
Nearly 4-year-old Cisco vuln linked to recent Akira ransomware attacks
2024-01-31 17:45

Security researchers believe the Akira ransomware group could be exploiting a nearly four-year-old Cisco vulnerability and using it as an entry point into organizations' systems.

In eight of security company TrueSec's most recent incident response engagements that involved Akira and Cisco's AnyConnect SSL VPN as the entry point, at least six of the devices were running versions vulnerable to CVE-2020-3259, which was patched in May 2020.

The vulnerability lies in the web services interface of Cisco Adaptive Security Appliance and Cisco Firepower Threat Defense software, allowing attackers to extract secrets stored in memory in clear text, such as usernames and passwords, à la CitrixBleed.

TrueSec said that because there is no publicly available exploit code for the Cisco vulnerability, cybercriminals like those working for Akira would either need to have bought an exploit from somewhere or developed one of their own, which would require a deep understanding of the flaw.

Akira has long been known to target Cisco VPNs as the initial access vector for its ransomware attacks; the possible exploitation of this old vulnerability is the new finding here.

"If your organization is running Cisco AnyConnect, and assuming the device has been patched since a fix for CVE-2020-3259 was available, it is highly recommended that you backtrack when your device was upgraded to a non-vulnerable version," he added.


News URL

https://go.theregister.com/feed/www.theregister.com/2024/01/31/cisco_vuln_akira_attacks/

Related Vulnerability

DATE: 2020-05-06
CVE: CVE-2020-3259
VULNERABILITY TITLE: Unspecified vulnerability in Cisco products
DESCRIPTION: A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to retrieve memory contents on an affected device, which could lead to the disclosure of confidential information.
ATTACK VECTOR: network
ATTACK COMPLEXITY: low complexity
VENDOR: cisco
RISK (CVSS base score): 7.5

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Cisco 4416 230 3110 1857 603 5800