Akira Ransomware Gang Exploiting Cisco ASA Zero-Day

The Akira ransomware gang has been remotely exploiting a zero-day in Cisco’s Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software (CVE-2023-20269) in brute-force attacks since at least August, the company said.

‍

“This vulnerability is due to improper separation of authentication, authorization, and accounting (AAA) between the remote access VPN feature and the HTTPS management and site-to-site VPN features,” Security Weekly reports.

‍

“In August 2023, the Cisco Product Security Incident Response Team (PSIRT) became aware of attempted exploitation of this vulnerability in the wild. Cisco strongly recommends that customers upgrade to a fixed software release to remediate this vulnerability once available and apply one of the suggested workarounds in the meantime.”

‍

Cisco is said to be working on security updates to remedy the vulnerability in both Cisco ASA and FTD software.

‍

Takeaway: Today’s ransomware attacks employ techniques that are far advanced from the ransomware campaigns of even just a year or two ago.  

‍

Attackers are reinvesting ransom proceeds into hiring really talented developers who are constantly finding new ways to infect victims, evade detection, exfiltrate more sensitive data, and encrypt more files faster.

‍

Ransomware attacks used to be clumsier and more random, basically a numbers game where massive email spam campaigns or drive-by watering hole attacks designed to infect as many individual devices as possible while asking for ransoms of a fraction of a bitcoin - but those days have largely passed.

‍

It is highly unusual to see ransomware gangs using zero-days in attacks, as these exploits are valuable and usually leveraged in nation-state operations as opposed to cybercriminal attacks.

‍

Overall, attackers are automating scans looking for vulnerable applications to exploit as we have seen in the massive Cl0p campaigns targeting the MoveIT and GoAnywhere software bugs.

‍

They are also creating bespoke tools for more efficient collection and exfiltration of victim data and building out their RaaS platform services to smooth the negotiation and ransom payment process.

‍

But the marked increase in the exploitation of zero-day vulnerabilities by ransomware gangs is concerning, and further evidence that criminal actors are employing increasingly complex techniques that we used to only see in nation-state operations.

‍

‍

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more.