Attention Cisco users! A critical vulnerability in your ASA and FTD software has been exploited by the notorious Akira ransomware group, putting your data at risk. This blog delves into the details of this attack, explaining the vulnerability, the attackers’ methods, and the crucial steps you need to take to protect yourself.
The Akira Ransomware Exploit
Akira ransomware, first observed in early 2023, is a significant threat less because of the encryptor itself than because of how its operators get in. Instead of relying only on phishing or a dropped Trojan, they have targeted Internet-facing Cisco ASA/FTD appliances running the AnyConnect SSL VPN. By exploiting CVE-2020-3259, an information-disclosure flaw in those devices, the attackers read memory from the appliance, harvest VPN usernames and passwords from it, and then simply log in through the VPN as those users. Where multi-factor authentication (MFA) is not enforced on the VPN, a harvested password is all they need.
Once inside the network, the operators move laterally, exfiltrate data for double extortion, and deploy the Akira encryptor to Windows hosts and, with a Linux variant, to VMware ESXi servers. Encrypted files receive the .akira extension and a ransom note demanding cryptocurrency payment for the decryption key is dropped. The ASA/FTD appliance itself is not encrypted; it is the entry point, and credentials harvested from it remain a usable foothold until they are rotated.
Understanding the Vulnerability
The vulnerability in question is CVE-2020-3259, which affects Cisco ASA and FTD software. Cisco ASA provides a range of security features, including VPN support, firewall capabilities, and intrusion prevention, whereas FTD combines the ASA feature set with advanced threat defense features. CVE-2020-3259 is an information-disclosure vulnerability in the web services interface of both products: a device is affected only when it has AnyConnect or WebVPN configured, which is exactly the configuration of an Internet-facing SSL VPN gateway.
The flaw can be exploited by an unauthenticated, remote attacker who sends crafted requests to the web services interface and receives portions of the device's memory in the response. That memory can contain the usernames, passwords and session tokens of VPN users, which is what makes the bug valuable to a ransomware operator: it yields working VPN credentials without any code execution on the appliance. Cisco rated it CVSS 7.5 (High), and because no foothold on the device is needed, a single vulnerable appliance exposed to the Internet is enough.
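A practitioner's first question is whether a given appliance is actually exposed: is it running a release older than the fix, and is the WebVPN/AnyConnect interface enabled, which is the precondition for the bug? The following script is an added example (not Cisco tooling and not code from the original post) that answers both from saved CLI output. It parses the text of `show version` and `show running-config`, which you capture by hand or with any remote-exec library. The first-fixed release numbers in the table are illustrative placeholders; replace them with the values from Cisco's advisory for CVE-2020-3259 for the trains you run, and note that FTD reports its version in a different format that this parser does not handle.

```python
"""Exposure check for CVE-2020-3259 from captured ASA CLI output (added example)."""
import re

# Illustrative first-fixed ASA releases keyed by "major.minor" train. These are
# ASSUMED placeholders: copy the authoritative values from Cisco's advisory.
FIRST_FIXED_ASA = {
    "9.8": (9, 8, 4, 20),
    "9.12": (9, 12, 3, 2),
    "9.13": (9, 13, 1, 7),
}

# `show version` prints e.g. "Software Version 9.12(2)" or "9.8(4)20" (interim)
VERSION_RE = re.compile(
    r"Adaptive Security Appliance Software Version (\d+)\.(\d+)\((\d+)\)(\d*)"
)


def parse_asa_version(show_version: str):
    """Return the running release as a comparable 4-tuple, or None."""
    m = VERSION_RE.search(show_version)
    if not m:
        return None
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))


def webvpn_enabled_interfaces(running_config: str):
    """Return interfaces listed under 'webvpn' with 'enable <iface>'.

    Lines inside a config block are indented by one space; a non-indented
    line ends the block.
    """
    ifaces = []
    in_block = False
    for line in running_config.splitlines():
        if not line.startswith(" "):
            in_block = line.strip() == "webvpn"
            continue
        if in_block:
            m = re.match(r"\s+enable\s+(\S+)", line)
            if m:
                ifaces.append(m.group(1))
    return ifaces


def assess(show_version: str, running_config: str, fixed_table=FIRST_FIXED_ASA):
    """Combine version and configuration into an exposure verdict."""
    version = parse_asa_version(show_version)
    if version is None:
        return {"status": "unknown", "reason": "could not parse version"}
    train = f"{version[0]}.{version[1]}"
    fixed = fixed_table.get(train)
    ifaces = webvpn_enabled_interfaces(running_config)
    if fixed is None:
        status = "unknown"  # train not in table: consult the advisory
    elif version < fixed:
        # Pre-fix code is only reachable through an enabled WebVPN interface.
        status = "vulnerable" if ifaces else "unpatched-but-not-exposed"
    else:
        status = "patched"
    return {
        "status": status,
        "version": version,
        "train": train,
        "first_fixed": fixed,
        "webvpn_interfaces": ifaces,
    }


# Constructed sample output (not from a real device): pre-fix 9.12 code with
# WebVPN enabled on the outside interface.
SAMPLE_SHOW_VERSION = """Cisco Adaptive Security Appliance Software Version 9.12(2)
Firepower Extensible Operating System Version 2.6(1.131)
"""

SAMPLE_RUNNING_CONFIG = """: Saved
hostname asa-edge
interface GigabitEthernet0/0
 nameif outside
 security-level 0
webvpn
 enable outside
 anyconnect enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ssl-client
"""

if __name__ == "__main__":
    print(assess(SAMPLE_SHOW_VERSION, SAMPLE_RUNNING_CONFIG))
```

The verdict `unpatched-but-not-exposed` is deliberate: an old release with no WebVPN interface enabled is still a patching task, but it is not the Akira entry point described above, so you can prioritise the `vulnerable` devices first.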
Exploitation of Cisco ASA/FTD Vulnerability
The Akira ransomware group has been exploiting CVE-2020-3259 in Cisco ASA/FTD software to compromise multiple susceptible Cisco AnyConnect SSL VPN appliances over the past year. There is no publicly available exploit code for CVE-2020-3259, so a threat actor such as Akira exploiting it would need to buy or produce the exploit themselves, which requires deep insight into the vulnerability.
The Impact and Mitigation
Akira is one of the 25 groups with newly established data leak sites in 2023, with the ransomware group publicly claiming nearly 200 victims. In the fourth quarter of 2023 alone, the e-crime group listed 49 victims on its data leak portal.
The exploitation of this vulnerability by the Akira ransomware poses a significant threat to organizations using vulnerable Cisco ASA/FTD software. On February 15, 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2020-3259 to its Known Exploited Vulnerabilities (KEV) catalog and directed Federal Civilian Executive Branch (FCEB) agencies to remediate it by March 7, 2024.
Cisco fixed the vulnerability in software releases published in May 2020 alongside its advisory, so any device still running pre-fix code has been exploitable for years; organizations are strongly advised to upgrade. Because the bug leaks credentials rather than granting code execution, a device that was exposed to the Internet while unpatched should be treated as having disclosed its VPN users' credentials: after upgrading, reset those passwords, terminate active VPN sessions, and enforce MFA on the VPN so that a leaked password alone is no longer sufficient.
Protecting Your Network
Given the severity of this threat, it is paramount for organizations to take immediate steps to protect their networks from Akira ransomware. Here are some key recommendations:
- Apply Patches and Updates: Cisco has released software updates that address CVE-2020-3259. Apply them promptly to every affected ASA/FTD device, and treat any credential that was usable through an unpatched, Internet-facing appliance as compromised: rotate it once the device is patched. Regularly updating and patching network devices and software is a critical component of a robust cybersecurity posture.
- Enhance Monitoring and Detection: A harvested credential produces a VPN login that looks legitimate, so generic malware signatures will not catch the entry. Watch VPN authentication logs for anomalies instead: a user connecting from a source address never seen before, logins outside working hours, and a successful login that follows a burst of rejected attempts. Early detection can prevent the spread of ransomware and minimize damage.
- Educate Your Workforce: Since phishing campaigns are a common delivery method for ransomware, educating employees about the dangers of phishing emails and how to recognize them is crucial. Regular training and simulated phishing exercises can enhance awareness and resilience.
- Implement Network Segmentation: By segmenting your network, you can limit the lateral movement of ransomware, confining the impact of an attack to isolated segments of your network and protecting critical assets.
- Backup and Disaster Recovery: Ensure that you have regular, secure backups of critical data and a comprehensive disaster recovery plan. In the event of a ransomware attack, having up-to-date backups can be the difference between a quick recovery and a catastrophic data loss.
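To make the monitoring recommendation concrete, here is an added example of detection logic run over ASA syslog lines; it is not code from the original post or from Cisco. It parses two real ASA message types, `%ASA-6-113039` (AnyConnect parent session started) and `%ASA-6-113015` (AAA authentication rejected), and flags a session when the user's source IP is not in a per-user baseline, when the login falls outside business hours, or when it follows two or more rejections from the same address within five minutes. The log lines, hostname, baseline and thresholds are constructed for the example; the business-hours window and reject threshold are assumptions to tune for your environment.

```python
"""Anomaly checks on Cisco ASA VPN authentication syslog (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

TS = r"(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2})"
# %ASA-6-113039: Group <grp> User <user> IP <ip> AnyConnect parent session started.
SESSION_RE = re.compile(
    TS + r" .*%ASA-6-113039: Group (?P<group>\S+) User (?P<user>\S+) IP (?P<ip>\S+) "
    r"AnyConnect parent session started"
)
# %ASA-6-113015: AAA user authentication Rejected : reason = ... : user = <u> : user IP = <ip>
REJECT_RE = re.compile(
    TS + r" .*%ASA-6-113015: AAA user authentication Rejected.*: user = (?P<user>\S+) "
    r": user IP = (?P<ip>\S+)"
)


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%b %d %Y %H:%M:%S")


def detect(lines, baseline, business_hours=(7, 19),
           reject_window=timedelta(minutes=5), reject_threshold=2):
    """Return a list of findings, one per suspicious successful VPN session.

    baseline maps user -> set of source IPs previously seen for that user.
    """
    events = []
    for line in lines:
        m = SESSION_RE.search(line)
        if m:
            events.append((parse_ts(m["ts"]), "session", m["user"], m["ip"]))
            continue
        m = REJECT_RE.search(line)
        if m:
            events.append((parse_ts(m["ts"]), "reject", m["user"], m["ip"]))
    events.sort(key=lambda e: e[0])  # logs may arrive out of order

    rejects = defaultdict(list)  # (user, ip) -> timestamps of rejections
    findings = []
    for ts, kind, user, ip in events:
        key = (user, ip)
        if kind == "reject":
            rejects[key].append(ts)
            continue
        reasons = []
        if ip not in baseline.get(user, set()):
            reasons.append("new-source-ip")
        if not (business_hours[0] <= ts.hour < business_hours[1]):
            reasons.append("off-hours")
        recent = [t for t in rejects[key] if ts - t <= reject_window]
        if len(recent) >= reject_threshold:
            reasons.append("rejects-before-success")
        if reasons:
            findings.append({"time": ts, "user": user, "ip": ip, "reasons": reasons})
    return findings


# Constructed sample log (documentation IP ranges, invented hostname/users).
SAMPLE_LOGS = """\
Feb 20 2024 09:02:11 asa-edge : %ASA-6-113039: Group RemoteUsers User jdoe IP 198.51.100.20 AnyConnect parent session started.
Feb 20 2024 09:15:42 asa-edge : %ASA-6-113039: Group RemoteUsers User asmith IP 198.51.100.33 AnyConnect parent session started.
Feb 20 2024 03:12:41 asa-edge : %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jdoe : user IP = 203.0.113.77
Feb 20 2024 03:12:55 asa-edge : %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jdoe : user IP = 203.0.113.77
Feb 20 2024 03:13:09 asa-edge : %ASA-6-113039: Group RemoteUsers User jdoe IP 203.0.113.77 AnyConnect parent session started.
"""

# Constructed per-user baseline of previously seen source addresses.
BASELINE = {"jdoe": {"198.51.100.20"}, "asmith": {"198.51.100.33"}}

if __name__ == "__main__":
    for f in detect(SAMPLE_LOGS.splitlines(), BASELINE):
        print(f"{f['time']} {f['user']} from {f['ip']}: {', '.join(f['reasons'])}")
```

Only the 03:13 session for `jdoe` is reported: it comes from an address outside that user's baseline, at night, right after two failed attempts from the same address, which is the shape a login with a harvested password tends to take. Seed the baseline from a few weeks of known-good logs, and feed the same rules to your SIEM rather than a script once they are tuned.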
The exploitation of the Cisco ASA/FTD vulnerability by Akira ransomware underscores the importance of timely patching and updating of systems. It also highlights the need for organizations to stay informed about the latest threats and vulnerabilities, and to implement robust security measures to protect their networks and data.
Stay safe and secure in the digital world!
At Maagsoft Inc, we are your trusted partner in the ever-evolving realms of cybersecurity, AI innovation, and cloud engineering. Our mission is to empower individuals and organizations with cutting-edge services, training, and AI-driven solutions. Contact us at contact@maagsoft.com to embark on a journey towards fortified digital resilience and technological excellence.