIN-*" OR Authentication.src="WIN-*") by "Authentication.action", "Authentication.app", "Authentication.src", "Authentication.src_user", "Authentication.dest", "Authentication.user" | `drop_dm_object_name("Authentication")` | fields _time, action, app, signature, src, src_user, src_user_id, src_user_role, dest, user, user_id, user_role, vendor_account, authentication_method

In the Authentication data model the Windows event code is carried in signature_id (signature holds the event name). Depending on how your Windows add-on maps the fields, src may contain the source IP address rather than the workstation name; if so, use the raw event-log search above for the source-side match.
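As an added example (not TekStream’s code or SPL), the following Python applies the Step 6 logic to Windows Security logon events, checking for a default-named host on either side of the authentication and scoping to the VPN client pool, which is assumed here to be 10.200.0.0/16. The field names follow what the Splunk Add-on for Microsoft Windows extracts from the classic event text (EventCode, ComputerName, Workstation_Name, Source_Network_Address, user); WIN-R84DEUE96RB is the host name from this page, and all other names, addresses and events are constructed.

```python
"""Added example: Step 6 check over Windows Security logon events with the
source/destination distinction and VPN-pool scoping. Not TekStream's code."""
import ipaddress
from collections import Counter

SUCCESS, FAILURE = "4624", "4625"
VPN_POOL = ipaddress.ip_network("10.200.0.0/16")  # assumed AnyConnect client pool


def is_default_named(host):
    """True for the WIN-<random> names Windows assigns when no hostname is set."""
    return host.upper().startswith("WIN-")


def from_vpn_pool(ip, pool=VPN_POOL):
    """True if the source address parses and sits inside the VPN client pool."""
    try:
        return ipaddress.ip_address(ip) in pool
    except ValueError:        # "-", empty string, or other non-address values
        return False


def find_win_host_auth(events, pool=VPN_POOL):
    """Return (src_ip, workstation, logging_host, user, outcome) for 4624/4625
    events that involve a WIN-* host on either side and come from the pool."""
    hits = []
    for ev in events:
        if ev.get("EventCode") not in (SUCCESS, FAILURE):
            continue                                   # not a logon result
        workstation = ev.get("Workstation_Name", "")   # where the attempt came from
        logging_host = ev.get("ComputerName", "")      # host that recorded the event
        if not (is_default_named(workstation) or is_default_named(logging_host)):
            continue
        src_ip = ev.get("Source_Network_Address", "")
        if not from_vpn_pool(src_ip, pool):
            continue                                   # LAN hosts are out of scope here
        outcome = "success" if ev["EventCode"] == SUCCESS else "failure"
        hits.append((src_ip, workstation, logging_host, ev.get("user", ""), outcome))
    return hits


def summarize(hits):
    """Count outcomes per (src_ip, workstation). A run of failures followed by a
    success from one WIN-* host over the VPN is the pattern worth escalating."""
    summary = {}
    for src_ip, workstation, _host, _user, outcome in hits:
        summary.setdefault((src_ip, workstation), Counter())[outcome] += 1
    return summary


# Constructed events in the shape the Windows add-on extracts. Only the first
# three and the sixth should match: the fourth is a named corporate laptop,
# the fifth is a WIN-* host on the LAN rather than the VPN pool, the seventh
# is a 4672 privilege event rather than a logon result.
EVENTS = [
    {"EventCode": "4625", "ComputerName": "DC01.corp.example", "Workstation_Name": "WIN-R84DEUE96RB",
     "Source_Network_Address": "10.200.3.17", "user": "administrator"},
    {"EventCode": "4625", "ComputerName": "DC01.corp.example", "Workstation_Name": "WIN-R84DEUE96RB",
     "Source_Network_Address": "10.200.3.17", "user": "backupadmin"},
    {"EventCode": "4624", "ComputerName": "FS01.corp.example", "Workstation_Name": "WIN-R84DEUE96RB",
     "Source_Network_Address": "10.200.3.17", "user": "svc_backup"},
    {"EventCode": "4624", "ComputerName": "FS01.corp.example", "Workstation_Name": "LT-JDOE",
     "Source_Network_Address": "10.200.5.2", "user": "jdoe"},
    {"EventCode": "4624", "ComputerName": "FS01.corp.example", "Workstation_Name": "WIN-7H2K9QW3P1A",
     "Source_Network_Address": "192.168.10.4", "user": "build"},
    {"EventCode": "4624", "ComputerName": "WIN-9X2LKQ4ZT7B", "Workstation_Name": "",
     "Source_Network_Address": "10.200.7.9", "user": "administrator"},
    {"EventCode": "4672", "ComputerName": "DC01.corp.example", "Workstation_Name": "WIN-R84DEUE96RB",
     "Source_Network_Address": "10.200.3.17", "user": "administrator"},
]

if __name__ == "__main__":
    for key, outcomes in summarize(find_win_host_auth(EVENTS)).items():
        print(key, dict(outcomes))
```

The sixth event shows why the destination side matters: a freshly built WIN-* host being logged into from the VPN pool is just as interesting as a WIN-* source, and a search that only checks the source workstation field would miss it.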

IOC List

We have aggregated a list of IOCs related to the Cisco ASA VPN exploitation. It has been presented here for you to have it consolidated in one spot and made easier to export to a lookup for notable detections.

Conclusion

Ideally, you would turn searches like the ones above into scheduled searches that read their IOCs from lookup tables, so new indicators can be added without editing the search itself. Run them on a continuous schedule to keep your assets monitored against new activity, and age out indicators tied to vulnerabilities that have been patched (and the patches applied) so the lookup stays timely and efficient. For questions on how to build such a process that is dynamic and customizable for your environment, ask one of our consultants by filling in the form below. Also, subscribe to the TekStream blog to catch the next monthly security bulletin and apply the latest detections to protect your systems. Happy Splunking!

References

Articles referenced and used for this Blog Post:

Akira Ransomware Targets Cisco VPNs to Breach Organizations

Hacking Campaign Bruteforces VPNs to Breach Networks

Cisco ASA Ransomware Attacks

Under Siege: Rapid7 Observed Exploitation of Cisco ASA SSL VPNs

Akira Ransomware Attacking VPNs Without Multi-Factor Authentication

Disclaimer

The approaches recommended herein have not been tested broadly across the TekStream customer base. They are preliminary in nature and come without any certification of efficacy.