CISA Issues Alert on Akira Ransomware Exploiting Cisco ASA/FTD Vulnerability

February 16, 2024

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about the Akira ransomware group exploiting a previously patched security flaw in Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. This vulnerability, known as CVE-2020-3259, has been added to CISA's Known Exploited Vulnerabilities catalog due to its use in Akira ransomware attacks.

Cisco patched the high-severity information disclosure issue, which could allow an attacker to retrieve memory contents from an affected device, in May 2020. However, cybersecurity firm Truesec has found evidence that the Akira ransomware actors have weaponized this vulnerability to compromise multiple susceptible Cisco AnyConnect SSL VPN appliances over the past year.

Heresh Zaremand, a security researcher, stated that "There is no publicly available exploit code for [...] CVE-2020-3259, meaning that a threat actor, such as Akira, exploiting that vulnerability would need to buy or produce exploit code themselves, which requires deep insights into the vulnerability."

Akira is among the 25 groups with newly established data leak sites in 2023, publicly claiming nearly 200 victims. Connections have been found between the group and the notorious Conti syndicate, as ransom proceeds have been sent to Conti-affiliated wallet addresses. In the last quarter of 2023, Akira listed 49 victims on its data leak portal.

Federal Civilian Executive Branch (FCEB) agencies are mandated to fix identified vulnerabilities by March 7, 2024, to protect their networks from potential threats.

Another vulnerability, CVE-2023-22527, found in Atlassian Confluence Data Center and Confluence Server, has been used to deploy C3RB3R ransomware, as well as cryptocurrency miners and remote access trojans, according to Arctic Wolf Labs.

The U.S. State Department has announced rewards of up to $10 million for information leading to the identification or location of key members of the BlackCat ransomware gang. An additional reward of up to $5 million is being offered for information leading to the arrest or conviction of its affiliates.

The ransomware landscape continues to attract cybercriminals seeking quick financial gain, leading to the emergence of new players such as Alpha and Wing. The U.S. Government Accountability Office (GAO) has called for improved oversight of recommended practices for addressing ransomware, particularly for organizations in critical sectors such as manufacturing, energy, healthcare, public health, and transportation systems.
