Ransomware fiends pounce on Cisco VPN brute-force zero-day flaw

No patch yet – but you've got strong creds and MFA enabled anyway, yeah?


Heads up: ransomware slingers are exploiting a Cisco zero-day weakness in some of its VPN products. The networking giant has issued an interim workaround to address the oversight as it works on a full patch.

The medium-severity flaw, tracked as CVE-2023-20269, exists in the remote access VPN feature of Cisco's Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software stacks. 

Essentially, it turns out there's nothing really stopping attackers from brute-forcing their way into a vulnerable device, running through all possible or likely username-password combinations. If you have multi-factor authentication configured, and are using strong login credentials, you should be fine.

Cisco said it's all due to improper separation of authentication, authorization, and accounting between the remote VPN feature, the HTTPS management, and site-to-site VPN features.

As the manufacturer noted: "This vulnerability does not allow an attacker to bypass authentication. To successfully establish a remote access VPN session, valid credentials are required, including a valid second factor if multi-factor authentication (MFA) is configured."

As basic as that is, it doesn't appear to be deterring cybercriminals who, according to Cisco, have been attempting to exploit this vulnerability in the wild since August.

The software may "allow an unauthenticated, remote attacker to conduct a brute force attack in an attempt to identify valid username and password combinations," the IT giant noted, "or an authenticated, remote attacker to establish a clientless SSL VPN session with an unauthorized user."

Akira, LockBit behind exploits

"Cisco strongly recommends that customers upgrade to a fixed software release to remediate this vulnerability once available and apply one of the suggested workarounds in the meantime," its security advisory reads. It also directs customers to an earlier write-up about the Akira ransomware gang targeting Cisco VPNs that are not configured for MFA and vulnerable to brute-force logins.

Rapid7 reported the exploitation attempts to Cisco, and has been working with the IT giant to address the issue. In an August 29 post updated on Thursday, that security firm said it spotted "at least 11 customers who experienced Cisco ASA-related intrusions between March 30 and August 24, 2023."

These break-ins resulted in ransomware infections in companies of all sizes by Akira and LockBit. Rapid7 also noted the victims spanned healthcare, professional services, manufacturing, oil and gas, and other industries.

"Rapid7 has not observed any bypasses or evasion of correctly configured MFA," the security researchers added.

According to the September 7 update: "CVE-2023-20269 is being exploited in the wild and is related to some of the behavior Rapid7 has observed and outlined in this blog."

Considering that Cisco has pointed to ransomware crews attacking VPNs that don't use MFA, and Rapid7 has said that criminals haven't been able to break into accounts that use two-factor authentication, we highly recommend implementing MFA as your first line of defense. And if your Cisco VPNs already use MFA, make sure it's configured properly.

Interim workarounds

Until Cisco develops a complete patch for the ASA and FTD software, it recommends admins implement a series of workarounds to protect against attacks. 

For the clientless SSL VPN situation, this includes configuring a dynamic access policy (DAP) to terminate VPN tunnel establishment when the DefaultADMINGroup or DefaultL2LGroup connection profile/tunnel group is used. 

Also, if you're not using the Default Group Policy (DfltGrpPolicy) for remote access VPN, and you don't expect users in the LOCAL user database to establish remote access VPN tunnels, it's a good idea to set the vpn-simultaneous-logins option to zero. Cisco provides instructions on how to do this in both scenarios.

Make sure to enable logging to ensure that you catch brute-force attempts before they result in a successful intrusion.

"The absence of detailed logs leaves gaps in understanding, hindering a clear analysis of the attack method," the alert says. "Cisco recommends enabling logging to a remote syslog server for improved correlation and auditing of network and security incidents across various network devices." ®
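As an added illustration of the logging advice above (our own example, not code from Cisco or Rapid7), this Python script reads ASA syslog lines and flags source IPs that pile up rejected VPN logins inside a short window. It assumes the rejected-authentication messages follow the ASA's documented 113005 (AAA server) and 113015 (LOCAL database) message text with `logging timestamp` enabled; the sample log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Matches rejected-login syslog messages from an ASA: ID 113005 (AAA server)
# and 113015 (LOCAL database); assumed to follow Cisco's documented text.
REJECT_RE = re.compile(
    r"%ASA-\d-1130[01]5: AAA user authentication Rejected\b.*?"
    r"user = (?P<user>\S+) : user IP = (?P<ip>\d+(?:\.\d+){3})"
)
# Timestamp prefix as written when "logging timestamp" is enabled on the ASA.
TS_RE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2})")

def parse_rejects(lines):
    """Yield (timestamp, username, source_ip) for every rejected login."""
    for line in lines:
        m, t = REJECT_RE.search(line), TS_RE.match(line)
        if m and t:
            ts = datetime.strptime(t.group("ts"), "%b %d %Y %H:%M:%S")
            yield ts, m.group("user"), m.group("ip")

def find_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: (total_rejects, [usernames tried])} for each source IP
    with at least `threshold` rejected logins inside a sliding `window`."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_rejects(lines):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):          # sliding window over time
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = (len(events), sorted({u for _, u in events}))
                break
    return flagged

# Constructed sample log lines (not real traffic): one spraying source, one
# single mistyped password, and a successful login that must not be counted.
SAMPLE = """\
Sep 07 2023 10:15:01: %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = admin : user IP = 203.0.113.45
Sep 07 2023 10:15:03: %ASA-6-113015: AAA user authentication Rejected : reason = User was not found : local database : user = vpn : user IP = 203.0.113.45
Sep 07 2023 10:15:05: %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = admin : user IP = 203.0.113.45
Sep 07 2023 10:15:08: %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jsmith : user IP = 203.0.113.45
Sep 07 2023 10:15:09: %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jsmith : user IP = 203.0.113.45
Sep 07 2023 10:16:40: %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = mjones : user IP = 198.51.100.7
Sep 07 2023 10:16:55: %ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = mjones
""".splitlines()
```

Running `find_bruteforce(SAMPLE)` flags only 203.0.113.45, which tried three usernames in under ten seconds; the lone failure from 198.51.100.7 stays below the threshold, and the success line is ignored entirely.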
