Cisco Acknowledges Zero-Day Vulnerability Exploited by Hackers

By Roberto Andreo

Sep 8, 2023

Cisco has confirmed a zero-day vulnerability in the remote access VPN feature of its Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software that is being exploited in the wild. Tracked as CVE-2023-20269, it lets an unauthenticated remote attacker run brute-force attacks to identify valid username and password combinations, and lets an attacker holding valid credentials establish a clientless SSL VPN session with an account that is not authorized for one. The flaw does not bypass authentication outright; attackers still need to guess or steal credentials, which is why weak passwords and missing multi-factor authentication are central to the intrusions described below.

Password spraying tries a short list of common passwords against many usernames, keeping the attempts per account below lockout thresholds and so evading simple detection, while a brute-force attack throws a large number of password guesses at a small number of usernames. In this case, an attacker exploits the vulnerability by specifying a default connection profile (tunnel group) while brute-forcing credentials, or while establishing a clientless SSL VPN session; Cisco notes that the clientless SSL VPN abuse applies only to ASA Software Release 9.16 and earlier.

ASA and FTD devices are widely deployed security appliances that provide firewall, malware protection, intrusion prevention, and virtual private network (VPN) functions. The vulnerability stems from improper separation of authentication, authorization, and accounting (AAA) between the remote access VPN feature and the HTTPS management and site-to-site VPN features, so credentials intended for one of those features can be tried against another.

Security firm Rapid7 reported that since March it has observed credential-stuffing and brute-force attacks against ASA devices by the Akira ransomware group. The attacks targeted devices on which multi-factor authentication was not enforced for some or all users. Rapid7 identified at least 11 customers who experienced intrusions involving Cisco ASA SSL VPNs between March and August 2023, which suggests the activity is broad rather than targeted at a single victim.

In most cases investigated by Rapid7, the threat actors attempted to log in to ASA appliances with common or default usernames, including "adminadmin," "kali," "cisco," and "guest." Some login attempts failed, but others succeeded on the first try, which points to weak or default credentials on the affected accounts.
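As an added example (not part of the original article, and not code from Cisco or Rapid7), the following Python script triages ASA remote-access VPN authentication syslog for the two guessing patterns described above and for the kind of login Rapid7 saw succeed: a successful authentication right after a guessing run, or with a username such as "cisco" or "guest" that no real user should own. The sample log lines are constructed and modelled on the ASA WebVPN authentication messages (716038 successful, 716039 rejected); the exact field wording, the thresholds, the extra usernames "admin" and "test", the default tunnel-group names, and all function names are assumptions to adapt to your own environment.

```python
"""Triage Cisco ASA remote-access VPN authentication syslog for password
spraying, brute forcing, and logins that should never have succeeded.
Added example: the sample lines below are constructed, not real logs."""
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines, modelled on the ASA WebVPN messages
# %ASA-6-716039 (Authentication: rejected) and %ASA-6-716038 (successful).
# Wording and bracketing on a real appliance may differ; adjust LOG_RE.
SAMPLE_LOGS = """\
%ASA-6-716039: Group <DefaultWEBVPNGroup> User <adminadmin> IP <198.51.100.7> Authentication: rejected, Session Type: WebVPN.
%ASA-6-716039: Group <DefaultWEBVPNGroup> User <kali> IP <198.51.100.7> Authentication: rejected, Session Type: WebVPN.
%ASA-6-716039: Group <DefaultWEBVPNGroup> User <cisco> IP <198.51.100.7> Authentication: rejected, Session Type: WebVPN.
%ASA-6-716039: Group <DefaultWEBVPNGroup> User <guest> IP <198.51.100.7> Authentication: rejected, Session Type: WebVPN.
%ASA-6-716039: Group <DefaultWEBVPNGroup> User <admin> IP <198.51.100.7> Authentication: rejected, Session Type: WebVPN.
%ASA-6-716039: Group <DefaultWEBVPNGroup> User <test> IP <198.51.100.7> Authentication: rejected, Session Type: WebVPN.
%ASA-6-716039: Group <DefaultWEBVPNGroup> User <vpn-contractor> IP <203.0.113.9> Authentication: rejected, Session Type: WebVPN.
%ASA-6-716039: Group <DefaultWEBVPNGroup> User <vpn-contractor> IP <203.0.113.9> Authentication: rejected, Session Type: WebVPN.
%ASA-6-716039: Group <DefaultWEBVPNGroup> User <vpn-contractor> IP <203.0.113.9> Authentication: rejected, Session Type: WebVPN.
%ASA-6-716039: Group <DefaultWEBVPNGroup> User <vpn-contractor> IP <203.0.113.9> Authentication: rejected, Session Type: WebVPN.
%ASA-6-716039: Group <DefaultWEBVPNGroup> User <vpn-contractor> IP <203.0.113.9> Authentication: rejected, Session Type: WebVPN.
%ASA-6-716038: Group <DefaultWEBVPNGroup> User <vpn-contractor> IP <203.0.113.9> Authentication: successful, Session Type: WebVPN.
%ASA-6-716039: Group <CORP-RA> User <jdoe> IP <192.0.2.44> Authentication: rejected, Session Type: WebVPN.
%ASA-6-716038: Group <CORP-RA> User <jdoe> IP <192.0.2.44> Authentication: successful, Session Type: WebVPN.
%ASA-6-716038: Group <DefaultWEBVPNGroup> User <cisco> IP <203.0.113.250> Authentication: successful, Session Type: WebVPN.
"""

# Usernames the article reports attackers trying ("adminadmin", "kali",
# "cisco", "guest"); "admin" and "test" are assumed additions for this example.
WEAK_USERNAMES = {"adminadmin", "kali", "cisco", "guest", "admin", "test"}
# ASA's built-in connection profiles (tunnel groups). Logins landing in one of
# these instead of a named profile deserve a look, given the default-profile
# angle of CVE-2023-20269.
DEFAULT_GROUPS = {"DefaultWEBVPNGroup", "DefaultRAGroup", "DefaultL2LGroup"}
MIN_ATTEMPTS = 5    # assumed: failures from one source before we call it an attack
SPRAY_RATIO = 0.8   # assumed: share of failures that each hit a different username

LOG_RE = re.compile(
    r"Group <?(?P<group>[^>\s]+)>? User <?(?P<user>.+?)>? IP <?(?P<ip>[^>\s]+)>?"
    r" Authentication: (?P<result>successful|rejected)"
)


def analyze(log_text):
    """Return a dict of findings keyed by source IP for the given syslog text."""
    failures = defaultdict(Counter)   # ip -> Counter(username -> failed attempts)
    groups = defaultdict(set)         # ip -> connection profiles seen
    findings = {}

    def entry(ip):
        return findings.setdefault(ip, {
            "pattern": None,                  # "password spraying" / "brute force"
            "success_after_failures": False,  # guessing run followed by a success
            "default_username_success": False,
            "default_group": False,
            "users": [],                      # usernames tried, in order seen
        })

    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # not a WebVPN authentication message
        ip, user, group, result = m["ip"], m["user"], m["group"], m["result"]
        f = entry(ip)
        groups[ip].add(group)
        f["default_group"] = bool(groups[ip] & DEFAULT_GROUPS)
        if result == "rejected":
            failures[ip][user] += 1
            if user not in f["users"]:
                f["users"].append(user)
            continue
        # A success is interesting when it caps a guessing run from the same
        # source, or when the username is one nobody legitimate should hold.
        if sum(failures[ip].values()) >= MIN_ATTEMPTS:
            f["success_after_failures"] = True
        if user.lower() in WEAK_USERNAMES:
            f["default_username_success"] = True

    for ip, per_user in failures.items():
        total = sum(per_user.values())
        if total < MIN_ATTEMPTS:
            continue  # a handful of typos, not an attack
        if max(per_user.values()) >= MIN_ATTEMPTS:
            findings[ip]["pattern"] = "brute force"        # many guesses, one account
        elif len(per_user) / total >= SPRAY_RATIO:
            findings[ip]["pattern"] = "password spraying"  # one guess each, many accounts
    return findings


if __name__ == "__main__":
    for ip, f in analyze(SAMPLE_LOGS).items():
        flags = [k for k, v in f.items() if v is True]
        print(f"{ip:16} pattern={str(f['pattern']):18} flags={flags} users={f['users']}")
```

Run against the constructed sample, the script labels 198.51.100.7 as spraying (six usernames, one attempt each), 203.0.113.9 as brute force that ended in a successful login, and 203.0.113.250 as a first-try success with the default-looking username "cisco", while the single failed-then-successful login for "jdoe" from 192.0.2.44 produces no finding. The thresholds are deliberately low for a short sample; on a production feed, pair the per-source counts with a time window and treat any success flagged by the last two checks as an incident rather than an alert.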

After authenticating, the threat actors deployed tooling to reach further into the network, including the remote access application AnyDesk. The intrusions frequently ended with the deployment and execution of Akira or LockBit-related ransomware.

Cisco is working on software updates to address the vulnerability. In the meantime, administrators are advised to enforce multi-factor authentication on remote access VPN and to use strong, unique passwords for their ASA and FTD devices; since the flaw does not bypass authentication, credential hygiene directly limits what an attacker can achieve with it.

