11 September 2023

Cisco releases interim workaround for a VPN zero-day exploited by Akira, LockBit ransomware

The networking giant Cisco has issued an interim workaround to address a zero-day vulnerability exploited by the Akira and LockBit ransomware operations while it’s working on a full patch.

Tracked as CVE-2023-20269, the vulnerability exists in the remote access VPN feature of Cisco's Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. The issue stems from the improper separation of authentication, authorization, and accounting (AAA) between the remote access VPN feature, the HTTPS management interface, and the site-to-site VPN feature. A remote attacker can abuse the flaw to conduct brute-force attacks against VPN credentials and to establish a clientless SSL VPN session with an unauthorized user.

However, the vulnerability does not allow attackers to bypass authentication.

“To successfully establish a remote access VPN session, valid credentials are required, including a valid second factor if multi-factor authentication (MFA) is configured,” the company noted.

In August, cybersecurity firm Rapid7 reported it observed an increase in attacks targeting Cisco ASA SSL VPN appliances (physical and virtual) dating back to at least March 2023.

In some cases, threat actors conducted credential stuffing attacks that leveraged weak or default passwords; in others, they performed targeted brute-force attacks against ASA appliances where multi-factor authentication (MFA) was either not enabled or not enforced for all users. In several incidents, the attackers deployed the Akira and LockBit ransomware onto the compromised systems.
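The two patterns Rapid7 describes, credential stuffing (many usernames from one source) and targeted brute force (one username hammered from one source), both leave a burst of rejected authentications in the appliance's syslog before any session is established. The following detector is an added example, not code from the article, Cisco or Rapid7: it reads ASA-style syslog lines, keeps a sliding window of failures per source IP, classifies a burst by how many distinct usernames it tried, and separately flags a VPN session that starts right after such a burst. The log lines are constructed, and the message IDs (113015 for a rejected local-database login, 716001 for a WebVPN session start) and field layout are modeled on ASA syslog as an assumption; check them against your own appliance's output before relying on the regexes.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not taken from the article). Format and message
# IDs are an assumption modeled on Cisco ASA syslog; verify against real logs.
SAMPLE_LOGS = """\
Sep 11 2023 10:00:01 asa-fw %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = jdoe : user IP = 203.0.113.10
Sep 11 2023 10:00:02 asa-fw %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = asmith : user IP = 203.0.113.10
Sep 11 2023 10:00:03 asa-fw %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = bwong : user IP = 203.0.113.10
Sep 11 2023 10:00:04 asa-fw %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = svc-backup : user IP = 203.0.113.10
Sep 11 2023 10:00:05 asa-fw %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = helpdesk : user IP = 203.0.113.10
Sep 11 2023 10:02:10 asa-fw %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = admin : user IP = 198.51.100.7
Sep 11 2023 10:02:20 asa-fw %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = admin : user IP = 198.51.100.7
Sep 11 2023 10:02:30 asa-fw %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = admin : user IP = 198.51.100.7
Sep 11 2023 10:02:40 asa-fw %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = admin : user IP = 198.51.100.7
Sep 11 2023 10:02:50 asa-fw %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = admin : user IP = 198.51.100.7
Sep 11 2023 10:03:01 asa-fw %ASA-6-716001: Group <DefaultWEBVPNGroup> User <admin> IP <198.51.100.7> WebVPN session started.
Sep 11 2023 10:04:00 asa-fw %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = mlee : user IP = 192.0.2.5
Sep 11 2023 10:04:20 asa-fw %ASA-6-716001: Group <DefaultWEBVPNGroup> User <mlee> IP <192.0.2.5> WebVPN session started.
"""

TS = r"(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2})"
# Rejected authentication: capture the username and the client IP.
REJECT_RE = re.compile(
    TS + r" \S+ %ASA-\d-113015: AAA user authentication Rejected : .*?"
    r"user = (?P<user>\S+) : user IP = (?P<ip>\S+)"
)
# Clientless (WebVPN) session established: capture group, user and client IP.
SESSION_RE = re.compile(
    TS + r" \S+ %ASA-\d-716001: Group <(?P<group>[^>]+)> User <(?P<user>[^>]+)> "
    r"IP <(?P<ip>[^>]+)> WebVPN session started"
)


def parse_ts(text):
    return datetime.strptime(text, "%b %d %Y %H:%M:%S")


def detect_vpn_bruteforce(log_text, threshold=5, window_seconds=300):
    """Return a list of (kind, source_ip, detail) alerts.

    kind is one of:
      credential_stuffing    - >= threshold failures from one IP, several usernames
      password_brute_force   - >= threshold failures from one IP, a single username
      success_after_failures - a WebVPN session started from an IP that had
                               >= threshold failures inside the window
    """
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(deque)  # source IP -> deque of (timestamp, username)
    alerts = []

    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if m:
            ts, ip, user = parse_ts(m["ts"]), m["ip"], m["user"]
            q = failures[ip]
            q.append((ts, user))
            # Drop failures that have aged out of the sliding window.
            while q and ts - q[0][0] > window:
                q.popleft()
            # Fire once, when the burst first reaches the threshold.
            if len(q) == threshold:
                users = sorted({u for _, u in q})
                kind = "credential_stuffing" if len(users) > 1 else "password_brute_force"
                alerts.append((kind, ip, users))
            continue

        m = SESSION_RE.match(line)
        if m:
            ts, ip = parse_ts(m["ts"]), m["ip"]
            recent = [u for t, u in failures[ip] if ts - t <= window]
            # A login that lands right after a burst of failures is the case a
            # responder most wants to see: a guessed password with no MFA in the way.
            if len(recent) >= threshold:
                alerts.append(("success_after_failures", ip, m["user"]))

    return alerts


if __name__ == "__main__":
    for kind, ip, detail in detect_vpn_bruteforce(SAMPLE_LOGS):
        print(f"{kind:24} {ip:16} {detail}")
```

Run against the constructed sample, the detector reports a credential-stuffing burst from 203.0.113.10 (five usernames), a single-user brute force from 198.51.100.7, and then a session start for that same source, which is the event worth paging on; the lone typo-and-retry from 192.0.2.5 produces nothing. The threshold and window are deliberately parameters, since a realistic baseline of mistyped passwords varies by user population.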

The company said it identified at least 11 victims who experienced Cisco ASA-related intrusions between March 30 and August 24, 2023.

In addition, Cisco released security fixes to address multiple vulnerabilities, including a high-risk flaw (CVE-2023-20238) in the Cisco BroadWorks Application Delivery Platform and Cisco BroadWorks Xtended Services Platform that could be exploited by a remote attacker to bypass the authentication process.
