In August 2023, Akira ransomware was observed to abuse Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) products to target many organizations with ransomware attacks. CVE-2023-20269 is a zero-day vulnerability that allows unauthenticated remote attackers to brute force credentials to gain access to vulnerable networks. Adversaries may also exploit this vulnerability to establish a clientless SSL VPN session. Cisco has not released any patch for the CVE-2023-20269 vulnerability yet; however, organizations can apply workarounds to mitigate the vulnerability.
In this blog, we explain how the Akira ransomware group exploited the Cisco CVE-2023-20269 vulnerability and how organizations can mitigate it.
Akira Ransomware
Akira ransomware was first observed in March 2023 and compromised more than 60 organizations worldwide. The ransomware group is financially motivated and targets mostly small to medium-sized businesses. Similar to other infamous ransomware groups, Akira employs common business models such as Ransomware-as-a-Service and double extortion. Based on their victims and negotiation tactics, the ransomware threat actors appear to be opportunistic attackers that target organizations that did not enable MFA on VPN appliances.
Akira ransomware operators predominantly use compromised credentials to gain initial access to their target's network. Adversaries obtain these credentials through brute force attacks or Initial Access Brokers (IABs) on the dark web. After initial access, threat actors transfer tools and malware for reconnaissance, credential dumping, data exfiltration, and lateral movement.
| MITRE ATT&CK Tactic | Tools used by Akira Ransomware Operators |
|---|---|
| Discovery | AdFind, Advanced IP Scanner, MASSCAN, PCHunter, SharpHound |
| Credential Access | LaZagne, Mimikatz |
| Command and Control (C2) | AnyDesk, Cloudflare Tunnel, MobaXterm, ngrok, Radmin |
| Exfiltration | FileZilla, rclone, WinSCP, WinRAR |
| Impact | PsExec |
For the final impact, Akira ransomware deletes Volume Shadow Copies via WMI and encrypts its victims' files with the ChaCha algorithm. The secret key used for file encryption is generated with the CryptGenRandom API and, once encryption is complete, is itself encrypted with the adversary's RSA public key. Akira ransomware is very similar to the infamous Conti ransomware in many aspects: it uses the same functions, the same encryption algorithm, and targets the same file types. It is assumed that Akira used Conti's leaked source code to develop its own. In June 2023, Avast released a decryptor for Akira ransomware; however, the threat actors later modified their encryption routine in response.
Cisco CVE-2023-20269 Zero-Day Vulnerability
In their advisory, Cisco PSIRT disclosed that the VPN feature of Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) products has a medium-severity zero-day vulnerability. The vulnerability allows unauthorized remote adversaries to conduct brute-force attacks against existing accounts. After compromising credentials, attackers can establish a clientless SSL VPN session in the victim's network. CVE-2023-20269 has a CVSS score of 5.0 (Medium); however, it may cause significant damage to organizations depending on their network configuration.
Incident response efforts show that the earliest exploitation of the CVE-2023-20269 vulnerability goes back to March 2023. Adversaries especially targeted public-facing Cisco ASA and FTD devices without multi-factor authentication (MFA) enabled. Since MFA was not enforced, attackers were able to brute-force credentials without being rate-limited or blocked. For brute force attacks against Cisco ASA and FTD to work, vulnerable devices must meet the following conditions:
- At least one user is configured with a password in the LOCAL database, or HTTPS management authentication points to a valid AAA server.
- SSL VPN is enabled on at least one interface, or IKEv2 VPN is enabled on at least one interface.
For unauthorized attackers to successfully establish a clientless SSL VPN session, all of the following conditions need to be met:
- The attacker has valid credentials for a user present either in the LOCAL database or in the AAA server used for HTTPS management authentication. These credentials could be obtained using brute force attack techniques.
- The device is running Cisco ASA Software Release 9.16 or earlier.
- SSL VPN is enabled on at least one interface.
- The clientless SSL VPN protocol is allowed in the DfltGrpPolicy.
The timeline and victimology of Akira ransomware suggest that Akira operators had been exploiting CVE-2023-20269 for quite some time. They targeted organizations that implement VPN access using single-factor authentication. If MFA is not enabled or enforced for all users, the threat actors are able to gain initial access. According to Rapid7, they had not observed any successful Akira attacks against organizations that correctly configured MFA.
Cisco has not released a patch for the vulnerability; however, organizations may implement the mitigations below to defend themselves against CVE-2023-20269 attacks.
- Use DAP (Dynamic Access Policies) to stop VPN tunnels with DefaultADMINGroup or DefaultL2LGroup.
- Deny access with Default Group Policy by adjusting vpn-simultaneous-logins for DfltGrpPolicy to zero, and ensuring that all VPN session profiles point to a custom policy.
- Implement LOCAL user database restrictions by locking specific users to a single profile with the 'group-lock' option, and prevent VPN setups by setting 'vpn-simultaneous-logins' to zero.
Organizations should also enable multi-factor authentication (MFA), as it is a vital security control against brute force attacks. If MFA is enabled, adversaries cannot abuse MFA-secured accounts to establish VPN connections.
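As an added example (not part of the original post or of any Picus or Cisco tooling), the following Python script audits a running-config excerpt against the exploitation preconditions listed above and the workaround settings, comparing a weak and a hardened version of the same device. The config lines, user, policy and profile names are constructed, and the script assumes that an absent vpn-tunnel-protocol line under DfltGrpPolicy means the ASA default, which allows clientless SSL VPN.

```python
import re
# Constructed ASA running-config excerpts (not from any real device). WEAK matches the
# exposure conditions in the advisory; HARDENED is the same device after the workarounds.
WEAK_CONFIG = """\
username vpnuser password ***** encrypted privilege 0
aaa authentication http console LOCAL
webvpn
 enable outside
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 ikev2 ssl-client ssl-clientless
 vpn-simultaneous-logins 3
tunnel-group RA_PROFILE type remote-access
tunnel-group RA_PROFILE general-attributes
 default-group-policy RA_POLICY
tunnel-group LEGACY type remote-access
"""
HARDENED_CONFIG = (WEAK_CONFIG.replace("vpn-simultaneous-logins 3", "vpn-simultaneous-logins 0")
                   .replace(" ssl-clientless", "")
                   + "tunnel-group LEGACY general-attributes\n default-group-policy RA_POLICY\n")

def parse_blocks(config):
    """Map each unindented ASA command to the list of its indented sub-commands."""
    blocks, current = {}, None
    for line in filter(str.strip, config.splitlines()):
        if line.startswith(" "):
            blocks.setdefault(current, []).append(line.strip())
        else:
            current = line.strip()
            blocks.setdefault(current, [])
    return blocks

def audit(config):
    """Each key is True (or a non-empty list) when that exposure condition still holds."""
    b = parse_blocks(config)
    dflt = b.get("group-policy DfltGrpPolicy attributes", [])
    proto = next((l for l in dflt if l.startswith("vpn-tunnel-protocol")), None)
    logins = next((l for l in dflt if l.startswith("vpn-simultaneous-logins")), None)
    ra = [k.split()[1] for k in b if k.startswith("tunnel-group ") and k.endswith(" type remote-access")]
    on_default = [tg for tg in ra if not any(
        l.startswith("default-group-policy ") and l.split()[-1] != "DfltGrpPolicy"
        for l in b.get(f"tunnel-group {tg} general-attributes", []))]
    return {
        # brute-force preconditions
        "local_user_with_password": bool(re.search(r"^username \S+ password ", config, re.M)),
        "http_auth_local_or_aaa": any(k.startswith("aaa authentication http console") for k in b),
        "ssl_vpn_enabled": any(l.startswith("enable ") for l in b.get("webvpn", [])),
        # clientless-session preconditions (missing vpn-tunnel-protocol assumed = ASA default, allows clientless)
        "clientless_allowed_in_dflt": proto is None or "ssl-clientless" in proto.split(),
        "dflt_allows_logins": not (logins and logins.split()[-1] == "0"),
        "profiles_on_default_policy": on_default,
    }
```

Running `audit()` on a real `show running-config` export flags which preconditions remain; SSL VPN itself stays enabled in the hardened sample, since the workarounds restrict policy use rather than disable the service.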
How Does Picus Help Simulate Akira Ransomware Attacks?
We also strongly suggest simulating Akira ransomware attacks to test the effectiveness of your security controls against sophisticated cyber attacks using the Picus The Complete Security Validation Platform. You can also test your defenses against other ransomware attacks, such as Conti, LockBit, and CL0P, within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for Akira ransomware attacks:
| Threat ID | Threat Name | Attack Module |
|---|---|---|
| 84668 | Akira Ransomware Download Threat | Network Infiltration |
| 55812 | Akira Ransomware Email Threat | Email Infiltration |
Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures to address Akira ransomware attacks and related malware attacks in preventive security controls. Currently, Picus Labs validated the following signatures for Akira ransomware attacks:
| Security Control | Signature ID | Signature Name |
|---|---|---|
| Check Point NGFW | 0D0FC5542 | Ransomware.Win32.Akira.TC.a77avEjG |
| Check Point NGFW | 0CEDE557A | Ransomware.Win32.Akira.TC.eec5NsKn |
| Check Point NGFW | 0CFD4BD86 | Ransomware.Win32.Akira.TC.a5f8yZDg |
| Check Point NGFW | 0E0BEF9A4 | Ransomware.Win32.Akira.TC.0e05wZMS |
| Check Point NGFW | 0A2E01186 | Ransomware.Win32.Akira.TC.ea38rili |
| Cisco FirePower | W32.Auto:3c92bf.in03.Talos | |
| Cisco FirePower | W32.Auto:7b295a.in03.Talos | |
| Cisco FirePower | W32.Auto:1b6af2.in03.Talos | |
| Cisco FirePower | W32.Auto:678ec8.in03.Talos | |
| Cisco FirePower | W32.Auto:8631ac.in03.Talos | |
| Forcepoint NGFW | | File_Malware-Blocked |
| Fortigate AV | 10143171 | Linux/Filecoder_Akira.A!tr |
| Fortigate AV | 10133803 | W64/Generik.NFLQ!tr.ransom |
| McAfee | 0x4840c900 | MALWARE: Malicious File Detected by GTI |
| Palo Alto | 581601225 | Ransom/Win64.akira.a |
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of Picus The Complete Security Validation Platform.