CISA Alert: Akira Ransomware Targets Cisco ASA/FTD Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a warning about the Akira ransomware exploiting a vulnerability in Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. This vulnerability, known as CVE-2020-3259, allows attackers to retrieve memory contents, and although it was patched in May 2020, reports indicate it’s being actively exploited.

A cybersecurity firm found evidence suggesting that Akira ransomware actors have been using this vulnerability to compromise vulnerable Cisco AnyConnect SSL VPN appliances over the past year. A security researcher noted that there is no publicly available exploit code for CVE-2020-3259, indicating that threat actors exploiting it, like Akira, would need to buy or create the exploit code themselves.

Akira is one of the 25 groups with newly established data leak sites in 2023, with nearly 200 publicly claimed victims. The group has been active since March 2023 and is believed to have connections with the Conti syndicate, based on ransom proceeds being routed to Conti-affiliated wallet addresses. In the fourth quarter of 2023, Akira listed 49 victims on its data leak portal.

Federal Civilian Executive Branch (FCEB) agencies are required to remediate identified vulnerabilities by March 7, 2024, to protect their networks against potential threats like Akira.

CVE-2020-3259 is just one example of vulnerabilities exploited for ransomware attacks. Recent reports show the abuse of CVE-2023-22527 in Atlassian Confluence Data Center and Confluence Server to deploy C3RB3R ransomware, cryptocurrency miners, and remote access trojans.

The U.S. State Department announced rewards for information leading to the identification or location of key members of the BlackCat ransomware gang and its affiliates, highlighting the significant profits made by ransomware-as-a-service (RaaS) schemes like Hive and BlackCat.

The ransomware landscape continues to evolve, with new players like Alpha emerging. There are indications that Alpha could be connected to the now-defunct NetWalker ransomware operation. The U.S. Government Accountability Office (GAO) called for enhanced oversight into recommended practices for addressing ransomware, especially for critical sectors like manufacturing, energy, healthcare, and transportation systems.

Safeguard your organization against Akira ransomware by keeping your Cisco ASA/FTD software current with Cisco's patches; the fix for CVE-2020-3259 has been available since May 2020. Implement robust cybersecurity measures, including strong password policies, regular software updates, and user education on identifying phishing attacks. Additionally, consider deploying endpoint protection and monitoring tools so that threats are detected and responded to promptly.