Akira Ransomware Exploiting Cisco ASA/FTD Vulnerability

By neub9
3 Min Read

Feb 16, 2024NewsroomRansomware / Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has included a security flaw affecting Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software in its Known Exploited Vulnerabilities (KEV) catalog. This vulnerability has been exploited in Akira ransomware attacks.

The specific vulnerability in question is CVE-2020-3259 (CVSS score: 7.5), which is a high-severity information disclosure issue that could enable an attacker to access memory contents on an affected device. Cisco patched this vulnerability as part of updates released in May 2020, as stated in their security advisory.

Truesec, a cybersecurity company, revealed evidence which suggests that this vulnerability has been weaponized by the Akira ransomware group to compromise multiple vulnerable Cisco Anyconnect SSL VPN appliances over the past year.

“There is no publicly available exploit code for CVE-2020-3259, meaning that a threat actor, such as Akira, exploiting that vulnerability would need to buy or produce exploit code themselves, which requires deep insights into the vulnerability,” stated security researcher Heresh Zaremand in a blog post.

According to a report by Palo Alto Networks Unit 42, Akira is one of the 25 groups that established data leak sites in 2023, with the ransomware group claiming nearly 200 victims. Since its emergence in March 2023, the Akira group appears to have connections with the notorious Conti syndicate, evidenced by the fact that it has sent the ransom proceeds to Conti-affiliated wallet addresses.

In the fourth quarter of 2023, the e-crime group listed 49 victims on its data leak portal. Federal Civilian Executive Branch (FCEB) agencies are required to address identified vulnerabilities by March 7, 2024, in order to secure their networks against potential threats.

CVE-2020-3259 is not the only vulnerability being exploited for ransomware attacks. Recently, Arctic Wolf Labs revealed the abuse of CVE-2023-22527 in Atlassian Confluence Data Center and Confluence Server to deploy C3RB3R ransomware, among other malicious activities.

The U.S. State Department also announced rewards for information leading to the identification or location of BlackCat ransomware gang key members, as well as for information leading to the arrest or conviction of its affiliates.

The ransomware landscape has become increasingly lucrative, attracting new players such as Alpha and Wing, and netting substantial profits. The U.S. Government Accountability Office (GAO) has called for enhanced oversight into recommended practices to address ransomware specifically for critical sectors.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Share This Article
Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *