A nasty ransomware operation is targeting Cisco VPNs to attack businesses, according to new research. The attackers reportedly use compromised Cisco VPN accounts to breach corporate networks, steal data and eventually encrypt it. The gang behind the Akira ransomware operation, which has been active since March 2023, appears to be focusing on Cisco VPN products to penetrate corporate networks without dropping additional backdoors or setting up persistence mechanisms that might give them away.
Security researchers from SentinelOne published research on the matter on 23 August. Their analysis indicated that the hackers used the Akira ransomware to compromise Cisco VPN solutions that don’t feature multi-factor authentication (MFA). In their report, they described how the attack worked:
The hackers started by gaining access to one of the Cisco employees’ personal Google accounts. Password syncing was enabled on this account, so the employee’s corporate credentials were synchronized with their browser. The attacker then conducted a series of sophisticated voice phishing attacks, posing as various trusted organizations, in an attempt to convince the victim to accept MFA push notifications. Once a push was accepted, the attacker had access to the VPN in the context of the target user.
Once inside the corporate network, the attacker was able to download and exfiltrate files from Box folders associated with the compromised account and from the employee’s Active Directory. The attacker was ultimately kicked out of the network, and several attempts to re-enter were thwarted, Cisco said.
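The attack chain described above hinges on the victim eventually accepting an MFA push after repeated prompts, which leaves a recognizable trace in authentication logs. As an added example (not from the article, SentinelOne or Cisco), the following Python detector flags a push approval that is preceded by repeated denials or timeouts for the same user; the log format, field names and sample entries are constructed for illustration:

```python
"""Flag MFA push-fatigue: a push approval preceded by repeated denials/timeouts.
Added example, not the page's or Cisco's code; the log format is assumed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: jdoe rejects three pushes then approves a fourth;
# asmith has one ordinary approval. Field names are illustrative only.
SAMPLE_LOG = """\
2023-08-20T02:01:40Z user=jdoe event=push_denied src=203.0.113.7
2023-08-20T02:03:12Z user=jdoe event=push_timeout src=203.0.113.7
2023-08-20T02:04:05Z user=jdoe event=push_denied src=203.0.113.7
2023-08-20T02:06:20Z user=jdoe event=push_approved src=203.0.113.7
2023-08-20T02:06:21Z user=jdoe event=vpn_login src=203.0.113.7
2023-08-20T08:15:09Z user=asmith event=push_approved src=198.51.100.9
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) event=(\S+) src=(\S+)$")
REJECTED = {"push_denied", "push_timeout"}


def parse_line(line):
    """Return (timestamp, user, event, src), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3), m.group(4)


def detect_push_fatigue(log_text, window=timedelta(minutes=15), threshold=2):
    """Return one alert per push approval that follows at least `threshold`
    rejected or expired pushes for the same user inside `window`."""
    history = defaultdict(list)  # user -> list of (timestamp, event)
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip unparseable lines rather than crash the detector
        ts, user, event, src = parsed
        history[user].append((ts, event))
        if event != "push_approved":
            continue
        prior = sum(1 for t, e in history[user] if e in REJECTED and ts - window <= t < ts)
        if prior >= threshold:
            alerts.append({"user": user, "src": src, "approved_at": ts.isoformat(),
                           "rejected_before_approval": prior})
    return alerts
```

Tune `window` and `threshold` to your own baseline; a single accidental denial before an approval is common, three or more in a few minutes is not.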
Interestingly, this attack was similar to the one carried out by the Yanluowang ransomware gang, which claimed to have hacked Cisco and published a list of stolen files on its leak site earlier this month. Cisco has disclosed its side of the story in a blog post, stating that the hack did not affect its business operations and only allowed the attackers to exfiltrate gigabytes’ worth of non-sensitive data.
Cisco also noted that it has updated its cybersecurity products with intelligence gained from observing the threat actor’s techniques. It has also notified the relevant authorities about the incident.
SearchSecurity talked with Nick Biasini, global lead of outreach at Cisco Talos, about the incident. He explained that the attackers were using offensive cyberattack tools – or cybersecurity tools, depending on whether you are black or white hat – such as Cobalt Strike, PowerSploit and Mimikatz to gain initial access and then enrolled devices for MFA and escalated privileges to a Cisco VPN account.
Luckily, Cisco’s internal CSIRT team reacted quickly and was able to identify the threat and remove it from the company’s systems. Moreover, it was able to recover all of the inconsequential data that the hackers had tried to exfiltrate. This incident shows that businesses must take precautions against advanced persistent threats and keep their cybersecurity teams on their toes. In addition, companies should invest in MFA-protected VPNs and implement other defensive measures. This will prevent a cyberattack from becoming a costly nightmare for them.