Akira, LockBit actively searching for vulnerable Cisco ASA devices

Akira and LockBit ransomware groups are trying to breach Cisco ASA SSL VPN devices by exploiting several older vulnerabilities, security researcher Kevin Beaumont is warning.


They are targeting vulnerabilities for which patches were made available in 2020 and 2023. “But the problem is nobody has complete visibility of what exploits actually exist,” he added, and advised admins to upgrade to the latest ASA release on all devices that have the AnyConnect SSL VPN feature enabled on the device’s (internet-exposed) interface.

Old vulnerabilities haunt many organizations

Cisco ASA devices are widely deployed in organizations of all sizes, and are regularly targeted by attackers (including ransomware groups) via unpatched vulnerabilities, credential stuffing and targeted brute-force attacks.

PoCs for patched vulnerabilities surface often, making the attackers’ work easier, but attackers are also either creating their own exploits or buying them from somewhere: Truesec researchers have recently flagged Akira’s likely (but not definitely confirmed) exploitation of CVE-2020-3259, for which there is no known public exploit.

And though an exploit for CVE-2020-3580, a cross-site scripting (XSS) vulnerability affecting Cisco ASA and FTD devices, was leveraged by attackers in 2021, ransomware groups are obviously hoping that many organizations are VERY slow to patch.

“I’ve just been looking at data from GreyNoise and other firms. There has been a significant uptick in scanning for Cisco AnyConnect VPN devices,” Beaumont also noted on Wednesday.

“95% of the IPs doing it are tagged as malicious, not researchers or IoT search engines,” he added. “Many IPs overlap with CitrixBleed exploitation a few months ago by ransomware groups.”

So, you’ve now been warned: get patching (if you haven’t already) or risk being ransomed.

UPDATE (February 22, 2024, 03:55 a.m. ET):

Cisco has updated the security advisory for CVE-2020-3259 to say: “In February 2024, the Cisco Product Security Incident Response Team (PSIRT) became aware of additional attempted exploitation of this vulnerability in the wild. Cisco continues to strongly recommend that customers upgrade to a fixed software release to remediate this vulnerability.”
