Cisco has patched a zero-day vulnerability, CVE-2023-20269, in its Virtual Private Network (VPN) products. The flaw lies in the remote access VPN feature of Cisco's Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software. The bug, rated 5.0 on the Common Vulnerability Scoring System (CVSS), was being exploited in the wild by the Akira ransomware group.
The vulnerability stems from insufficient separation of authentication, authorization, and accounting (AAA) in the remote access VPN feature. This allowed unauthorized access to VPN sessions and made it possible for attackers to obtain valid credentials. The Akira ransomware group, which emerged in March 2023, has made VPNs a key attack vector. The group aims not only to breach corporate perimeter defenses but also to move deeper into systems, encrypting and extracting data with high precision. It exploits exposed applications or services, particularly VPNs, and looks for weaknesses in multi-factor authentication (MFA) to gain access to target networks.
Once inside, the Akira Ransomware group uses LSASS (Local Security Authority Subsystem Service) dumps to obtain credentials and further infiltrate the network. The group also uses readily available tools such as PCHunter64 or creates minidumps to gather information or move within the network. In August 2023, Cisco's Product Security Incident Response Team (PSIRT) detected attempts to exploit the CVE-2023-20269 vulnerability. Cisco has advised its users to upgrade to a fixed software release as soon as possible and has suggested implementing one of their recommended workarounds in the meantime.
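Because the flaw described above lets an attacker obtain valid VPN credentials and open unauthorized sessions, a defender's first question is whether remote access VPN authentication logs show the pattern of repeated failures (against one account or sprayed across many) that precedes such access. The following detector is an added example written for this article, not Cisco's code and not the company's recommended workaround; the log format, hostnames, usernames and addresses are constructed for illustration and are not the real ASA/FTD syslog format. It groups authentication events by source address, counts failures in a sliding time window, classifies the burst as a password spray (many distinct users) or a brute-force attempt (one user), and records whether a successful login from the same source followed the burst.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log lines in a generic syslog-style layout assumed for
# this example (NOT Cisco's actual ASA/FTD message format).
SAMPLE_LOGS = """\
2023-08-21T10:00:01Z vpn-gw auth: user=alice src=203.0.113.10 result=FAIL
2023-08-21T10:00:04Z vpn-gw auth: user=bob src=203.0.113.10 result=FAIL
2023-08-21T10:00:07Z vpn-gw auth: user=carol src=203.0.113.10 result=FAIL
2023-08-21T10:00:11Z vpn-gw auth: user=dave src=203.0.113.10 result=FAIL
2023-08-21T10:00:15Z vpn-gw auth: user=erin src=203.0.113.10 result=FAIL
2023-08-21T10:00:19Z vpn-gw auth: user=erin src=203.0.113.10 result=OK
2023-08-21T10:01:00Z vpn-gw auth: user=frank src=198.51.100.7 result=FAIL
2023-08-21T10:01:30Z vpn-gw auth: user=frank src=198.51.100.7 result=OK
2023-08-21T12:00:00Z vpn-gw auth: user=grace src=192.0.2.44 result=FAIL
2023-08-21T12:00:01Z vpn-gw auth: user=grace src=192.0.2.44 result=FAIL
2023-08-21T12:00:02Z vpn-gw auth: user=grace src=192.0.2.44 result=FAIL
2023-08-21T12:00:03Z vpn-gw auth: user=grace src=192.0.2.44 result=FAIL
2023-08-21T12:00:04Z vpn-gw auth: user=grace src=192.0.2.44 result=FAIL
2023-08-21T12:00:05Z vpn-gw auth: user=grace src=192.0.2.44 result=FAIL
"""

# Assumed record layout: "<ISO-8601 UTC ts> <host> auth: user=<u> src=<ip> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth: user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "src": m["src"], "ok": m["result"] == "OK"}


def detect_auth_abuse(log_text, window=timedelta(minutes=5), fail_threshold=5, spray_users=3):
    """Flag source addresses with >= fail_threshold failed VPN logins inside any
    sliding window of length `window`. Returns one finding per flagged source,
    sorted by source address, with the densest window found for that source."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if not e["ok"]]
        best = None
        start = 0
        # Two-pointer sliding window over failure events only.
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= fail_threshold and (best is None or count > best["failures"]):
                users = {e["user"] for e in fails[start:end + 1]}
                best = {
                    "src": src,
                    "failures": count,
                    "distinct_users": len(users),
                    "window_start": fails[start]["ts"],
                    "window_end": fails[end]["ts"],
                }
        if best is None:
            continue
        # Many distinct accounts in one burst points to spraying; one account to brute force.
        best["kind"] = "password_spray" if best["distinct_users"] >= spray_users else "brute_force"
        # A success from the same source after the burst is the high-priority case:
        # it may mean a credential was obtained and a session opened.
        best["success_after"] = any(e["ok"] and e["ts"] >= best["window_end"] for e in evs)
        findings.append(best)

    return sorted(findings, key=lambda f: f["src"])


if __name__ == "__main__":
    for f in detect_auth_abuse(SAMPLE_LOGS):
        print(f"{f['src']}: {f['kind']} ({f['failures']} failures, "
              f"{f['distinct_users']} users), success_after={f['success_after']}")
```

On the constructed input, 203.0.113.10 is reported as a password spray with a successful login immediately after the burst, 192.0.2.44 as a brute-force attempt with no subsequent success, and 198.51.100.7 (one failure, then success) is not reported at all. The thresholds are deliberately parameters: a sensible window and failure count depend on the size of the VPN user base and how noisy legitimate lockouts are in a given environment.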