Security News > 2024 > January > Nearly 4-year-old Cisco vuln linked to recent Akira ransomware attacks
Security researchers believe the Akira ransomware group could be exploiting a nearly four-year-old Cisco vulnerability and using it as an entry point into organizations' systems.
In eight of security company TrueSec's most recent incident response engagements that involved Akira and Cisco's AnyConnect SSL VPN as the entry point, at least six of the devices were running versions vulnerable to CVE-2020-3259, which was patched in May 2020.
The vulnerability lies in the web services interface of Cisco Adaptive Security Appliance and Cisco Firepower Threat Defense software, allowing attackers to extract secrets stored in memory in clear text such as usernames and passwords - la CitrixBleed.
TrueSec said that because there is no publicly available exploit code for the Cisco vulnerability, it means cybercriminals like those working for Akira would either need to have bought that exploit from somewhere or developed one of their own, which would require a deep understanding of the flaw.
Akira is long known to be targeting Cisco VPNs as the initial access vector for ransomware attacks, but the possible exploitation of the old vulnerability is the new finding here.
"If your organization is running Cisco AnyConnect, and assuming the device has been patched since a fix for CVE-2020-3259 was available, it is highly recommended that you backtrack when your device was upgraded to a non-vulnerable version," he added.
News URL
https://go.theregister.com/feed/www.theregister.com/2024/01/31/cisco_vuln_akira_attacks/
Related news
- AutoCanada says ransomware attack "may" impact employee data (source)
- Microsoft Identifies Storm-0501 as Major Threat in Hybrid Cloud Ransomware Attacks (source)
- Embargo ransomware escalates attacks to cloud environments (source)
- JPCERT shares Windows Event Log tips to detect ransomware attacks (source)
- Ransomware attack forces UMC Health System to divert some patients (source)
- Underground ransomware claims attack on Casio, leaks stolen data (source)
- Casio confirms customer data stolen in a ransomware attack (source)
- Schools bombarded by nation-state attacks, ransomware gangs, and everyone in between (source)
- BianLian ransomware claims attack on Boston Children's Health Physicians (source)
- Microsoft: Ransomware Attacks Growing More Dangerous, Complex (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-05-06 | CVE-2020-3259 | Unspecified vulnerability in Cisco products A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to retrieve memory contents on an affected device, which could lead to the disclosure of confidential information. | 7.5 |