{
	"id": "ab1bb65e-3c34-47fb-a577-81e6ef7c3db2",
	"created_at": "2026-04-06T00:15:14.36301Z",
	"updated_at": "2026-04-10T13:12:09.489872Z",
	"deleted_at": null,
	"sha1_hash": "d60039b9dff51292c5cfff2a435b1e9747cf3f17",
	"title": "Under Siege: Rapid7-Observed Exploitation of Cisco ASA SSL VPNs | Rapid7 Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 786314,
	"plain_text": "Under Siege: Rapid7-Observed Exploitation of Cisco ASA SSL\r\nVPNs | Rapid7 Blog\r\nBy Rapid7\r\nPublished: 2023-08-29 · Archived: 2026-04-05 13:36:38 UTC\r\nTyler Starks, Christiaan Beek, Robert Knapp, Zach Dayton, and Caitlin Condon contributed to this blog.\r\nRapid7’s managed detection and response (MDR) teams have observed increased threat activity targeting Cisco\r\nASA SSL VPN appliances (physical and virtual) dating back to at least March 2023. In some cases, adversaries\r\nhave conducted credential stuffing attacks that leveraged weak or default passwords; in others, the activity we’ve\r\nobserved appears to be the result of targeted brute-force attacks on ASA appliances where multi-factor\r\nauthentication (MFA) was either not enabled or was not enforced for all users (i.e., via MFA bypass groups).\r\nSeveral incidents our managed services teams have responded to ended in ransomware deployment by the Akira\r\nand LockBit groups.\r\nThere is no clear pattern among target organizations or verticals. Victim organizations varied in size and spanned\r\nhealthcare, professional services, manufacturing, and oil and gas, along with other verticals. We have included\r\nindicators of compromise (IOCs) and attacker behavior observations in this blog, along with practical\r\nrecommendations to help organizations strengthen their security posture against future attacks. Note: Rapid7 has\r\nnot observed any bypasses or evasion of correctly configured MFA.\r\nRapid7 has been actively working with Cisco over the course of our investigations. On August 24, Cisco’s Product\r\nSecurity Incident Response Team (PSIRT) published a blog outlining attack tactics they have observed, many of\r\nwhich overlap with Rapid7’s observations. 
We thank Cisco for their collaboration and willingness to share\r\ninformation in service of protecting users.\r\nObserved attacker behavior\r\nRapid7 identified at least 11 customers who experienced Cisco ASA-related intrusions between March 30 and\r\nAugust 24, 2023. Our team traced the malicious activity back to an ASA appliance servicing SSL VPNs for\r\nremote users. ASA appliance patches varied across compromised appliances — Rapid7 did not identify any\r\nparticular version that was unusually susceptible to exploitation.\r\nIn our analysis of these intrusions, Rapid7 identified multiple areas of overlap among observed IOCs. The\r\nWindows clientname WIN-R84DEUE96RB was often associated with threat actor infrastructure, along with the IP\r\naddresses 176.124.201[.]200 and 162.35.92[.]242. We also saw overlap in accounts used to authenticate into\r\ninternal systems, including the use of accounts TEST, CISCO, SCANUSER, and PRINTER. User domain\r\naccounts were also used to successfully authenticate to internal assets — in several cases, attackers successfully\r\nauthenticated on the first try, which may indicate that the victim accounts were using weak or default credentials.\r\nhttps://www.rapid7.com/blog/post/2023/08/29/under-siege-rapid7-observed-exploitation-of-cisco-asa-ssl-vpns/\r\nPage 1 of 7\n\nThe below image is an anonymized log entry where an attacker attempts a (failed) login to the Cisco ASA SSL\r\nVPN service. 
In our analysis of log files across different incident response cases, we frequently observed failed\r\nlogin attempts occurring within milliseconds of one another, which points at automated attacks.\r\nIn most of the incidents we investigated, threat actors attempted to log into ASA appliances with a common set of\r\nusernames, including:\r\nadmin\r\nadminadmin\r\nbackupadmin\r\nkali\r\ncisco\r\nguest\r\naccounting\r\ndeveloper\r\nftp user\r\ntraining\r\ntest\r\nprinter\r\necho\r\nsecurity\r\ninspector\r\ntest test\r\nsnmp\r\nThe above is a fairly standard list of accounts that may point at use of a brute forcing tool. In some cases, the\r\nusernames in login attempts belonged to actual domain users. While we have no specific evidence of leaked\r\nvictim credentials, we are aware that it’s possible to attempt to brute force a Cisco ASA service with the path\r\n+CSCOE+/logon.htm. VPN group names are also visible in the source code of the VPN endpoint login page and\r\ncan be easily extracted, which can aid brute forcing attacks.\r\nUpon successful authentication to internal assets, threat actors deployed set.bat. Execution of set.bat resulted in\r\nthe installation and execution of the remote desktop application AnyDesk, with a set password of greenday#@!. In\r\nsome cases, nd.exe was executed on systems to dump NTDS.DIT, as well as the SAM and SYSTEM hives, which\r\nmay have given the adversary access to additional domain user credentials. The threat actors performed further\r\nlateral movement and binary executions across other systems within target environments to increase the scope of\r\ncompromise. 
