Cisco VPN flaw faces attempted Akira ransomware attacks

A Cisco VPN flaw disclosed last week has faced attempted exploitation at the hands of the Akira ransomware gang.

The zero-day vulnerability, tracked as CVE-2023-20269, is a medium-severity flaw affecting the remote access VPN features in Cisco's Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. It could, according to the networking vendor's advisory, "allow an unauthenticated, remote attacker to conduct a brute force attack in an attempt to identify valid username and password combinations or an authenticated, remote attacker to establish a clientless SSL VPN session with an unauthorized user."

"This vulnerability is due to improper separation of authentication, authorization, and accounting (AAA) between the remote access VPN feature and the HTTPS management and site-to-site VPN features," the advisory, published Wednesday, read. "An attacker could exploit this vulnerability by specifying a default connection profile/tunnel group while conducting a brute force attack or while establishing a clientless SSL VPN session using valid credentials."

Notably, Cisco said it became aware of "attempted exploitation" of the flaw in the wild last month, and that the activity was included among activity from the Akira ransomware gang against Cisco VPNs disclosed on Aug. 24. The networking vendor told TechTarget Editorial at the time that ransomware actors Akira, LockBit and Trigona were taking advantage of a wide range of VPNs -- not just Cisco's -- "that are not configured for multifactor authentication."

No software update is available as of publishing time, though Cisco provided indicators of compromise and multiple workarounds to customers with affected ASA and FTD software versions; a version-checking tool is available in the advisory. Workarounds include configuring dynamic access policies, restricting VPN remote access and other access controls. The vendor also recommended enabling logging.

TechTarget Editorial asked Cisco about the status of the patch for CVE-2023-20269. The company declined to comment, though a spokesperson shared the following statement:

Following our well-established disclosure process for reporting security vulnerabilities in our products, on September 6, 2023, Cisco published a security advisory regarding a vulnerability in the remote access VPN feature of Cisco Adaptive Security Appliance Software and Cisco Firepower Threat Defense Software. We strongly recommend customers apply one of the suggested workarounds, review the recommendations shared in the Advisory and upgrade to a fixed software release once available.

The Akira ransomware gang is a relatively new threat group that was first observed in March. According to Cisco, the gang uses several extortion methods, including stealing and publishing victims' sensitive data. NCC Group observed a sharp increase in Akira activity in the spring with nearly 30 reported victims during May, which made it the fifth most-active ransomware gang that month.

Alexander Culafi is an information security news writer, journalist and podcaster based in Boston.