Nearly 4-year-old Cisco vuln linked to recent Akira ransomware attacks
Security News, January 2024
Security researchers believe the Akira ransomware group could be exploiting a nearly four-year-old Cisco vulnerability and using it as an entry point into organizations' systems.
In eight of security company TrueSec's most recent incident response engagements that involved Akira and Cisco's AnyConnect SSL VPN as the entry point, at least six of the devices were running versions vulnerable to CVE-2020-3259, which was patched in May 2020.
The vulnerability lies in the web services interface of Cisco Adaptive Security Appliance and Cisco Firepower Threat Defense software and allows attackers to extract secrets that are held in memory in clear text, such as usernames and passwords, à la CitrixBleed.
TrueSec said that because there is no publicly available exploit code for the Cisco vulnerability, cybercriminals like those working for Akira would either need to have bought an exploit from somewhere or developed one of their own, which would require a deep understanding of the flaw.
Akira has long been known to target Cisco VPNs as the initial access vector for ransomware attacks, but the possible exploitation of this old vulnerability is the new finding here.
"If your organization is running Cisco AnyConnect, and assuming the device has been patched since a fix for CVE-2020-3259 was available, it is highly recommended that you backtrack when your device was upgraded to a non-vulnerable version," he added.
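The advice above amounts to scoping an exposure window: find out which ASA release the device was running from the day the advisory was published until it was first upgraded to a fixed release. The following script is an added example for this page, not code from TrueSec, The Register or Cisco. It parses the version line of ASA `show version` output, compares it against a per-train "first fixed release" table, and walks an upgrade history to report the exposure interval. The fixed-release table (`ASSUMED_FIXED`), the upgrade history and the version strings are constructed placeholders; the real thresholds must be taken from Cisco's advisory for CVE-2020-3259 before the check is used.

```python
"""
Added example (not from the article or from Cisco): given an ASA upgrade
history, determine whether and for how long a device ran a release
vulnerable to CVE-2020-3259, so the exposure window can be scoped during
incident response.
"""
import re
from datetime import date

# Advisory publication date, as listed in the page's vulnerability table.
ADVISORY_DATE = date(2020, 5, 6)

# First fixed release per ASA software train, keyed by (major, minor).
# PLACEHOLDER VALUES: constructed for this example. Replace them with the
# "First Fixed Release" figures from Cisco's advisory before relying on them.
ASSUMED_FIXED = {
    (9, 8): (9, 8, 4, 20),
    (9, 12): (9, 12, 3, 9),
}
# Trains older than the oldest entry in the table are treated as having no
# fix at all (the usual situation for end-of-life trains: migrate instead).
OLDEST_FIXED_TRAIN = min(ASSUMED_FIXED)

# ASA prints its release as e.g. "Software Version 9.8(4)10".
VERSION_RE = re.compile(r"Software Version (\d+)\.(\d+)\((\d+)\)(\d+)")


def parse_asa_version(show_version_line):
    """Turn '... Software Version 9.8(4)10' into (9, 8, 4, 10); None if absent."""
    m = VERSION_RE.search(show_version_line)
    return tuple(int(g) for g in m.groups()) if m else None


def is_vulnerable(version, fixed=ASSUMED_FIXED):
    """True if the release is below the first fixed release of its train."""
    train = version[:2]
    if train in fixed:
        return version < fixed[train]
    if train < OLDEST_FIXED_TRAIN:
        return True  # no fixed release exists for this train
    # A train newer than anything in the table cannot be judged from it.
    raise ValueError(f"train {train[0]}.{train[1]} not in fixed-release table; consult the advisory")


def exposure_window(history):
    """
    history: chronological list of (install_date, show_version_line) upgrade events.
    Returns (start, end) for the period the device ran a vulnerable release
    after the advisory was published; end is None if it is still vulnerable.
    Returns None if the device was never exposed.
    """
    start = end = None
    for installed, line in history:
        vuln = is_vulnerable(parse_asa_version(line))
        if vuln and start is None:
            # Exposure cannot begin before the advisory (and the fix) existed.
            start = max(installed, ADVISORY_DATE)
        elif not vuln and start is not None and end is None:
            end = installed
    if start is None or (end is not None and end <= start):
        return None
    return (start, end)


if __name__ == "__main__":
    # Constructed upgrade history for a single appliance.
    history = [
        (date(2019, 3, 1), "Cisco Adaptive Security Appliance Software Version 9.8(4)10"),
        (date(2021, 8, 15), "Cisco Adaptive Security Appliance Software Version 9.12(4)13"),
    ]
    window = exposure_window(history)
    if window is None:
        print("device never ran a vulnerable release after the advisory")
    else:
        start, end = window
        days = (end - start).days if end else None
        print(f"exposed from {start} until {end or 'now'}"
              + (f" ({days} days)" if days is not None else ""))
```

Run it against the real upgrade log of each appliance (from change tickets or `show version` captures) after populating the fixed-release table; any device whose window has no end, or a long window that overlaps the Akira engagements, is a candidate for credential rotation and a review of VPN authentication logs from that period.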
News URL: https://go.theregister.com/feed/www.theregister.com/2024/01/31/cisco_vuln_akira_attacks/
Related news
- Massive PSAUX ransomware attack targets 22,000 CyberPanel instances
- North Korean Group Collaborates with Play Ransomware in Significant Cyber Attack
- North Korean govt hackers linked to Play ransomware attack
- City of Columbus: Data of 500,000 stolen in July ransomware attack
- Columbus, Ohio, confirms 500K people affected by Rhysida ransomware attack
- Critical Veeam RCE bug now used in Frag ransomware attacks
- Halliburton reports $35 million loss after ransomware attack
- New Ymir ransomware partners with RustyStealer in attacks
- New Ymir Ransomware Exploits Memory for Stealthy Attacks; Targets Corporate Networks
- New 'Helldown' Ransomware Variant Expands Attacks to VMware and Linux Systems
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK
---|---|---|---
2020-05-06 | CVE-2020-3259 | Unspecified vulnerability in Cisco products: a vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to retrieve memory contents on an affected device, which could lead to the disclosure of confidential information. | 7.5