Ransomware Exploits a Cisco Zero Day

--

When we patch operating systems, it is often fairly seamless, but patching hardware devices can cause much greater problems. This is because we need to locate all of our hardware and update its firmware. A particular problem arises when the devices are involved in networking and can be exposed to external actors.

Now, Cisco devices are identified with a medium-level threat defined as CVE-2023-20269 [here]. This focuses on the VPN features of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software. The threat can involve a remote attacker being able to brute force the device in order to identify valid username and password combinations, or to create a clientless VPN session for an unauthorized user. In practice, this involves an adversary running through username-password combinations until they find a valid one.

This zero-day has been known about since August, and ransomware adversaries (including the Akira ransomware gang) are already exploiting the vulnerability. On 29 August, Rapid7 reported that 11 of its customers had Cisco ASA-related intrusions attributed to Akira and LockBit [here]:

An example of the failed logins is:

The most commonly tried usernames were: admin, adminadmin, backupadmin, kali, cisco, guest, accounting, developer, ftp user, training, test, printer, echo, security, inspector, test test, and snmp.

On the Dark Web, there is evidence of access brokers offering SSL VPN brute forcing as a service for $10,000:

Conclusions

In order to detect the intrusion, network administrators should enable logging to a remote syslog server. At present, there is no patch for this, but it would be hoped that most organisations use strong login credentials and (hopefully) multi-factor authentication (MFA). Otherwise, administrators should upgrade to the latest release.
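The detection advice above (remote syslog) and the list of commonly tried usernames reported earlier can be combined into a simple brute-force detector. The following is an added example, not code from the original article or from Cisco or Rapid7. It parses constructed Cisco ASA syslog lines modelled on the AAA rejection message ID 113005; the exact field layout of that message is an assumption here and should be checked against the syslog reference for the firmware in use. It counts rejected VPN authentications per source IP and flags sources that either exceed a failure threshold or cycle through several of the usernames the article lists.

```python
import re
from collections import defaultdict

# Usernames the article reports as the most commonly tried in the
# Akira / LockBit brute-force attempts against Cisco ASA SSL VPNs.
COMMON_BRUTE_FORCE_USERNAMES = {
    "admin", "adminadmin", "backupadmin", "kali", "cisco", "guest",
    "accounting", "developer", "ftp user", "training", "test", "printer",
    "echo", "security", "inspector", "test test", "snmp",
}

# Regex for ASA AAA rejection messages, modelled on message ID %ASA-6-113005.
# Assumption: the field layout "... user = <name> : user IP = <ip>" as shown in
# the constructed sample below; verify against your device's syslog reference.
AAA_REJECT_RE = re.compile(
    r"%ASA-\d-113005: AAA user authentication Rejected\s*:"
    r".*?user = (?P<user>[^:]+?)\s*: user IP = (?P<ip>[\d.]+)"
)

# Constructed sample syslog lines (not real captured traffic). One source
# cycles through well-known usernames; a second source is a single typo.
SAMPLE_SYSLOG = [
    "Sep 05 2023 10:12:01 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = admin : user IP = 203.0.113.45",
    "Sep 05 2023 10:12:02 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = cisco : user IP = 203.0.113.45",
    "Sep 05 2023 10:12:03 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = guest : user IP = 203.0.113.45",
    "Sep 05 2023 10:12:04 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = test : user IP = 203.0.113.45",
    "Sep 05 2023 10:12:05 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = backupadmin : user IP = 203.0.113.45",
    "Sep 05 2023 10:12:06 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = developer : user IP = 203.0.113.45",
    "Sep 05 2023 10:15:40 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jsmith : user IP = 198.51.100.7",
    "Sep 05 2023 10:15:52 fw1 %ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : User = jsmith",
]


def parse_rejections(lines):
    """Return (source_ip, username) pairs for every AAA rejection line."""
    events = []
    for line in lines:
        m = AAA_REJECT_RE.search(line)
        if m:
            events.append((m.group("ip"), m.group("user").strip()))
    return events


def detect_brute_force(lines, threshold=5, known_name_hits=3):
    """Group rejections by source IP and flag brute-force candidates.

    A source is flagged when it has at least `threshold` rejections, or when
    it has tried at least `known_name_hits` of the usernames from the article.
    """
    attempts = defaultdict(list)
    for ip, user in parse_rejections(lines):
        attempts[ip].append(user)

    alerts = {}
    for ip, users in attempts.items():
        distinct = set(users)
        known = distinct & COMMON_BRUTE_FORCE_USERNAMES
        if len(users) >= threshold or len(known) >= known_name_hits:
            alerts[ip] = {
                "failures": len(users),
                "distinct_users": len(distinct),
                "known_brute_force_names": sorted(known),
            }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_brute_force(SAMPLE_SYSLOG).items():
        print(f"possible VPN brute force from {ip}: {info}")
```

In a real deployment the lines would be read from the syslog collector rather than a list, and the thresholds tuned to the normal rate of typos seen from the organisation's own users; the second source in the sample (one failure, an ordinary-looking username) is deliberately left unflagged to show that distinction.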

--

Prof Bill Buchanan OBE FRSE
ASecuritySite: When Bob Met Alice
