
Ransomware Exploiting Zero-Day Vulnerability in Cisco ASA and FTD Software

Advisory

17 October 2023


Background

Ransomware groups including LockBit and Akira are reportedly exploiting a zero-day vulnerability (CVE-2023-20269) in the VPN feature of Cisco’s Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) software to gain access to corporate networks.

Initial access is achieved by exploiting public-facing services or applications. Weaknesses in multi-factor authentication (MFA) are often targeted, as are known vulnerabilities in VPN software. Once inside, attackers attempt to dump credentials through LSASS memory dumps for further lateral movement and, where necessary, privilege escalation.

There are workarounds to address this vulnerability, in addition to official software updates from Cisco.


Impact

  • An unauthenticated remote attacker can conduct brute force attacks to identify valid credentials of existing accounts to establish unauthorized remote access VPN sessions.
  • An authenticated remote attacker can establish clientless SSL VPN sessions (only when running Cisco ASA Software Release 9.16 or earlier).
  • Attackers can gain access to customers’ Cisco VPN solution
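As an added illustration of the brute-force activity described above (example code written for this page, not part of the advisory or of any Cisco tooling): a small detector that flags source IPs producing many rejected remote-access VPN authentications across several usernames in a short window, which distinguishes credential guessing from a single user mistyping a password. The sample log lines are constructed in the shape of Cisco ASA %ASA-6-113005 AAA rejection messages; the exact field layout, thresholds and window are assumptions to be tuned against real device output.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the shape of Cisco ASA %ASA-6-113005 AAA rejection
# messages (field layout assumed; hosts, users and addresses are invented).
SAMPLE_LOG = """\
Oct 17 2023 10:00:01 asa01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jsmith : user IP = 203.0.113.10
Oct 17 2023 10:00:03 asa01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = admin : user IP = 203.0.113.10
Oct 17 2023 10:00:04 asa01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = vpnuser : user IP = 203.0.113.10
Oct 17 2023 10:00:06 asa01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = backup : user IP = 203.0.113.10
Oct 17 2023 10:00:07 asa01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = test : user IP = 203.0.113.10
Oct 17 2023 10:05:00 asa01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jdoe : user IP = 198.51.100.7
"""

# Timestamp, then the rejected username and the client IP at the end of the message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-6-113005: .*?"
    r"user = (?P<user>\S+) : user IP = (?P<ip>\S+)$"
)


def parse_rejections(log_text):
    """Yield (timestamp, username, source_ip) for each AAA rejection line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"), m["user"], m["ip"]


def find_brute_force(log_text, threshold=5, window=timedelta(minutes=1), min_users=3):
    """Return {source_ip: sorted usernames} for sources with at least `threshold`
    rejections covering at least `min_users` distinct usernames inside `window`.
    A sliding window is kept per source IP; the distinct-user requirement keeps a
    single forgetful user from tripping the rule."""
    events = defaultdict(list)
    for ts, user, ip in parse_rejections(log_text):
        events[ip].append((ts, user))
    hits = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # drop events that fell out of the window
            burst = evs[start:end + 1]
            users = {u for _, u in burst}
            if len(burst) >= threshold and len(users) >= min_users:
                hits[ip] = sorted(users)
    return hits
```

Running `find_brute_force(SAMPLE_LOG)` flags only 203.0.113.10, which cycled through five usernames in six seconds; the single rejection from 198.51.100.7 stays below the threshold.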


System Affected

At the time of publication, this vulnerability affected Cisco devices running a vulnerable release of Cisco ASA or FTD Software. The exact conditions to determine whether a device is vulnerable depend on the desired outcome.

For information about which Cisco software releases were vulnerable at the time of publication, see the Fixed Software section of Cisco’s advisory.

Cisco has confirmed that this vulnerability does not affect the following Cisco products:

  • Firepower Management Center (FMC) Software
  • FXOS Software
  • IOS Software
  • IOS XE Software
  • IOS XR Software
  • NX-OS Software


Recommendations

  • Install Cisco’s latest software updates to ensure this vulnerability is patched.
  • Enable multi-factor authentication (MFA).
  • Use anti-malware software or other security tools capable of detecting and blocking known ransomware variants.
  • Educate and train employees on cybersecurity best practices, including identifying and reporting suspicious emails or other threats.

Note:

See section “Workarounds” in Cisco’s security advisory for more details.
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ravpn-auth-8LyfCkeC


References

https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-akira
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ravpn-auth-8LyfCkeC
https://www.bleepingcomputer.com/news/security/cisco-warns-of-vpn-zero-day-exploited-by-ransomware-gangs/