Administrators of VMware and certain devices from Cisco Systems are being warned to install patches as soon as possible to close serious vulnerabilities.
Multiple vulnerabilities in VMware’s Aria Operations for Networks have been discovered, with patches issued earlier this week. Meanwhile, researchers at Rapid7 this week issued a detailed report on the vulnerabilities in the physical and virtual versions of Cisco’s ASA SSL VPN appliances being targeted by those deploying the Akira ransomware. This was reported on last week in a Cyber Security Today podcast.
VMware said the most serious problem (CVE-2023-34039) in Aria Operations for Networks is that it contains an authentication bypass vulnerability because of a lack of unique cryptographic key generation. A malicious actor with network access to the application could bypass SSH authentication to gain access to the Aria Operations for Networks interface. It gives the hole a CVSSv3 base score of 9.8.
The second vulnerability (CVE-2023-20890), rated at 7.2, is an arbitrary file write bug. An authenticated malicious actor with administrative access to Aria Operations for Networks can write files to arbitrary locations, resulting in remote code execution.
Rapid7 said its researchers detected increased attempts at getting into Cisco ASA SSL VPN appliances going back to at least March 2023. In some cases, adversaries have conducted credential stuffing attacks that leveraged weak or default passwords, the report says. In others, the activity appears to be the result of targeted brute-force attacks on ASA appliances where multi-factor authentication (MFA) was either not enabled or was not enforced for all users in a group. Several incidents ended in ransomware deployment by the Akira and LockBit groups.
Rapid7 identified at least 11 of its customers who experienced Cisco ASA-related intrusions between March 30 and August 24.
Tip for infosec pros and security awareness trainers: In most of the incidents Rapid7 investigated, threat actors attempted to log into ASA appliances with a common set of usernames, including:
- admin
- adminadmin
- backupadmin
- kali
- cisco
- guest
- accounting
- developer
- ftp user
- training
- printer
- echo
- security
- inspector
- test test
- snmp.
Here’s another interesting nugget from the report: In February, a well-known initial access broker called “Bassterlord” was observed in XSS forums selling a guide on breaking into corporate networks. The guide, which included chapters on SSL VPN brute forcing, was being sold for US$10,000. When several other forums started leaking information from the guide, Bassterlord also offered to rent access to the guide for as little as US$300 for one month.
Rapid7 obtained a leaked copy of the manual, which includes the claim that the author had compromised 4,865 Cisco SSL VPN services and 9,870 Fortinet VPN services with the username/password combination test:test.
“It’s possible,” the report says, “that given the timing of the dark web discussion and the increased threat activity we observed, the manual’s instruction contributed to the uptick in brute force attacks targeting Cisco ASA VPNs.”
