Cisco is aware of reports that Akira ransomware threat actors have been targeting Cisco VPNs that are not configured for multi-factor authentication (MFA) to infiltrate organizations, and we have observed instances where threat actors appear to be targeting organizations that do not configure MFA for their VPN users.
This highlights the importance of enabling MFA in VPN implementations. By implementing MFA, organizations can significantly reduce the risk of unauthorized access, including a potential ransomware infection. If a threat actor obtains a user's VPN credentials, for example through a brute-force attack, MFA provides an additional layer of protection so that the credentials alone are not enough to gain access to the VPN.
Cisco has been actively collaborating with Rapid7 in the investigation of similar attack tactics and would like to thank Rapid7 for their valuable collaboration.
Akira Ransomware

Initial reports of the Akira ransomware date back to March 2023. The threat actors responsible for Akira use different extortion strategies and operate a website on the Tor network (with a .onion domain) where they list victims and any pilfered information if the ransom demands are not met. Victims are directed to contact the attackers through this Tor-based site, using a unique identifier found in the ransom message they receive, to initiate negotiations.
Targeting VPN Implementations without MFA

When targeting VPNs in general, the first stage of the attack is carried out by taking advantage of exposed services or applications. The attackers often focus on the absence of MFA, on known vulnerabilities in MFA implementations, and on known vulnerabilities in VPN software. Once the attackers have obtained a foothold in a target network, they try to extract credentials through LSASS (Local Security Authority Subsystem Service) dumps to facilitate further movement within the network and to elevate privileges if needed. The group has also been linked to the use of tools commonly referred to as Living-Off-The-Land Binaries (LOLBins) or Commercial Off-The-Shelf (COTS) tools, such as PCHunter64, and to the creation of minidumps to gather further intelligence about, or pivot inside, the target network.
Brute-Forcing vs. Purchasing Credentials

There are two primary ways the attackers might have gained access:
Brute-Forcing: We have seen evidence of brute-force and password-spraying attempts. Brute forcing uses automated tools to try many combinations of usernames and passwords until the correct credentials are found. Password spraying is a variant in which the attacker tries a few common passwords against many usernames instead of every possible password against one user; spreading the attempts across accounts keeps each account below its lockout threshold and makes the activity easier to miss. With more robust logging on the VPN, evidence of a brute-force attack, such as multiple failed login attempts, would be visible. The following Cisco ASA log messages can help you detect potential brute-force attacks:

- Login attempts with an invalid username/password (%ASA-6-113015). Example:
  %ASA-6-113015: AAA user authentication Rejected: reason = reason : local database: user = user: user IP = xxx.xxx.xxx.xxx
- Remote access VPN session creation attempts for unexpected connection profiles/tunnel groups (%ASA-4-113019, %ASA-4-722041, or %ASA-7-734003)

Purchasing Credentials through Dark Web Market: Attackers can also acquire valid credentials by purchasing them on the dark web, a part of the internet reachable only through anonymity networks and often associated with illegal activities. These credentials might be available because of previous data breaches or through other means. Access gained this way would likely leave no sign of an attack in the VPN's logs: the attacker simply logs in with valid credentials, and the resulting session looks like any legitimate one unless it is correlated with other context, such as an unfamiliar source address or login time.

Logging within Cisco's ASA

Logging is a crucial part of cybersecurity: it records the events happening within a system. In the reported attack scenarios, logging was not configured on the affected Cisco ASAs, which has made it challenging to determine precisely how the Akira ransomware attackers were able to access the VPNs.
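As an added example (not code from Cisco's post), the Python script below runs the detection the two bullets describe over a constructed batch of ASA syslog lines: it groups %ASA-6-113015 rejects by source address and reports a burst as password spraying when the failures are spread across many usernames or as brute force when they are concentrated on a few, and it flags %ASA-4-113019 and %ASA-7-734003 records whose tunnel group is not on an allowlist. The log lines, addresses, usernames, the five-in-five-minutes threshold and the CORP-ANYCONNECT profile name are invented for the example; the field layouts follow the documented formats of those message IDs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of ASA syslog output (invented hosts, users and times, not
# real telemetry). Field layouts follow the documented formats of message IDs
# 113015, 113019 and 734003 as written with `logging timestamp` enabled.
SAMPLE_LOGS = """\
Aug 24 2023 10:15:01: %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = jsmith : user IP = 203.0.113.5
Aug 24 2023 10:15:03: %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = mjones : user IP = 203.0.113.5
Aug 24 2023 10:15:04: %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = admin : user IP = 203.0.113.5
Aug 24 2023 10:15:06: %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = svc_backup : user IP = 203.0.113.5
Aug 24 2023 10:15:07: %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = rlee : user IP = 203.0.113.5
Aug 24 2023 10:15:09: %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = rlee : user IP = 198.51.100.20
Aug 24 2023 10:16:30: %ASA-7-734003: DAP: User jsmith, Addr 203.0.113.5: Session Attribute aaa.cisco.tunnelgroup = DefaultWEBVPNGroup
Aug 24 2023 10:16:31: %ASA-4-113019: Group = DefaultRAGroup, Username = admin, IP = 203.0.113.5, Session disconnected. Session Type: SSL, Duration: 0h:00m:02s, Bytes xmt: 0, Bytes rcv: 0, Reason: User Requested
Aug 24 2023 10:20:00: %ASA-7-734003: DAP: User rlee, Addr 192.0.2.77: Session Attribute aaa.cisco.tunnelgroup = CORP-ANYCONNECT
"""

# "Aug 24 2023 10:15:01: %ASA-<severity>-<msgid>: <body>"
HEADER_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$")
# 113015: "... user = <name> : user IP = <addr>" (same tail for "local database" and "server = x" variants)
REJECT_RE = re.compile(r"user = (?P<user>[^:\s]+)\s*:\s*user IP = (?P<ip>\S+)")
# 734003: the DAP trace carries the connection profile as the aaa.cisco.tunnelgroup session attribute
DAP_RE = re.compile(
    r"DAP: User (?P<user>[^,]+), Addr (?P<ip>[^:]+): Session Attribute aaa\.cisco\.tunnelgroup = (?P<group>\S+)")
# 113019: session teardown names the connection profile as "Group = ..."
DISCONNECT_RE = re.compile(r"Group = (?P<group>[^,]+), Username = (?P<user>[^,]+), IP = (?P<ip>[^,]+),")
FIELD_PATTERNS = {"113015": REJECT_RE, "734003": DAP_RE, "113019": DISCONNECT_RE}


def parse_logs(text):
    """One dict per recognised line: ts, sev, msgid, plus user/ip/group where the message carries them."""
    events = []
    for line in text.splitlines():
        head = HEADER_RE.match(line)
        if not head:
            continue
        ev = {"ts": datetime.strptime(head["ts"], "%b %d %Y %H:%M:%S"),
              "sev": int(head["sev"]), "msgid": head["msgid"]}
        pattern = FIELD_PATTERNS.get(ev["msgid"])
        fields = pattern.search(head["body"]) if pattern else None
        if fields:
            ev.update(fields.groupdict())
        events.append(ev)
    return events


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Source addresses with at least `threshold` 113015 rejects inside a sliding `window`.

    Mostly distinct usernames in the burst is the spraying pattern; repeated
    failures against few usernames is classic brute force.
    """
    by_ip = defaultdict(list)
    for ev in events:
        if ev["msgid"] == "113015" and "ip" in ev:
            by_ip[ev["ip"]].append(ev)
    findings = {}
    for ip, rejects in by_ip.items():
        rejects.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(rejects)):
            while rejects[end]["ts"] - rejects[start]["ts"] > window:
                start += 1
            burst = rejects[start:end + 1]
            if len(burst) < threshold:
                continue
            users = {e["user"] for e in burst}
            if ip not in findings or len(burst) > findings[ip]["attempts"]:
                findings[ip] = {
                    "attempts": len(burst),
                    "distinct_users": len(users),
                    "pattern": "password spraying" if 2 * len(users) > len(burst) else "brute force",
                    "first": burst[0]["ts"], "last": burst[-1]["ts"],
                }
    return findings


def detect_unexpected_tunnel_groups(events, allowed_groups):
    """113019/734003 records naming a connection profile outside the allowlist.

    Attackers who do not know the real profile name tend to land on the
    DefaultWEBVPNGroup / DefaultRAGroup fallbacks.
    """
    return [ev for ev in events if ev.get("group") and ev["group"] not in allowed_groups]


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    for ip, f in detect_brute_force(evs).items():
        print(f"{ip}: {f['attempts']} rejects against {f['distinct_users']} users between "
              f"{f['first']:%H:%M:%S} and {f['last']:%H:%M:%S} -> {f['pattern']}")
    for ev in detect_unexpected_tunnel_groups(evs, {"CORP-ANYCONNECT"}):
        print(f"{ev['ts']:%H:%M:%S} %ASA-{ev['sev']}-{ev['msgid']}: {ev['user']} from {ev['ip']} "
              f"used unexpected tunnel group {ev['group']}")
```

Tune the threshold and window against your own baseline of legitimate failed logins before alerting on them. Note the severity digit in each message ID: 113015 is level 6 (informational) and 734003 is level 7 (debugging), so a collector fed with `logging trap informational` receives the first but never sees the second; to export the DAP record, the trap level has to include debugging or that one message's level has to be raised with `logging message 734003 level informational`.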
The absence of detailed logs leaves gaps in understanding and hinders a clear analysis of the attack method.

To set up logging on a Cisco ASA, access the command-line interface (CLI) and use the logging enable, logging host, and logging trap commands to turn logging on, specify the logging server, and set the severity level of the messages to send. Sending logging data to a remote syslog server is recommended: it enables improved correlation and auditing of network and security incidents across network devices, and it keeps the records off the device, where an attacker who gains control of the ASA cannot clear them and a reload does not erase them.

Refer to the Guide to Secure the Cisco ASA Firewall for detailed best practices on configuring logging and securing a Cisco ASA.

Additional Forensics Guidance for Incident Responders

Refer to the Cisco ASA Forensics Guide for First Responders for instructions on collecting evidence from Cisco ASA devices. The document lists the commands to run to assemble evidence for an investigation, along with the output that needs to be captured when each command is run. It also explains how to verify the integrity of the system images on Cisco ASA devices and describes how to gather a core file or memory dump from such a device.

Cisco will remain vigilant in monitoring and investigating these activities and will update customers with any new findings or information.

Read More: Cisco Blogs