Security News > 2024 > February > Akira, LockBit actively searching for vulnerable Cisco ASA devices

Akira, LockBit actively searching for vulnerable Cisco ASA devices
2024-02-08 12:22

Akira and Lockbit ransomware groups are trying to breach Cisco ASA SSL VPN devices by exploiting several older vulnerabilities, security researcher Kevin Beaumont is warning.

"But the problem is nobody has complete visibility of what exploits actually exist," he added, and advised admins to upgrade to the latest ASA release on all devices that have the AnyConnect SSL VPN feature enabled on the device's interface.

Cisco ASA devices are widely deployed in organizations of all sizes, and are regularly targeted by attackers via unpatched vulnerabilities, credential stuffing and targeted brute-force attacks.

PoCs for patched vulnerabilities surface often, making the attackers' work easier, but they are also either creating their own exploits or buying them from somewhere: Truesec researchers have recently flagged Akira's likely exploitation of CVE-2020-3259, for which there is no known public exploit.

Though an exploit for CVE-2020-3580, a cross-site scripting vulnerability affecting Cisco ASA and FTD devices, was leveraged by attackers in 2021, ransomware groups are obviously hoping that many organizations are VERY slow to patch.

"I've just been looking at data from GreyNoise and other firms. There has been a significant uptick in scanning for Cisco AnyConnect VPN devices," Beaumont also noted on Wednesday.


News URL

https://www.helpnetsecurity.com/2024/02/08/ransomware-cisco-asa-vulnerabilities/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2020-10-21 CVE-2020-3580 Cross-site Scripting vulnerability in Cisco products
Multiple vulnerabilities in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the web services interface of an affected device.
network
low complexity
cisco CWE-79
6.1
2020-05-06 CVE-2020-3259 Unspecified vulnerability in Cisco products
A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to retrieve memory contents on an affected device, which could lead to the disclosure of confidential information.
network
low complexity
cisco
7.5

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Cisco 4416 230 3110 1857 603 5800