The Akira ransomware group is likely exploiting an already patched vulnerability in Cisco appliances as an entry point to targeted networks, researchers from TrueSec believe.
The theory is based on the observation that in eight incidents investigated by TrueSec that involved the Akira ransomware and Cisco AnyConnect SSL VPN devices used as an entry point, at least six of the devices were running versions vulnerable to CVE-2020-3259, which was patched in May 2020.
The flaw is an information disclosure issue in the web services interface of Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) software that can be used by a remote threat actor to access sensitive information.
The researchers noted that there is currently no public exploit for this flaw, so the operators behind Akira would have had to either buy the exploit code or develop it themselves.
“If your organization is running Cisco Anyconnect, and assuming the device has been patched since a fix for CVE-2020-3259 was available, it is highly recommended that you backtrack when your device was upgraded to a non-vulnerable version,” TrueSec’s Heresh Zaremand wrote in an advisory. “This is important as it is not possible to determine for how long this vulnerability has been exploited. For instance, if your backtracking shows that your devices were upgraded 6 months ago, then it is sound to consider any username and password used for the Anyconnect SSL VPN which has not changed in the last 6 months as compromised. A broad password reset is therefore highly recommended.”
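The advisory's backtracking rule above, worked through as an added example (not TrueSec's code): given the date an ASA/FTD was upgraded to a fixed release, every VPN credential whose last password change predates that upgrade is treated as exposed, and a device that was never upgraded exposes every account. The account list and dates are constructed sample data, not from any real incident.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class VpnAccount:
    """One AnyConnect SSL VPN user and when their password was last rotated."""
    username: str
    password_last_changed: date


def credentials_to_reset(accounts: List[VpnAccount],
                         patched_on: Optional[date]) -> List[str]:
    """Return usernames that should be treated as compromised.

    patched_on is the date the appliance was upgraded to a release that fixes
    CVE-2020-3259. Because nobody knows how long the flaw was exploited before
    the patch, any password that predates the upgrade is assumed exposed.
    A password changed on the upgrade day itself is also flagged, since the
    change may have happened before the upgrade (conservative choice).
    If patched_on is None the device is still vulnerable: flag everything.
    """
    if patched_on is None:
        return [a.username for a in accounts]
    return [a.username for a in accounts
            if a.password_last_changed <= patched_on]


# Constructed sample inventory (hypothetical accounts and dates).
SAMPLE_ACCOUNTS = [
    VpnAccount("alice", date(2023, 3, 1)),   # rotated well before the upgrade
    VpnAccount("bob", date(2023, 9, 15)),    # rotated after the upgrade
    VpnAccount("carol", date(2023, 8, 1)),   # rotated on the upgrade day
]
PATCHED_ON = date(2023, 8, 1)  # assumed upgrade date for the example


if __name__ == "__main__":
    for user in credentials_to_reset(SAMPLE_ACCOUNTS, PATCHED_ON):
        print(f"reset required: {user}")
```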
The Akira ransomware has been in operation since March 2023, with the threat actors behind the malware claiming to have hacked multiple organizations across industries including education, finance, and real estate. Like other ransomware gangs, the group runs a double extortion scheme, exfiltrating data before encrypting devices within the targeted network. The group is believed to be an offshoot of the notorious, now-defunct Conti ransomware operation, which in turn is believed to have ties to the Russian intelligence service (FSB).
Most recently, Akira targeted Finnish IT services and enterprise cloud hosting provider Tietoevry, affecting one of the company’s data centers in Sweden. As a result, the incident impacted many Swedish businesses and organizations, including the country’s largest cinema chain, Filmstaden, retail chain Rusta, construction materials provider Moelven, farming supplier Granngården, several universities and colleges, and several government agencies and municipalities.