Akira Ransomware Attacks Exploit Zero-Day Cisco ASA Vulnerability

In recent updates, there have been emerging reports about threat actors associated with the Akira ransomware focusing their attention on Cisco VPNs that do not employ multi-factor authentication (MFA).

This particular security vulnerability, designated as CVE-2023-20269, could potentially result in unauthorized access to VPN connections, thereby heightening concerns about the security of remote access setups.

Cisco has formally recognized these reports and the instances that have been observed, in which organizations lacking MFA protection on their VPNs have been susceptible to unauthorized access.

Vulnerability details

CVE-2023-20269 affects Cisco ASA and FTD devices, primarily in their web services interface. It stems from a lack of proper separation between authentication, authorization, and accounting (AAA) functions, potentially allowing attackers to manipulate or compromise credentials by sending malicious authentication requests to the web interface.

As these requests lack access restrictions, the attacker can employ unlimited Brute Force techniques to try countless combinations of usernames and passwords, without speed limits or abuse bans.

To facilitate brute force attacks, the Cisco device must meet the following prerequisites:

1. At least one user must have a password configured in the LOCAL database, or HTTPS management authentication should point to a valid AAA server.
2. SSL VPN should be enabled on at least one interface, or IKEv2 VPN must be enabled on at least one interface.

In scenarios involving a targeted device running Cisco ASA Software Release 9.16 or later, upon successful certification, the attacker can initiate a clientless SSL VPN session without requiring additional authorization.

To initiate the targeted clientless SSL VPN session for device compliance, the following conditions must be met:

1. The attacker must possess valid credentials for a user existing either in the local database or within the AAA server employed for HTTPS management authentication. These credentials may be acquired through brute force attack methods.
2. The device should be operating on Cisco ASA Software Release 9.16 or an earlier version.
3. At least one interface must have SSL VPN enabled.
4. The DfltGrp policy must permit clientless SSL VPN access.

While awaiting the release of a security update from Cisco to address CVE-2023-20269, system administrators are advised to take the following precautionary measures:

1. Employ DAP (Dynamic Access Policies) to halt VPN tunnels associated with DefaultADMINGroup or DefaultL2LGroup.
2. Impede access by modifying the vpn-simultaneous-logins setting to zero in the Default Group Policy (DfltGrpPolicy). Additionally, ensure that all VPN session profiles reference a custom policy.
3. Implement restrictions within the local user database by using the “group-lock” option to confine specific users to a single profile. Prevent VPN installations by setting “vpn-simultaneous-logins” to zero.