As mentioned previously, several of the intrusions culminated in the deployment and execution of\r\nAkira or LockBit-related ransomware binaries.\r\nDark web activity\r\nIn parallel with incident response investigations into ASA-based intrusions, Rapid7 threat intelligence teams have\r\nbeen monitoring underground forums and Telegram channels for threat actor discussion about these types of\r\nattacks. In February 2023, a well-known initial access broker called “Bassterlord” was observed in XSS forums\r\nselling a guide on breaking into corporate networks. The guide, which included chapters on SSL VPN brute\r\nforcing, was being sold for $10,000 USD.\r\nWhen several other forums started leaking information from the guide, Bassterlord posted on Twitter about\r\nshifting to a content rental model rather than selling the guide wholesale:\r\nRapid7 obtained a leaked copy of the manual and analyzed its content. Notably, the author claimed they had\r\ncompromised 4,865 Cisco SSL VPN services and 9,870 Fortinet VPN services with the username/password\r\ncombination test:test. 
It’s possible that, given the timing of the dark web discussion and the increased threat\r\nactivity we observed, the manual’s instruction contributed to the uptick in brute force attacks targeting Cisco ASA\r\nVPNs.\r\nIndicators of compromise\r\nRapid7 identified the following IP addresses associated with source authentication events to compromised internal\r\nassets, as well as outbound connections from AnyDesk:\r\n161.35.92.242\r\n173.208.205.10\r\n185.157.162.21\r\n185.193.64.226\r\n149.93.239.176\r\n158.255.215.236\r\n95.181.150.173\r\n94.232.44.118\r\n194.28.112.157\r\n5.61.43.231\r\n5.183.253.129\r\n45.80.107.220\r\n193.233.230.161\r\n149.57.12.131\r\n149.57.15.181\r\n193.233.228.183\r\n45.66.209.122\r\n95.181.148.101\r\n193.233.228.86\r\n176.124.201.200\r\n162.35.92.242\r\n144.217.86.109\r\nOther IP addresses that were observed conducting brute force attempts:\r\n31.184.236.63\r\n31.184.236.71\r\n31.184.236.79\r\n194.28.112.149\r\n62.233.50.19\r\n194.28.112.156\r\n45.227.255.51\r\n185.92.72.135\r\n80.66.66.175\r\n62.233.50.11\r\n62.233.50.13\r\n194.28.115.124\r\n62.233.50.81\r\n152.89.196.185\r\n91.240.118.9\r\n185.81.68.45\r\n152.89.196.186\r\n185.81.68.46\r\n185.81.68.74\r\n62.233.50.25\r\n62.233.50.17\r\n62.233.50.23\r\n62.233.50.101\r\n62.233.50.102\r\n62.233.50.95\r\n62.233.50.103\r\n92.255.57.202\r\n91.240.118.5\r\n91.240.118.8\r\n91.240.118.7\r\n91.240.118.4\r\n161.35.92.242\r\n45.227.252.237\r\n147.78.47.245\r\n46.161.27.123\r\n94.232.43.143\r\n94.232.43.250\r\n80.66.76.18\r\n94.232.42.109\r\n179.60.147.152\r\n185.81.68.197\r\n185.81.68.75\r\nMany of the IP addresses above were hosted by the following providers:\r\nChang Way Technologies Co. 
