Cisco Zero-day Targeted by Ransomware Gangs Akira

Cisco Zero-day Targeted by Ransomware Gangs Akira

Cisco, a prominent provider of network infrastructure solutions, has issued a critical warning concerning a newly discovered zero-day vulnerability identified as CVE-2023-20269. This security loophole presents a substantial threat, as it is currently being actively exploited by ransomware groups to illicitly access corporate networks.


The primary targets of this cyber assault are Cisco's Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) Software. This vulnerability, classified as having medium severity, revolves around the Virtual Private Network (VPN) functionality within Cisco ASA and FTD Software.


It affords malicious actors the capability to execute brute force attacks against pre-existing user accounts, ultimately resulting in unauthorized access to the victim's network. Following the compromise of user accounts, cybercriminals can establish clientless SSL VPN sessions within the breached organization's network.


The implications of such unauthorized access are diverse, contingent upon the configuration of the victim's network. Recent reports have brought to light the consistent exploitation of Cisco VPN devices by the Akira ransomware gang, leading cybersecurity experts to suspect an undisclosed vulnerability as the initial point of entry. Subsequently, the Lockbit ransomware operation was also discovered to be capitalizing on an undocumented security flaw within Cisco VPN devices.

Figure 1: Facet Analysis Cisco ASA


It is noteworthy that this vulnerability may lead to unauthorized remote attackers conducting brute force attacks against existing accounts, and it impacts Cisco ASA Software Release 9.16 or earlier versions. Our cyberdefenseinsight team has observed that there are still a significant number of Cisco ASA devices globally utilizing outdated versions, potentially making them vulnerable. There are approximately 52,447 publicly exposed devices.

Figure 2: Cisco ASA Exposed Indonesia Server


Specifically within Indonesia, our cyberdefenseinsight team has identified 130 publicly exposed Cisco ASA devices. While the exact versions of these devices are not discernible, they may fall within the spectrum of potentially vulnerable versions seen globally.


Although the versions discovered by our cyberdefenseinsight team are considerably older and may not be susceptible to CVE-2023-20269, they could be vulnerable to other exploits that have been targeted by ransomware groups like the Akira ransomware gang, which has been known to target Cisco VPN Devices.


This information serves as a critical reminder of the importance of promptly updating and securing network infrastructure to protect against evolving cybersecurity threats.

To mitigate the CVE-2023-20269 vulnerability in Cisco ASA and FTD Software and protect your network, consider implementing the following measures:

  • Dynamic Access Policies (DAP): Utilize DAP configurations to halt the formation of VPN tunnels with DefaultADMINGroup or DefaultL2LGroup. This helps prevent unauthorized VPN session establishment using these default connection profiles.
  • Default Group Policy Restrictions: Prevent the establishment of VPN sessions with DefaultADMINGroup or DefaultL2LGroup by setting the `vpn-simultaneous-logins` option to zero in the default group policy (DfltGrpPolicy). Ensure that all VPN session profiles are directed to a custom policy.
  • Restrict Users in the LOCAL User Database: For users in the LOCAL user database who should not be able to establish remote access VPN tunnels, use the 'group-lock' option in username attributes to lock specific users to a single profile. Additionally, prevent VPN setups by setting 'vpn-simultaneous-logins' to zero in the user attributes configuration.
  • Securing Default Remote Access VPN Profiles: Secure DefaultRAGroup and DefaultWEBVPNGroup connection profiles by pointing them to a sinkhole AAA server (dummy LDAP server). This helps prevent authentication attempts and VPN session establishment using default profiles.
  • Enable Logging: Activate logging to a remote syslog server for improved monitoring and early detection of potential attack incidents. Monitoring logs is crucial for detecting and responding to security threats.
  • Implement Multi-Factor Authentication (MFA): Implement MFA in your VPN configuration to enhance security. MFA adds an extra layer of protection, requiring a second factor for authentication. Even if attackers manage to brute-force credentials, they won't be able to establish VPN connections without the second factor.

Additionally, Cisco recommends updating the software to a fixed version when a software update becomes available. Although a software update is not currently available, monitoring for updates from Cisco is an important step to address this vulnerability as soon as an update is released. Meanwhile, for remote versions that may be vulnerable, update them as soon as possible.

0 Comments