Security researchers believe the Akira ransomware group could be exploiting a nearly four-year-old Cisco vulnerability and using it as an entry point into organizations’ systems.
In eight of security company TrueSec’s most recent incident response engagements that involved Akira and Cisco’s AnyConnect SSL VPN as the entry point, at least six of the devices were running versions vulnerable to CVE-2020-3259, which was patched in May 2020.
The vulnerability lies in the web services interface of Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) software, allowing attackers to extract secrets stored in memory in clear text such as usernames and passwords – à la CitrixBleed.
TrueSec said that because there is no publicly available exploit code for the Cisco vulnerability, it means cybercriminals like those working for Akira would either need to have bought that exploit from somewhere or developed one of their own, which would require a deep understanding of the flaw.
Akira is long known to be targeting Cisco VPNs as the initial access vector for ransomware attacks, but the possible exploitation of the old vulnerability is the new finding here.
Analysis of past cases has been stymied by the “generally non-existent” network logs in environments, according to Heresh Zaremand, senior consultant at TrueSec, and these were barely even enough to pinpoint AnyConnect as the point of access.
In one recent incident, however, the TrueSec team managed to restore six months of radius authentication logs from an NPS server, the analysis of which revealed a pattern of malicious behavior that heavily hinted towards but didn’t quite prove the use of an exploit.
The researchers’ observations that suggested the likely use of an exploit included:
Attackers authenticating using genuine credentials that had recently been used by the real account holder
Eight different accounts were compromised, though only two were used for lateral movement
Compromised accounts had distinct usernames that didn’t follow any predictable naming conventions, and all used unique passwords
No evidence of phishing campaigns targeting the organization
No evidence of password attacks in the restored logs
No evidence of the credentials for sale on the dark web
Zaremand said there was no way of determining what data an attacker had accessed following an exploit, and that if they did get in, they likely exploited the device multiple times to access different parts of its memory content.
“If your organization is running Cisco AnyConnect, and assuming the device has been patched since a fix for CVE-2020-3259 was available, it is highly recommended that you backtrack when your device was upgraded to a non-vulnerable version,” he added.
“This is important as it is not possible to determine for how long this vulnerability has been exploited. For instance, if your backtracking shows that your devices were upgraded six months ago, then it is sound to consider any username and password used for the AnyConnect SSL VPN which has not changed in the last six months as compromised.”
In such cases, organizations are advised to initiate broad password resets and consider any other secrets or pre-shared keys in the device’s configuration compromised.
Enabling MFA is the de facto advice given to organizations following an attack, and, of course, apply the patches if you haven’t already.
Russia’s ‘prints all over it’
When CVE-2020-3259 was disclosed, there were no known publicly available exploits, and that remains true to this day.
The vulnerability was discovered by Russian security research outfit Positive Technologies in 2020, which was placed on the US sanctions list a year later. According to the US Treasury, Positive Technologies helped Russian intelligence (FSB) with its security services and helped run conventions the FSB used as recruitment events.
Zaremand said TrueSec wasn’t suggesting there are any ties between Akira and Russian intelligence, but offensive security research does appear to end up in the hands of both cybercriminals and nation states.
He also pointed to the widely held belief that Akira, which recently claimed an attack on cosmetics giant Lush, is an offshoot born from Conti’s demise in 2022, and that Conti itself was thought to have had ties to the FSB. ®