Last updated Thursday, September 7, 2023, 14:02:21 GMT

Tyler Starks, Christiaan Beek, Robert Knapp, Zach Dayton, and Caitlin Condon also contributed to this blog.

Rapid7’s managed detection and response (MDR) teams have observed increased threat activity targeting Cisco ASA SSL VPN appliances (physical and virtual) dating back to at least March 2023. In some instances, adversaries have conducted credential stuffing attacks that leveraged weak or default passwords; in others, the activity we’ve observed appears to be the result of targeted brute-force attacks on ASA appliances where multi-factor authentication (MFA) was either not enabled or was not enforced for all users (i.e., via MFA bypass groups). Several incidents our managed services teams have responded to ended in ransomware deployment by the Akira and LockBit groups.

There is no clear pattern among targeted organizations or verticals. Victim organizations have varied in size and have spanned healthcare, professional services, manufacturing, and oil and gas, among other verticals. We have included indicators of compromise (IOCs) and attacker behavior observations in this blog, along with practical recommendations to help organizations strengthen their security posture against future attacks. Note: Rapid7 has not observed any bypass or evasion of properly configured MFA.

Rapid7 has been actively collaborating with Cisco over the course of our investigations. On August 24, Cisco’s Product Security Incident Response Team (PSIRT) published a blog outlining attack tactics they have observed, many of which overlap with Rapid7’s observations. We thank Cisco for their collaboration and willingness to share information in service of protecting users.

Observed Attacker Behavior

Rapid7 identified at least 11 customers who experienced Cisco ASA-related intrusions between March 30 and August 24, 2023. Our team traced the malicious activity back to an ASA appliance servicing SSL VPNs for remote users. ASA appliance patches varied across compromised appliances — Rapid7 did not identify any particular version that was unusually susceptible to exploitation.

In our analysis of these intrusions, Rapid7 identified multiple areas of overlap among observed IOCs. The Windows client name WIN-R84DEUE96RB was frequently linked to threat actor infrastructure, along with the IP addresses 176.124.201[.]200 and 162.35.92[.]242. We also saw overlap in the accounts used to authenticate into internal systems, including use of the accounts TEST, CISCO, SCANUSER, and PRINTER. User domain accounts were also used to successfully authenticate to internal assets; in several cases, the logs show the attacker succeeding on the first authentication attempt, which may indicate that the victim accounts were using weak or default credentials.

The below image is an anonymized log entry where an attacker attempts a (failed) login to the Cisco ASA SSL VPN service. In our analysis of log files across different incident response cases, we frequently observed failed login attempts spaced only milliseconds apart, which points to automated attacks.

In most of the incidents we investigated, threat actors attempted to log in to ASA appliances using a common set of usernames, including:

  • admin
  • adminadmin
  • backupadmin
  • kali
  • cisco
  • guest
  • accounting
  • developer
  • ftpuser
  • training
  • test
  • printer
  • echo
  • security
  • inspector
  • testtest
  • snmp

The above is a fairly standard list of accounts that may point at the use of a brute-forcing tool. In some cases, the usernames attempted belonged to actual domain users. While we have no definitive evidence that victim identities were leaked, we are aware that it’s possible to attempt to brute force a Cisco ASA service via the path +CSCOE+/logon.html. VPN group names are also visible in the source code of the VPN endpoint login page and can be easily extracted, which can aid brute-force attacks.

After successfully authenticating to internal assets, the threat actors deployed set.bat. Execution of set.bat resulted in the installation and execution of the remote desktop application AnyDesk, with the password greenday#@!. In some cases, nd.exe was executed on systems to dump NTDS.DIT, as well as the SAM and SYSTEM hives, which may have given the attackers access to additional domain user credentials. The threat actors performed further lateral movement and binary executions across other systems within target environments to increase the scope of compromise. As noted previously, several of the intrusions culminated in the deployment and execution of Akira or LockBit-related ransomware binaries.

Dark Web Activity

Concurrent with incident response investigations into ASA-based intrusions, Rapid7 threat intelligence teams have been monitoring underground forums and Telegram channels for threat actor discussion about these types of attacks. In February 2023, a well-known initial access broker called “Bassterlord” was observed in XSS forums selling a guide on breaking into corporate networks. The guide, which included chapters on SSL VPN brute forcing, was being sold for $10,000 USD.

When several other forums began leaking information from the guide, Bassterlord posted on Twitter about shifting to a content rental model rather than selling the guide wholesale:

Rapid7 obtained a copy of the leaked manual and analyzed its contents. Notably, the author claimed to have compromised 4,865 Cisco SSL VPN services and 9,870 Fortinet VPN services with the username/password combination test:test. It is possible, given the timing of the dark web discussion and the increase in threat activity we observed, that the manual’s instruction contributed to the uptick in brute force attacks targeting Cisco ASA VPNs.

Indicators of Compromise

Rapid7 identified the following IP addresses associated with source authentication events to compromised internal assets, as well as with outbound connections to AnyDesk:

  • 161.35.92.242
  • 173.208.205.10
  • 185.157.162.21
  • 185.193.64.226
  • 149.93.239.176
  • 158.255.215.236
  • 95.181.150.173
  • 94.232.44.118
  • 194.28.112.157
  • 5.61.43.231
  • 5.183.253.129
  • 45.80.107.220
  • 193.233.230.161
  • 149.57.12.131
  • 149.57.15.181
  • 193.233.228.183
  • 45.66.209.122
  • 95.181.148.101
  • 193.233.228.86
  • 176.124.201.200
  • 162.35.92.242
  • 144.217.86.109

Additional IP addresses observed conducting brute-force attempts:

  • 31.184.236.63
  • 31.184.236.71
  • 31.184.236.79
  • 194.28.112.149
  • 62.233.50.19
  • 194.28.112.156
  • 45.227.255.51
  • 185.92.72.135
  • 80.66.66.175
  • 62.233.50.11
  • 62.233.50.13
  • 194.28.115.124
  • 62.233.50.81
  • 152.89.196.185
  • 91.240.118.9
  • 185.81.68.45
  • 152.89.196.186
  • 185.81.68.46
  • 185.81.68.74
  • 62.233.50.25
  • 62.233.50.17
  • 62.233.50.23
  • 62.233.50.101
  • 62.233.50.102
  • 62.233.50.95
  • 62.233.50.103
  • 92.255.57.202
  • 91.240.118.5
  • 91.240.118.8
  • 91.240.118.7
  • 91.240.118.4
  • 161.35.92.242
  • 45.227.252.237
  • 147.78.47.245
  • 46.161.27.123
  • 94.232.43.143
  • 94.232.43.250
  • 80.66.76.18
  • 94.232.42.109
  • 179.60.147.152
  • 185.81.68.197
  • 185.81.68.75

Many of the IP addresses above are hosted by the following providers:

  • Chang Way Technologies Co. Limited
  • Flyservers S.A.
  • Xhost Internet Solutions LP
  • NFOrce Entertainment B.V.
  • VDSina Hosting

Log-based indicators:

  • Login attempts with invalid username/password combinations (%ASA-6-113015)
  • Remote access VPN (RAVPN) session creation (or attempted creation) against unexpected connection profiles / tunnel groups (%ASA-4-113019, %ASA-4-722041, %ASA-7-734003)
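The following Python script is an added example, not code from the Rapid7 post or from Cisco. It applies the first log-based indicator above, together with the failed-authentication monitoring recommended in the mitigation guidance, to constructed %ASA-6-113015 lines: it groups AAA rejections by source IP, flags a burst of failures, a spread of distinct usernames (password spraying), inter-arrival gaps of only milliseconds (automation, as described earlier in this blog), and matches against a subset of the IoC addresses listed in this blog. The message body follows Cisco’s documented 113015 format; the timestamp/hostname prefix, the thresholds, and the sample lines are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Assumed collector prefix (ISO timestamp with milliseconds, then hostname),
# followed by the %ASA-6-113015 AAA rejection message in Cisco's documented shape.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3})\s+\S+\s+"
    r"%ASA-6-113015: AAA user authentication Rejected : reason = (?P<reason>.+?) : "
    r"server = (?P<server>\S+) : user = (?P<user>\S+) : user IP = (?P<src>\S+)$"
)

# Subset of the source addresses listed in the blog's IoC section.
IOC_IPS = {"31.184.236.63", "62.233.50.19", "80.66.66.175", "176.124.201.200"}

# The commonly attempted usernames listed in the blog.
COMMON_USERNAMES = {
    "admin", "adminadmin", "backupadmin", "kali", "cisco", "guest", "accounting",
    "developer", "ftpuser", "training", "test", "printer", "echo", "security",
    "inspector", "testtest", "snmp",
}

# Constructed sample log lines: six rejections a few milliseconds apart from one
# IoC address cycling through wordlist usernames, two slow rejections from an
# RFC 5737 documentation address for a single ordinary user (a typo, not an
# attack), and one unrelated message that the parser must ignore.
_PREFIX = "asa-vpn01 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = "
SAMPLE_LINES = [
    f"2023-09-07T14:02:21.100 {_PREFIX}admin : user IP = 31.184.236.63",
    f"2023-09-07T14:02:21.105 {_PREFIX}cisco : user IP = 31.184.236.63",
    f"2023-09-07T14:02:21.111 {_PREFIX}test : user IP = 31.184.236.63",
    f"2023-09-07T14:02:21.116 {_PREFIX}guest : user IP = 31.184.236.63",
    f"2023-09-07T14:02:21.122 {_PREFIX}snmp : user IP = 31.184.236.63",
    f"2023-09-07T14:02:21.127 {_PREFIX}printer : user IP = 31.184.236.63",
    f"2023-09-07T14:05:00.000 {_PREFIX}jsmith : user IP = 203.0.113.10",
    f"2023-09-07T14:05:30.000 {_PREFIX}jsmith : user IP = 203.0.113.10",
    "2023-09-07T14:02:22.000 asa-vpn01 %ASA-6-302013: Built inbound TCP connection 12345 (constructed)",
]


def parse_line(line):
    """Return a dict for a 113015 rejection, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S.%f")
    return ev


def analyze(lines, min_failures=5, spray_users=3, auto_gap_ms=100.0):
    """Group rejections by source IP and tag suspicious sources.

    The thresholds are illustrative assumptions; tune them to your own baseline.
    """
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            by_src[ev["src"]].append(ev)

    findings = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        # Inter-arrival gaps in milliseconds; gaps of only a few milliseconds
        # indicate tooling rather than a person retyping a password.
        gaps_ms = [(b["ts"] - a["ts"]) / timedelta(milliseconds=1)
                   for a, b in zip(events, events[1:])]
        users = {e["user"] for e in events}
        tags = []
        if len(events) >= min_failures:
            tags.append("brute-force")
        if len(users) >= spray_users:
            tags.append("password-spray")
        if gaps_ms and median(gaps_ms) < auto_gap_ms:
            tags.append("automated")
        if src in IOC_IPS:
            tags.append("ioc-match")
        if tags:
            findings[src] = {
                "failures": len(events),
                "distinct_users": len(users),
                "median_gap_ms": median(gaps_ms) if gaps_ms else None,
                "wordlist_users": sorted(users & COMMON_USERNAMES),
                "tags": tags,
            }
    return findings


if __name__ == "__main__":
    for src, finding in analyze(SAMPLE_LINES).items():
        print(src, finding)
```

Run against a real ASA syslog export, only the source addresses that trip at least one rule are reported, so a single user mistyping a password is not surfaced; the wordlist overlap is reported as supporting context rather than as a rule of its own, since legitimate service accounts can share names with the list.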

Mitigation Guidance

As Rapid7’s Mid-Year Threat Review noted, nearly 40% of all incidents our managed services teams responded to in the first half of 2023 stemmed from a lack of MFA on VPN or virtual desktop infrastructure. These incidents demonstrate that the use of weak or default credentials remains common, and that credentials in general are often not protected as a result of lax MFA enforcement in corporate networks.

To mitigate the risk of the attacker behavior outlined in this blog, organizations should:

  • Ensure default accounts are disabled or that their passwords have been changed from the default.
  • Ensure MFA is enforced across all VPN users, limiting exceptions to this policy as much as possible.
  • Enable VPN logging: Cisco has information specific to ASA here, as well as guidance on collecting forensic evidence from ASA devices here.
  • Monitor VPN logs for authentication attempts occurring outside expected locations of employees.
  • Monitor VPN logs for failed authentications, looking for brute-force and password-spraying patterns.
  • As a best practice, stay up to date on patches for security issues in VPNs, virtual desktop infrastructure, and other gateway devices.

Rapid7 is monitoring MDR customers for anomalous authentication events and signs of brute forcing and password spraying. For InsightIDR and MDR customers, the following non-exhaustive list of detection rules is deployed and alerting on activity related to the attack patterns in this blog:

  • Attacker Technique - NTDS File Access
  • Attacker Tool - Impacket Lateral Movement
  • Process Spawned By SoftPerfect Network Scanner
  • Execution From Root Of ProgramData

Various sources have recently published pieces noting that ransomware groups appear to be targeting Cisco VPNs to gain access to corporate networks. Rapid7 strongly recommends reviewing the IOCs and related information in this blog and in Cisco’s PSIRT blog, and taking steps to strengthen the security posture of VPN implementations.

Update

On September 6, Cisco published an advisory for CVE-2023-20269, an unauthorized access vulnerability affecting ASA and Firepower Threat Defense (FTD) remote access VPNs. According to the advisory, CVE-2023-20269 is due to improper separation of authentication, authorization, and accounting (AAA) between the remote access VPN feature and the HTTPS management and site-to-site VPN features. Successful exploitation may allow an unauthenticated, remote attacker to conduct a brute force attack in an attempt to identify valid username and password combinations, or an authenticated, remote attacker to establish a clientless SSL VPN session with an unauthorized user.

CVE-2023-20269 is being exploited in the wild and is related to some of the behavior Rapid7 has observed and outlined in this blog. Software updates for Cisco ASA and FTD are pending. In the meantime, Cisco has provided workarounds and additional information in its advisory.