Cisco warned that threat actors are targeting two AnyConnect flaws disclosed in 2020, following an advisory from CISA on Monday regarding exploitation activity.
On Tuesday, Cisco updated its advisories from 2020 for two vulnerabilities in its AnyConnect Secure Mobility Client for Windows, tracked as CVE-2020-3433 and CVE-2020-3153. The first was ranked as critical because it could allow an attacker with valid credentials to perform DLL hijacking and execute code on affected Windows machines, but patches have been available for both flaws since 2020.
"The Cisco Product Security Incident Response Team (PSIRT) is aware that proof-of-concept exploit code is available for the vulnerability that is described in this advisory," Cisco wrote. "In October 2022, the Cisco PSIRT became aware of additional attempted exploitation of this vulnerability in the wild."
The Cybersecurity and Infrastructure Security Agency (CISA) added six vulnerabilities to its list of Known Exploited Vulnerabilities (KEV) on Monday, including the two Cisco flaws. Entries in the catalog, which documents more than 800 vulnerabilities, are based on active exploitation and pose a significant risk to enterprise and government security.
The flaws listed are intended to be prioritized for remediation because they are a "frequent attack vector for malicious cyber actors," the CISA notice said. CISA includes a due date by which federal civilian executive branch agencies are required to patch such vulnerabilities.
Cisco AnyConnect Secure Mobility Client provides VPN-like functionality for remote workers. The use of VPNs skyrocketed in 2020 during the pandemic and the massive shift to remote work. As a result, interest also skyrocketed from attackers, including nation-state groups, as they increasingly targeted known VPN vulnerabilities.
The "2022 VPN Risk Report" by Zscaler showed that the threat continues: nearly 100% of surveyed participants reported that their companies use a VPN, many of them with more than one gateway. In addition, more than 40% said they had witnessed an increase in exploits targeting the company's VPN since employees transitioned to remote work.
CISA did not expand on the scope of exploitation for the Cisco AnyConnect flaws or provide additional information on the adversary, but as with other entries on the list, the agency recommended applying updates per vendor instructions.
It's unclear who is exploiting the vulnerabilities, how large the attacks are or who first observed exploitation.
UPDATE: A Cisco spokesperson sent the following statement to TechTarget Editorial:
"Cisco is committed to transparency. When security issues arise, we handle them openly and as a matter of top priority, so our customers understand the issue and how to address it. In 2020, Cisco published two security advisories disclosing vulnerabilities in Cisco AnyConnect Secure Mobility Client for Windows. In October 2022, Cisco PSIRT became aware of additional attempted exploitation of these vulnerabilities in the wild and updated the security advisories accordingly. Fixed software is available for these vulnerabilities, and Cisco continues to strongly recommend that customers upgrade to a fixed software release to remediate these vulnerabilities. Please refer to the specific security advisories for the latest information."
The spokesperson also said that Cisco PSIRT monitors CISA's KEV catalog and "updates our security advisories as appropriate."
Other additions Monday to the KEV catalog included four flaws found in multiple driver products from Gigabyte Technology, a global hardware manufacturer based in Taiwan. While the flaws were assigned CVEs in 2018, Gigabyte did not issue fixes until 2020.
One flaw, tracked as CVE-2018-19320, was used in RobbinHood ransomware attacks that Sophos reported in 2020. Another flaw, tracked as CVE-2018-19323 and ranked as critical, could be leveraged by attackers to elevate privileges.
The only zero-day vulnerability recently added to the KEV list affected iOS and iPadOS, which Apple disclosed and patched on Monday. Tracked as CVE-2022-42827, the flaw could allow an application to execute code with kernel privileges.