A recently disclosed Cisco VPN vulnerability, identified as CVE-2023-20269, has been targeted by the Akira ransomware group in attempted cyberattacks. The flaw, categorized as medium-severity, impacts the remote access VPN functionality in Cisco’s Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. This vulnerability could potentially allow a remote attacker, either unauthenticated or authenticated, to carry out a brute-force attack aimed at identifying valid username and password combinations, or to establish a clientless SSL VPN session as an unauthorized user.
Cisco’s advisory, released on a Wednesday, explained that this vulnerability arose due to a lack of proper separation between authentication, authorization, and accounting (AAA) in the remote access VPN feature and the HTTPS management and site-to-site VPN features.
Notably, Cisco reported that it became aware of “attempted exploitation” of this vulnerability in the wild last month. This activity was linked to the Akira ransomware gang, as part of their broader campaign targeting Cisco VPNs that was disclosed on August 24. Cisco had noted that multiple ransomware groups, including Akira, LockBit, and Trigona, were taking advantage of VPNs that lacked multifactor authentication.
As of the time of this report, no software update had been released to address the vulnerability. However, Cisco did provide indicators of compromise and suggested several workarounds for customers using affected ASA and FTD software versions. These workarounds include configuring dynamic access policies, restricting VPN remote access and applying other access controls, and enabling detailed logging.
When asked about the status of a patch for CVE-2023-20269, Cisco declined to comment but strongly recommended that customers apply one of the provided workarounds and carefully review the guidance shared in the advisory. They also urged customers to promptly upgrade to a fixed software release once it becomes available.
The Akira ransomware gang, a relatively new threat group first detected in March, employs various extortion tactics, including stealing and publicly disclosing victims’ sensitive data. Their activity increased significantly in the spring, with nearly 30 reported victims in May, making them one of the top five most active ransomware groups that month, according to observations from NCC Group.