CVE-2023-20269: Akira Ransomware Exploits Cisco ASA Vulnerability

The Red Report 2023

The Top 10 MITRE ATT&CK Techniques Used by Adversaries

DOWNLOAD

In August 2023, Akira ransomware was observed to abuse Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) products to target many organizations with ransomware attacks. CVE-2023-20269 is a zero-day vulnerability that allows unauthenticated remote attackers to brute force credentials to gain access to vulnerable networks. Adversaries may also exploit this vulnerability to establish a clientless SSL VPN session. Cisco has not released any patch for the CVE-2023-20269 vulnerability yet; however, organizations can apply workarounds to mitigate the vulnerability.

In this blog, we explained how the Akira ransomware group exploited the Cisco CVE-2023-20269 vulnerability and how organizations can mitigate the vulnerability.

Simulate Ransomware Attacks with 14-Day Free Trial of Picus Platform

Akira Ransomware

Akira ransomware was first observed in March 2023 and compromised more than 60 organizations worldwide. The ransomware group is financially motivated and targets mostly small to medium-sized businesses. Similar to other infamous ransomware groups, Akira employs common business models such as Ransomware-as-a-Service and double extortion. Based on their victims and negotiation tactics, the ransomware threat actors appear to be opportunistic attackers that target organizations that did not enable MFA on VPN appliances.

Akira ransomware operators predominantly use compromised credentials to gain initial access to their target's network. Adversaries obtain these credentials through brute force attacks or Initial Access Brokers (IABs) on the dark web. After initial access, threat actors transfer tools and malware for reconnaissance, credential dumping, data exfiltration, and lateral movement. 

MITRE ATT&CK Tactic

Tools used by Akira Ransomware Operators

Discovery

AdFind

Advanced IP Scanner

MASSCAN

PCHunter

SharpHound

Credential Access

LaZagne

Mimikatz

Command and Control (C2)

AnyDesk

Cloudflare Tunnel

MobaXterm

ngrok

Radmin

Exfiltration

FileZilla

rclone

WinSCP

WinRAR

Impact

PsExec

For the final impact, Akira ransomware deletes Volume Shadow copies via WMI and encrypts their victims' files with the ChaCha algorithm. The secret key used in file encryption is generated using CryptGenRandom API and encrypted with the adversary's RSA public key after the encryption is completed. Akira ransomware is very similar to the infamous Conti ransomware in many aspects. They use the same functions, utilize the same encryption algorithm, and encrypt the same file types. It is assumed that Akira used Conti's leaked source code to develop their own. In June 2023, Avast released a decryptor for Akira ransomware. However, threat actors later modified their encryption routine after the release of the decryptor.

Cisco CVE-2023-20269 Zero-Day Vulnerability

In their advisory, Cisco PSIRT disclosed that the VPN feature of Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) products have a medium severity zero-day vulnerability. The vulnerability allows unauthorized remote adversaries to conduct brute-force attacks against existing accounts. After compromising credentials, attackers can establish a clientless SSL VPN session in the victims' network. CVE-2023-20269 has a CVSS score of 5.0 (Medium); however, it may cause significant damage to organizations depending on their network configuration.

Incident response efforts show that the earliest exploitation of CVE-2023-20269 vulnerability goes back to March 2023. Adversaries especially targeted public-facing Cisco ASA and FTD devices without multi-factor authentication (MFA) enabled. Since 

MFA is not enforced, attackers were able to brute-force credentials without being rate-limited or blocked. For brute force attacks against Cisco ASA and FTD to work, vulnerable devices must meet the following conditions:

  • At least one user is configured with a password in the LOCAL database or HTTPS management authentication points to a valid AAA server.

  • SSL VPN is enabled on at least one interface or IKEv2 VPN is enabled on at least one interface.

For unauthorized attackers to successfully establish a clientless SSL VPN session, all of the following conditions need to be met:

  • The attacker has valid credentials for a user present either in the LOCAL database or in the AAA server used for HTTPS management authentication. These credentials could be obtained using brute force attack techniques.

  • The device is running Cisco ASA Software Release 9.16 or earlier.

  • SSL VPN is enabled on at least one interface.

  • The clientless SSL VPN protocol is allowed in the DfltGrpPolicy.

The timeline and victimology of Akira ransomware suggest that Akira operators were exploiting the CVE-2023-20269 for quite some time. They targeted organizations that implement VPN access using single-factor authentication. If MFA is not enabled or enforced for all users, the threat actors are able to gain initial access. According to Rapid7, they had not observed any successful Akira attacks against organizations that correctly configured MFA.

Cisco has not released a patch for the vulnerability; however, organizations may implement the mitigations below to defend themselves against CVE-2023-20269 attacks.

  • Use DAP (Dynamic Access Policies) to stop VPN tunnels with DefaultADMINGroup or DefaultL2LGroup.
  • Deny access with Default Group Policy by adjusting vpn-simultaneous-logins for DfltGrpPolicy to zero, and ensuring that all VPN session profiles point to a custom policy.
  • Implement LOCAL user database restrictions by locking specific users to a single profile with the 'group-lock' option, and prevent VPN setups by setting 'vpn-simultaneous-logins' to zero.

Organizations should also enable multi-factor authentication (MFA) as it is vital security control against brute force attacks. If MFA is enabled, adversaries cannot abuse MFA-secured to establish VPN connections.

How Picus Helps Simulate Akira Ransomware Attacks?

We also strongly suggest simulating Akira ransomware attacks to test the effectiveness of your security controls against sophisticated cyber attacks using the Picus The Complete Security Validation Platform. You can also test your defenses against other ransomware attacks, such as Conti, LockBit, and CL0P, within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for Akira ransomware attacks:

Threat ID

Threat Name

Attack Module

84668

Akira Ransomware Download Threat

Network Infiltration

55812

Akira Ransomware Email Threat

Email Infiltration

Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures to address Akira ransomware attacks and related malware attacks in preventive security controls. Currently, Picus Labs validated the following signatures for Akira ransomware attacks:

Security Control

Signature ID

Signature Name

Check Point NGFW

0D0FC5542

Ransomware.Win32.Akira.TC.a77avEjG

Check Point NGFW

0CEDE557A

Ransomware.Win32.Akira.TC.eec5NsKn

Check Point NGFW

0CFD4BD86

Ransomware.Win32.Akira.TC.a5f8yZDg

Check Point NGFW

0E0BEF9A4

Ransomware.Win32.Akira.TC.0e05wZMS

Check Point NGFW

0A2E01186

Ransomware.Win32.Akira.TC.ea38rili

Cisco FirePower

 

W32.Auto:3c92bf.in03.Talos

Cisco FirePower

 

W32.Auto:7b295a.in03.Talos

Cisco FirePower

 

W32.Auto:1b6af2.in03.Talos

Cisco FirePower

 

W32.Auto:678ec8.in03.Talos

Cisco FirePower

 

W32.Auto:8631ac.in03.Talos

Forcepoint NGFW

 

File_Malware-Blocked 

Fortigate AV

10143171

Linux/Filecoder_Akira.A!tr

Fortigate AV

10133803

W64/Generik.NFLQ!tr.ransom

McAfee

0x4840c900

MALWARE: Malicious File Detected by GTI

Palo Alto

581601225

Ransom/Win64.akira.a

Start simulating emerging threats today and get actionable mitigation insights with a  14-day free trialof Picus The Complete Security Validation Platform.