17 October 2023
Ransomware groups including LockBit and Akira are reportedly exploiƟng a zero-day vulnerability (CVE-2023- 20269) in the VPN feature of Cisco’s Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) software, to gain access to corporate networks.
Initial delivery is achieved by exploiting public-facing service or applications. Weaknesses in multi-factor authentication (MFA) are oteen targeted as well as known vulnerabilities in VPN software. Attackers attempt to dump credentials though LSASS dumps, for further lateral movement and privilege escalation where necessary.
There are workarounds to address this vulnerability, in addiƟon to official software updates from Cisco.
- An unauthenticated remote attacker can conduct brute force attacks to identify valid credentials of existing accounts to establish unauthorized remote access VPN sessions.
- An authenticated remote attacker can establish clientless SSL VPN sessions (only when running Cisco ASA Software Release 9.16 or earlier)
- Attackers can gain access to customers’ Cisco VPN solution
At the time of publication, this vulnerability affected Cisco devices running a vulnerable release of Cisco ASA or FTD Software. The exact conditions to determine whether a device is vulnerable depend on the desired outcome.
For information about which Cisco software releases were vulnerable at the time of publication, see the Fixed Software section of Cisco’s advisory.
Cisco has confirmed that this vulnerability does not affect the following Cisco products:
- Firepower Management Center (FMC) Software
- FXOS Software
- IOS Software
- IOS XE Software
- IOS XR Software
- NX-OS Software
- Install Cisco’s latest software updates to ensure this vulnerability is patched.
- Enable multi-factor authentication (MFA).
- Use anti-malware software or other security tools capable of detecting and blocking known ransomware variants.
- Educate and train employees on cybersecurity best practices, including identifying and reporting suspicious emails or other threats.
See section “Workarounds” in Cisco’s security advisory for more details.