Akira Ransomware Gang Exploiting Cisco ASA Zero-Day


September 11, 2023

World map

The Akira ransomware gang has been remotely exploiting a zero-day in Cisco’s Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software (CVE-2023-20269) in brute-force attacks since at least August, the company said.

“This vulnerability is due to improper separation of authentication, authorization, and accounting (AAA) between the remote access VPN feature and the HTTPS management and site-to-site VPN features,” Security Weekly reports.

“In August 2023, the Cisco Product Security Incident Response Team (PSIRT) became aware of attempted exploitation of this vulnerability in the wild. Cisco strongly recommends that customers upgrade to a fixed software release to remediate this vulnerability once available and apply one of the suggested workarounds in the meantime.”

Cisco is said to be working on security updates to remedy the vulnerability in both Cisco ASA and FTD software.

Takeaway: Today’s ransomware attacks employ techniques that are far advanced from the ransomware campaigns of even just a year or two ago.  

Attackers are reinvesting ransom proceeds into hiring really talented developers who are constantly finding new ways to infect victims, evade detection, exfiltrate more sensitive data, and encrypt more files faster.

Ransomware attacks used to be clumsier and more random, basically a numbers game where massive email spam campaigns or drive-by watering hole attacks designed to infect as many individual devices as possible while asking for ransoms of a fraction of a bitcoin - but those days have largely passed.

It is highly unusual to see ransomware gangs using zero-days in attacks, as these exploits are valuable and usually leveraged in nation-state operations as opposed to cybercriminal attacks.

Overall, attackers are automating scans looking for vulnerable applications to exploit as we have seen in the massive Cl0p campaigns targeting the MoveIT and GoAnywhere software bugs.

They are also creating bespoke tools for more efficient collection and exfiltration of victim data and building out their RaaS platform services to smooth the negotiation and ransom payment process.

But the marked increase in the exploitation of zero-day vulnerabilities by ransomware gangs is concerning, and further evidence that criminal actors are employing increasingly complex techniques that we used to only see in nation-state operations.

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more.