
Akira Ransomware Exploits Cisco Anyconnect Vulnerability


Akira Ransomware Actively Exploiting Cisco AnyConnect Vulnerability

Recent reports indicate that threat actors have been exploiting a vulnerability in Cisco AnyConnect SSL VPN deployments to gain unauthorized access to networks, compromise sensitive information, and carry out further malicious activity. Successful exploitation lets attackers bypass security controls, take unauthorized control of network resources, disrupt operations, conduct cyber espionage, steal data, and deploy ransomware.

Truesec, a cybersecurity firm, recently discovered that Akira ransomware is actively exploiting the CVE-2020-3259 vulnerability in the Cisco AnyConnect system. The Truesec CSIRT found that this ransomware has been actively attacking the Cisco ASA and FTD flaw, tracked as “CVE-2020-3259,” which allows remote attackers to extract usernames and passwords from affected devices.

According to Truesec’s analysis, eight recent incidents of Akira ransomware were linked to the entry point of the Cisco AnyConnect SSL VPN. In six of these incidents, compromised devices were found to be running vulnerable software, while data on the other two devices was inconclusive in terms of the CVE-2020-3259 susceptibility.

This exploit can only occur if the device has AnyConnect SSL VPN enabled on the interface exposed to the attacker, which is typically the internet-facing firewall interface. In addition, specific configurations must be in place for the exploit to work effectively.

In May 2020, Positive Technologies discovered the CVE-2020-3259 vulnerability; the firm was later sanctioned, in April 2021, over alleged ties to Russian intelligence. Akira ransomware has been linked to the defunct Conti ransomware syndicate, although Truesec does not directly tie Akira’s actions to Russian intelligence. Truesec has, however, warned of the potential risks to Western defenses from shared offensive security research.

Security experts have also provided recommendations for organizations using the Cisco AnyConnect system. It is crucial for these organizations to track when their device was updated following the disclosure of CVE-2020-3259. Even if a patch has been applied, there may still be indicators of prior exploitation, so it is recommended to reset passwords and change any other device secrets immediately.

Additionally, organizations are advised to enable multi-factor authentication wherever possible, enforce password changes after a version upgrade, update secrets and pre-shared keys in device configurations, and confirm that logging is active across all systems.
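The exposure precondition described above (AnyConnect SSL VPN enabled on an internet-facing interface) and the secret-rotation advice can both be checked against a device's running configuration. The following Python script is an added example, not code from Truesec or Cisco; it parses a constructed Cisco ASA configuration excerpt, and the interface, user and tunnel-group names in it are assumptions:

```python
import re
from typing import Dict, List

# Constructed sample of a Cisco ASA running-config excerpt (assumed names, not from the article).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
username vpnadmin password AbCdEf123 encrypted privilege 15
username helpdesk password XyZ987 encrypted
enable password SeCrEt encrypted
tunnel-group site-b type ipsec-l2l
tunnel-group site-b ipsec-attributes
 ikev1 pre-shared-key *****
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win.pkg 1
 anyconnect enable
 tunnel-group-list enable
"""

def audit_asa_config(config: str) -> Dict[str, object]:
    """Report which interfaces expose AnyConnect SSL VPN and which secrets exist to rotate."""
    ssl_vpn_ifaces: List[str] = []
    local_users: List[str] = []
    psk_groups: List[str] = []
    in_webvpn, anyconnect_on, has_enable_pw, current_tg = False, False, False, None
    for line in config.splitlines():
        if not line.startswith(" "):            # top-level command: reset the current context
            in_webvpn = line.strip() == "webvpn"
            m = re.match(r"tunnel-group (\S+) ipsec-attributes", line)
            current_tg = m.group(1) if m else None
            m = re.match(r"username (\S+) password", line)
            if m:
                local_users.append(m.group(1))   # local account whose password should be reset
            if line.startswith("enable password"):
                has_enable_pw = True
            continue
        cmd = line.strip()
        if in_webvpn:
            m = re.match(r"enable (\S+)", cmd)  # "enable <nameif>" turns SSL VPN on for that interface
            if m:
                ssl_vpn_ifaces.append(m.group(1))
            anyconnect_on = anyconnect_on or cmd == "anyconnect enable"
        elif current_tg and cmd.startswith("ikev1 pre-shared-key"):
            psk_groups.append(current_tg)        # pre-shared key that should be rotated
    return {"anyconnect_exposed_on": ssl_vpn_ifaces if anyconnect_on else [],
            "local_users": local_users, "psk_tunnel_groups": psk_groups,
            "enable_password_set": has_enable_pw}
```

Run the audit on a real `show running-config` export; an `outside` entry under `anyconnect_exposed_on` means the precondition the article describes is met, and the remaining fields list the credentials and pre-shared keys to change after patching.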

In conclusion, it is crucial for organizations to fully understand the risks associated with the exploitation of the Cisco AnyConnect vulnerability and take appropriate measures to secure their systems and protect sensitive information. It is also important for security professionals to remain updated and follow best practices in order to mitigate potential risks associated with cyber attacks.