Limited\r\nFlyservers S.A.\r\nXhost Internet Solutions Lp\r\nNFOrce Entertainment B.V.\r\nVDSina Hosting\r\nLog-based indicators:\r\nLogin attempts with invalid username and password combinations (%ASA-6-113015)\r\nRAVPN session creation (attempts) for unexpected profiles/TGs (%ASA-4-113019, %ASA-4-722041,\r\n%ASA-7-734003)\r\nMitigation guidance\r\nAs Rapid7’s mid-year threat review noted, nearly 40% of all incidents our managed services teams responded to\r\nin the first half of 2023 stemmed from lack of MFA on VPN or virtual desktop infrastructure. These incidents\r\nreinforce that use of weak or default credentials remains common, and that credentials in general are often not\r\nprotected as a result of lax MFA enforcement in corporate networks.\r\nTo mitigate the risk of the attacker behavior outlined in this blog, organizations should:\r\nEnsure default accounts have been disabled or passwords have been reset from the default.\r\nEnsure MFA is enforced across all VPN users, limiting exceptions to this policy as much as possible.\r\nEnable logging on VPNs: Cisco has information on doing this for ASA specifically here, along with\r\nguidance on collecting forensic evidence from ASA devices here.\r\nMonitor VPN logs for authentication attempts occurring outside expected locations of employees.\r\nMonitor VPN logs for failed authentications, looking for brute forcing and password spraying patterns.\r\nAs a best practice, keep current on patches for security issues in VPNs, virtual desktop infrastructure, and\r\nother gateway devices.\r\nRapid7 is monitoring MDR customers for anomalous authentication events and signs of brute forcing and\r\npassword spraying. 
For InsightIDR and MDR customers, the following non-exhaustive list of detection rules are\r\ndeployed and alerting on activity related to the attack patterns in this blog:\r\nAttacker Technique - NTDS File Access\r\nAttacker Tool - Impacket Lateral Movement\r\nProcess Spawned By SoftPerfect Network Scanner\r\nExecution From Root of ProgramData\r\nVarious sources have recently published pieces noting that ransomware groups appear to be targeting Cisco VPNs\r\nto gain access to corporate networks. Rapid7 strongly recommends reviewing the IOCs and related information in\r\nthis blog and in Cisco’s PSIRT blog and taking action to strengthen security posture for VPN implementations.\r\nUpdates\r\nOn September 6, Cisco published an advisory on CVE-2023-20269, an unauthorized access vulnerability affecting\r\nASA and Firepower Threat Defense remote access VPNs. According to the advisory, CVE-2023-20269 arises\r\nfrom improper separation of authentication, authorization, and accounting (AAA) between the remote access VPN\r\nfeature and the HTTPS management and site-to-site VPN features. Successful exploitation could allow an\r\nunauthenticated, remote attacker to conduct a brute force attack in an attempt to identify valid username and\r\npassword combinations or an authenticated, remote attacker to establish a clientless SSL VPN session with an\r\nunauthorized user.\r\nCVE-2023-20269 is being exploited in the wild and is related to some of the behavior Rapid7 has observed and\r\noutlined in this blog. A software update for Cisco ASA and FTD is pending. 
In the meantime, Cisco has\r\nworkarounds and additional information in their advisory.\r\nSource: https://www.rapid7.com/blog/post/2023/08/29/under-siege-rapid7-observed-exploitation-of-cisco-asa-ssl-vpns/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.rapid7.com/blog/post/2023/08/29/under-siege-rapid7-observed-exploitation-of-cisco-asa-ssl-vpns/"
	],
	"report_names": [
		"under-siege-rapid7-observed-exploitation-of-cisco-asa-ssl-vpns"
	],
	"threat_actors": [
		{
			"id": "8c8fea8c-c957-4618-99ee-1e188f073a0e",
			"created_at": "2024-02-02T02:00:04.086766Z",
			"updated_at": "2026-04-10T02:00:03.563647Z",
			"deleted_at": null,
			"main_name": "Storm-1567",
			"aliases": [
				"Akira",
				"PUNK SPIDER",
				"GOLD SAHARA"
			],
			"source_name": "MISPGALAXY:Storm-1567",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "910b38e9-07fe-4b47-9cf4-e190a07b1b84",
			"created_at": "2024-04-24T02:00:49.516358Z",
			"updated_at": "2026-04-10T02:00:05.309426Z",
			"deleted_at": null,
			"main_name": "Akira",
			"aliases": [
				"Akira",
				"GOLD SAHARA",
				"PUNK SPIDER",
				"Howling Scorpius"
			],
			"source_name": "MITRE:Akira",
			"tools": [
				"Mimikatz",
				"PsExec",
				"AdFind",
				"Akira _v2",
				"Akira",
				"Megazord",
				"LaZagne",
				"Rclone"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434514,
	"ts_updated_at": 1775826729,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d60039b9dff51292c5cfff2a435b1e9747cf3f17.pdf",
		"text": "https://archive.orkl.eu/d60039b9dff51292c5cfff2a435b1e9747cf3f17.txt",
		"img": "https://archive.orkl.eu/d60039b9dff51292c5cfff2a435b1e9747cf3f17.jpg"
	}
}