Nearly 4-year-old Cisco vuln linked to recent Akira ransomware attacks

January 31, 2024 at 12:52PM

Security researchers suspect the Akira ransomware group may be using a nearly four-year-old Cisco vulnerability as an entry point into organizations' systems. TrueSec's recent incident response engagements found signs of Akira exploiting CVE-2020-3259, an information-disclosure flaw in the AnyConnect SSL VPN (WebVPN) service of Cisco ASA and FTD software, which can expose usernames and passwords held in device memory. Organizations are advised to apply the Cisco patches, reset passwords, and enable multi-factor authentication for VPN access. The security community also notes the possible connection between offensive security research and both cybercriminals and nation states, underlining the need for vigilance in security practice.

The notes below summarize the findings on the Akira ransomware group's potential exploitation of a nearly four-year-old Cisco vulnerability and the attack patterns observed. The key takeaways are as follows:

1. Akira ransomware group may be exploiting a nearly four-year-old Cisco vulnerability – CVE-2020-3259 – in Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) software to gain unauthorized access to organizations’ systems.

2. TrueSec’s recent incident response engagements revealed that at least six of the devices involved were running versions vulnerable to CVE-2020-3259.

3. Akira is known to target Cisco VPNs as the initial access vector for ransomware attacks, and the potential exploitation of this old vulnerability is a new finding.

4. Security researchers noted that there is no publicly available exploit code for the Cisco vulnerability, suggesting that cybercriminals like those working for Akira would need deep understanding of the flaw to develop their own exploits.

5. An incident analysis highlighted a consistent pattern of malicious behavior: attackers logged in with genuine credentials, the compromised accounts had unrelated usernames and unique passwords, and the restored logs showed no evidence of phishing or password-guessing attacks that would explain how those credentials were obtained.

6. Organizations are urged to upgrade devices to non-vulnerable versions of Cisco ASA/FTD software (the component affected by CVE-2020-3259) and, for any device that ran a vulnerable version, to consider a broad password reset and to rotate other secrets or pre-shared keys stored in the device's configuration, since those may also have been exposed.

7. Organizations are advised to enable multi-factor authentication (MFA) for VPN logins and to apply the Cisco ASA/FTD patches, so that disclosed credentials alone are not sufficient to authenticate.

8. The vulnerability (CVE-2020-3259) was discovered by Russian security research outfit Positive Technologies, which was subsequently placed on the US sanctions list, raising concerns about the potential intersection of offensive security research and nation states or cybercriminals.
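Item 5 above describes the pattern TrueSec reported: successful VPN logins with genuine credentials and no preceding phishing or password-guessing attempts. The Python script below is an added illustration of how that pattern can be hunted in Cisco ASA syslog; it is not code from the article or from TrueSec. It baselines which (user, source IP) pairs logged in before a chosen cutoff date, then flags later successes from new sources and separates first-try successes (consistent with credentials obtained elsewhere, for example via a memory-disclosure bug) from successes preceded by rejected attempts (consistent with guessing). The log lines are constructed, and the field layouts assumed for message IDs 113039 (AnyConnect parent session started) and 113005 (AAA authentication rejected) should be verified against your own device's output before use.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the article or any real incident).
# Assumption: field layout approximates Cisco ASA %ASA-6-113039 / %ASA-6-113005.
SAMPLE_LOGS = """\
Jan 15 2024 09:02:11 fw01 %ASA-6-113039: Group <RA-VPN> User <alice> IP <198.51.100.23> AnyConnect parent session started.
Jan 16 2024 09:05:40 fw01 %ASA-6-113039: Group <RA-VPN> User <alice> IP <198.51.100.23> AnyConnect parent session started.
Jan 16 2024 09:30:02 fw01 %ASA-6-113039: Group <RA-VPN> User <bob> IP <203.0.113.9> AnyConnect parent session started.
Jan 28 2024 01:10:05 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = carol : user IP = 192.0.2.200
Jan 28 2024 01:10:09 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = carol : user IP = 192.0.2.200
Jan 28 2024 01:10:15 fw01 %ASA-6-113039: Group <RA-VPN> User <carol> IP <192.0.2.200> AnyConnect parent session started.
Jan 28 2024 03:47:51 fw01 %ASA-6-113039: Group <RA-VPN> User <alice> IP <192.0.2.45> AnyConnect parent session started.
Jan 29 2024 10:00:00 fw01 %ASA-6-113039: Group <RA-VPN> User <bob> IP <203.0.113.9> AnyConnect parent session started.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-\d-(?P<msg>\d+): (?P<body>.*)$"
)
SESSION_RE = re.compile(r"User <(?P<user>[^>]+)> IP <(?P<ip>[^>]+)>")
REJECT_RE = re.compile(r"user = (?P<user>\S+) : user IP = (?P<ip>\S+)")


def parse_line(line):
    """Return an event dict for session starts (113039) and AAA rejects (113005), else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
    if m["msg"] == "113039":
        s = SESSION_RE.search(m["body"])
        if s:
            return {"ts": ts, "kind": "success", "user": s["user"], "ip": s["ip"]}
    elif m["msg"] == "113005":
        r = REJECT_RE.search(m["body"])
        if r:
            return {"ts": ts, "kind": "reject", "user": r["user"], "ip": r["ip"]}
    return None


def find_suspicious_logins(lines, baseline_cutoff, failure_window=timedelta(hours=24)):
    """Flag successful logins from (user, ip) pairs never seen before the cutoff.

    Each finding records how many rejects the same (user, ip) produced inside
    failure_window before the success. Zero prior failures means the credentials
    worked on the first try, which is the pattern described in the article.
    """
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    # Baseline of known-good (user, ip) pairs from successes before the cutoff.
    known = {(e["user"], e["ip"]) for e in events
             if e["kind"] == "success" and e["ts"] < baseline_cutoff}
    rejects = defaultdict(list)  # (user, ip) -> timestamps of rejected attempts
    findings = []
    for e in events:
        key = (e["user"], e["ip"])
        if e["kind"] == "reject":
            rejects[key].append(e["ts"])
            continue
        if e["ts"] < baseline_cutoff or key in known:
            continue
        prior = sum(1 for t in rejects[key] if e["ts"] - failure_window <= t < e["ts"])
        verdict = "valid-credential-use" if prior == 0 else "guessing-then-success"
        findings.append({"user": e["user"], "ip": e["ip"], "ts": e["ts"],
                         "prior_failures": prior, "verdict": verdict})
        known.add(key)  # alert once per new (user, ip) pair, not on every session
    return findings


def run_sample():
    """Run the hunt over the constructed sample with a cutoff of 27 Jan 2024."""
    return find_suspicious_logins(SAMPLE_LOGS.splitlines(), datetime(2024, 1, 27))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['ts']} user={f['user']} src={f['ip']} "
              f"prior_failures={f['prior_failures']} verdict={f['verdict']}")
```

On the sample, carol's login from 192.0.2.200 is preceded by two rejects and is reported as guessing-then-success, while alice's login from 192.0.2.45 succeeds with no prior failures and is reported as valid-credential-use; bob's login from an already-known address is not reported. In a real deployment the baseline should come from weeks of logs rather than a handful of lines, and the verdict should be corroborated with the user (travel, new ISP) before treating it as compromise.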

These takeaways highlight the critical implications of the Akira ransomware group’s potential exploitation of a Cisco vulnerability and provide essential guidance for organizations to enhance their security measures.
