A zero-day vulnerability in Cisco’s Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software has been targeted by the Akira ransomware gang. The vulnerability, known as CVE-2023-20269, is a medium-severity flaw that affects the remote access VPN features of Cisco’s software. It allows attackers to conduct brute force attacks and establish unauthorized clientless SSL VPN sessions.
Cisco published an advisory stating that the vulnerability was due to improper separation of authentication, authorization, and accounting (AAA) between the remote access VPN feature and the HTTPS management and site-to-site VPN features. An attacker can exploit this vulnerability by specifying a default connection profile or tunnel group during a brute force attack or while establishing a clientless SSL VPN session with valid credentials.
The attempted exploitation of this vulnerability was reported by Cisco last month. The Akira ransomware gang, along with other ransomware actors such as LockBit and Trigona, has been targeting a wide range of VPNs that are not configured for multifactor authentication. Cisco has recommended multiple workarounds for customers running affected software versions, including configuring dynamic access policies, restricting VPN remote access, and enabling logging. However, no software update has been released yet.
When asked about the status of the patch for CVE-2023-20269, Cisco declined to comment but advised customers to apply the suggested workarounds and upgrade their software once a fixed release is available. Cisco has also provided indicators of compromise to help customers identify if their systems have been targeted.
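As an added illustration of the "enable logging" workaround (this is example code, not Cisco's own tooling or indicators), the script below scans ASA syslog lines and flags a source address with repeated VPN authentication rejections in a short window, plus any clientless session opened against one of the default tunnel groups named in the advisory pattern. The syslog message layouts for IDs 113005/113015 and 716001 are approximated from ASA logging documentation, and all sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Approximations of two real ASA syslog formats: AAA rejection and WebVPN session start.
REJECT_RE = re.compile(r"%ASA-6-1130(?:05|15): AAA user authentication Rejected.*?user = (?P<user>\S+) : user IP = (?P<ip>\S+)")
SESSION_RE = re.compile(r"%ASA-6-716001: Group <(?P<group>[^>]+)> User <(?P<user>[^>]+)> IP <(?P<ip>[^>]+)> WebVPN session started")
DEFAULT_GROUPS = {"DefaultWEBVPNGroup", "DefaultRAGroup"}  # ASA default tunnel groups

# Constructed sample log: six rejections in 20 s from one source, two sparse ones from
# another, then two clientless sessions, one of them against DefaultWEBVPNGroup.
SAMPLE_LOG = [
    f"2023-09-12 10:00:{s:02d} %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = admin : user IP = 203.0.113.10"
    for s in (1, 5, 9, 13, 17, 21)
] + [
    "2023-09-12 10:00:30 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = svc : user IP = 198.51.100.7",
    "2023-09-12 10:05:30 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = svc : user IP = 198.51.100.7",
    "2023-09-12 10:00:40 %ASA-6-716001: Group <DefaultWEBVPNGroup> User <bob> IP <203.0.113.10> WebVPN session started.",
    "2023-09-12 10:01:00 %ASA-6-716001: Group <Employees> User <carol> IP <198.51.100.7> WebVPN session started.",
]


def analyze(lines, threshold=5, window=timedelta(seconds=60)):
    """Return per-IP brute-force hits and sessions opened against default tunnel groups."""
    rejects = defaultdict(list)  # source IP -> timestamps of rejected logins
    default_sessions = []        # (ip, user, group) for sessions on a default group
    for line in lines:
        ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
        m = REJECT_RE.search(line)
        if m:
            rejects[m["ip"]].append(ts)
            continue
        m = SESSION_RE.search(line)
        if m and m["group"] in DEFAULT_GROUPS:
            default_sessions.append((m["ip"], m["user"], m["group"]))
    bruteforce = {}
    for ip, stamps in rejects.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):      # sliding window over sorted timestamps
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                bruteforce[ip] = max(bruteforce.get(ip, 0), end - start + 1)
    return {"bruteforce": bruteforce, "default_group_sessions": default_sessions}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

A session on a default group from the same address that just exceeded the rejection threshold is the pairing worth paging on; a default-group session alone may simply mean a profile was never tightened.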
The Akira ransomware gang is relatively new and was first observed in March. Cisco has identified several extortion methods used by the group, including stealing and publishing sensitive data of victims. In May, there was a sharp increase in Akira activity, with nearly 30 reported victims, making it the fifth most-active ransomware gang that month.
Overall, this Cisco VPN flaw and its exploitation by the Akira ransomware gang highlight the importance of implementing strong security measures, such as multifactor authentication, to protect against potential attacks. It is crucial for organizations to stay vigilant, apply recommended workarounds, and upgrade to fixed software releases as soon as they become available to mitigate the risk of cyber threats.