February 19, 2024
Severity
High
Analysis Summary
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently added a now-patched vulnerability affecting Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software to its Known Exploited Vulnerabilities (KEV) catalog, after receiving reports of it being exploited by the Akira ransomware gang.
The flaw is tracked as CVE-2020-3259 (CVSS score: 7.5). It is a high-severity information disclosure issue that can allow a threat actor to retrieve memory contents from an affected device. Cisco released a patch for the vulnerability in May 2020. However, a cybersecurity firm uncovered evidence last month that the Akira ransomware group exploited the vulnerability last year to compromise multiple devices suspected to be Cisco AnyConnect SSL VPN appliances. No exploit code is publicly available, which suggests that the Akira actors either purchased an exploit or developed one themselves, something that requires deep insight into and understanding of the vulnerability.
According to researchers, Akira is one of 25 ransomware groups that set up new data leak websites in 2023, and the group has publicly claimed about 200 victims since then. Akira was first seen in March 2023 and has been attributed to the Conti syndicate because ransom payments were routed through Conti-linked wallet addresses. In the fourth quarter of 2023 alone, the Akira ransomware gang listed 49 victims on its data leak website.
CVE-2020-3259 is not the only vulnerability being exploited to propagate ransomware: earlier this month it was revealed that a recently discovered flaw in Atlassian Confluence Data Center and Confluence Server was being exploited to deliver C3RB3R ransomware, cryptocurrency miners, and remote access trojans.
The ransomware landscape has become very attractive to financially motivated threat actors and has led to the rise of new gangs such as Alpha and Wing. Organizations, especially critical ones in the energy, manufacturing, healthcare, and transportation sectors, are recommended to follow best practices for addressing ransomware. Federal Civilian Executive Branch (FCEB) agencies are required to patch the identified vulnerability by March 7th, 2024 to secure their networks against potential threats.
Impact
- Information Disclosure
- Financial Loss
- Data Theft
Indicators of Compromise
CVE
CVE-2020-3259
Affected Vendor
- Cisco
Affected Product
- Cisco Firepower Threat Defense (FTD) Software
- Cisco Adaptive Security Appliance Software
Remediation
- Refer to Cisco Security Advisory for patch, upgrade, or suggested workaround information.
- Implement Multi-Factor Authentication (MFA) for Cisco VPN accounts.
- Regularly update and patch Cisco VPN software.
- Monitor and analyze VPN login activity for unusual behavior.
- Employ intrusion detection and prevention systems.
- Educate users about phishing and social engineering risks.
- Consider network segmentation and least privilege access controls.
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Maintain Offline Backups – In a ransomware attack, the adversary will often delete or encrypt backups if they have access to them. That’s why it’s important to keep offline (preferably off-site), encrypted backups of data and test them regularly.
- Conduct regular backups of your important data and ensure that these backups are stored offline or in a separate network. This will help protect your data from being compromised by ransomware attacks.
- Deploy advanced threat detection and monitoring solutions to identify potential ransomware activity in real time. Monitor network traffic, system logs, and behavior anomalies to detect and respond to ransomware incidents promptly.
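As an added example that is not part of the Rewterz advisory, the following Python script illustrates the "monitor and analyze VPN login activity" recommendation above: it scans Cisco ASA-style syslog lines for AnyConnect sessions and flags a user who connects right after a run of authentication rejections, or who establishes sessions from several distinct source addresses. The log lines, thresholds and exact message formats are constructed assumptions modelled on ASA syslog, not data from the page.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on Cisco ASA syslog output (not real traffic).
SAMPLE_LOGS = """\
Feb 19 2024 08:01:12 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = alice : user IP = 198.51.100.7
Feb 19 2024 08:01:20 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = alice : user IP = 198.51.100.7
Feb 19 2024 08:01:27 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = alice : user IP = 198.51.100.7
Feb 19 2024 08:01:41 fw1 %ASA-6-722022: Group <VPN-Users> User <alice> IP <198.51.100.7> TCP SVC connection established without compression
Feb 19 2024 09:15:03 fw1 %ASA-6-722022: Group <VPN-Users> User <bob> IP <203.0.113.10> TCP SVC connection established without compression
Feb 19 2024 09:16:44 fw1 %ASA-6-722022: Group <VPN-Users> User <bob> IP <192.0.2.55> TCP SVC connection established without compression
Feb 19 2024 09:18:09 fw1 %ASA-6-722022: Group <VPN-Users> User <bob> IP <198.51.100.200> TCP SVC connection established without compression
Feb 19 2024 10:02:30 fw1 %ASA-6-722022: Group <VPN-Users> User <carol> IP <203.0.113.44> TCP SVC connection established without compression
"""

# Assumed message shapes: 113005 = AAA rejection, 722022 = AnyConnect SVC session established.
REJECT_RE = re.compile(r"%ASA-6-113005:.*user = (\S+) : user IP = (\S+)")
CONNECT_RE = re.compile(r"%ASA-6-722022: Group <[^>]+> User <([^>]+)> IP <([^>]+)>")

def analyze_vpn_logs(text, fail_threshold=3, ip_threshold=3):
    """Return {user: [alert, ...]} for two patterns worth a second look:
    - a successful session from an IP after >= fail_threshold rejections for that user/IP
    - one user establishing sessions from >= ip_threshold distinct source IPs
    """
    failures = defaultdict(int)   # (user, ip) -> rejections since last success
    seen_ips = defaultdict(set)   # user -> source IPs with an established session
    alerts = defaultdict(list)
    for line in text.splitlines():
        if m := REJECT_RE.search(line):
            failures[(m.group(1), m.group(2))] += 1
            continue
        m = CONNECT_RE.search(line)
        if not m:
            continue
        user, ip = m.group(1), m.group(2)
        if failures[(user, ip)] >= fail_threshold:
            alerts[user].append(f"success from {ip} after {failures[(user, ip)]} rejections")
        failures[(user, ip)] = 0
        seen_ips[user].add(ip)
        if len(seen_ips[user]) == ip_threshold:
            alerts[user].append(f"sessions from {ip_threshold} distinct IPs: {sorted(seen_ips[user])}")
    return dict(alerts)

if __name__ == "__main__":
    for user, notes in analyze_vpn_logs(SAMPLE_LOGS).items():
        print(user, "->", "; ".join(notes))
```

In production the same logic would run over syslog forwarded to a SIEM, with thresholds tuned to the organisation's normal VPN usage.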