Akira Ransomware exploits Cisco ASA/FTD vulnerability

February 16, 2024 | Pressroom | Ransomware/Vulnerabilities

The US Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a now-patched security flaw affecting Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software to its Known Exploited Vulnerabilities (KEV) catalog, following reports that it was likely exploited in Akira ransomware attacks.

The vulnerability in question is CVE-2020-3259 (CVSS Score: 7.5), a high-severity information disclosure issue that could allow an attacker to recover the contents of memory on an affected device. It was fixed by Cisco as part of the updates released in May 2020.

Late last month, cybersecurity firm Truesec said it had found evidence suggesting the flaw was weaponized by the operators of the Akira ransomware to compromise several sensitive Cisco AnyConnect SSL VPN devices over the past year.


“There is no publicly available exploit code for […] CVE-2020-3259, which means that a threat actor, such as Akira, exploiting that vulnerability would have to purchase or produce the exploit code themselves, which requires in-depth knowledge of the vulnerability,” said security researcher Heresh Zaremand.

According to Palo Alto Networks Unit 42, Akira is one of 25 groups with newly created data leak sites in 2023, with the ransomware group publicly claiming nearly 200 victims. First observed in March 2023, the group is believed to share links with the infamous Conti syndicate as it sent ransom proceeds to wallet addresses affiliated with Conti.

In the fourth quarter of 2023 alone, the e-crime group listed 49 victims on its data leak portal, behind LockBit (275), Play (110), ALPHV/BlackCat (102), NoEscape (76), 8Base (75) and Black Basta (72).

Federal Civilian Executive Branch (FCEB) agencies are required to remediate identified vulnerabilities by March 7, 2024, to protect their networks from potential threats.

CVE-2020-3259 is not the only flaw that can be exploited to spread ransomware. Earlier this month, Arctic Wolf Labs disclosed the abuse of CVE-2023-22527, a recently discovered flaw in Atlassian Confluence Data Center and Confluence Server, to deploy the C3RB3R ransomware, as well as cryptocurrency miners and remote access Trojans.

The development comes as the US State Department announced rewards of up to $10 million for information that could lead to the identification or location of key members of the BlackCat ransomware gang, as well as offering up to $5 million for information leading to the arrest or conviction of its affiliates.


The ransomware-as-a-service (RaaS) scheme, much like Hive, has compromised over 1,000 victims globally, netting at least $300 million in illicit profits since its emergence in late 2021. It was shut down in December 2023 following an internationally coordinated law enforcement operation.

The ransomware landscape has become a lucrative market, attracting the attention of cybercriminals looking for quick financial gains, leading to the rise of new players such as Alpha (not to be confused with ALPHV) and Wing.

The U.S. Government Accountability Office (GAO), in a report released in late January 2024, called for greater oversight of recommended practices for addressing ransomware, particularly for organizations in critical manufacturing, energy, health and public health and transportation systems.
