Zero-Day Vulnerability

Chris Swagler | October 26th, 2023

In a recent security alert, Cisco has raised concerns regarding a zero-day vulnerability, denoted as CVE-2023-20269, which poses a significant threat to its Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) systems. Ransomware gangs exploit this alarming security flaw as an entry point to infiltrate corporate networks.

Zero-Day Vulnerability Threatens Corporate Networks

The zero-day vulnerability, rated as medium severity, affects the VPN feature of Cisco ASA and Cisco FTD. It enables unauthenticated remote threat operators to run brute-force attacks against existing accounts; a successful guess gives them access to the compromised organization’s network. Once inside, these threat operators can establish a clientless SSL VPN session, with the consequences varying depending on the network configuration of the victim organization. Such a foothold can lead to data theft, network compromise, and ransomware attacks, crippling businesses and causing significant financial losses.

A Growing Menace from the Zero-Day Vulnerability

The emergence of this zero-day vulnerability follows reports that several ransomware groups, including Akira and Lockbit, have been repeatedly exploiting Cisco VPN devices to infiltrate corporate networks. Initially, the security community suspected an undisclosed security flaw, prompting speculation about the nature of the threat. Cisco responded by issuing advisories, suggesting that the attacks were primarily the result of brute force attacks on devices lacking Multi-Factor Authentication (MFA) configurations. However, the exact nature of the vulnerability remained unclear. Now, Cisco has confirmed the existence of this zero-day vulnerability that ransomware gangs have utilized to perpetrate their attacks. Although the company has offered workarounds in an interim security bulletin, official security updates for affected products are still pending.

Zeroing In on the Zero-Day Vulnerability

The CVE-2023-20269 vulnerability resides within the web services interface of Cisco ASA and Cisco FTD devices, specifically affecting the authentication, authorization, and accounting (AAA) functions. The flaw stems from improper separation of the AAA functions from other software features, which lets threat operators reach the authorization components through authentication requests. This vulnerability is particularly dangerous because threat operators can launch brute force attacks with impunity, attempting countless username and password combinations without being restricted or blocked for abuse. To successfully execute brute force attacks using this vulnerability, the following conditions must be met:

  • At least one user is configured with a password in the LOCAL database, or HTTPS management authentication points to a valid AAA server.
  • SSL VPN or IKEv2 VPN is enabled on at least one interface.

Mitigating the Risk

Cisco has assured users that a security update to address CVE-2023-20269 is in the works. Until these fixes are made available, administrators are advised to take proactive measures to mitigate the threat:

  • Implement Dynamic Access Policies (DAP) to terminate VPN tunnels associated with DefaultADMINGroup or DefaultL2LGroup.
  • Deny VPN access through the default group policy by setting vpn-simultaneous-logins for DfltGrpPolicy to zero and ensuring that every VPN session profile references a custom policy.
  • Restrict the LOCAL user database by locking specific users to a single profile with the ‘group-lock’ option and preventing VPN setups for accounts that should never use VPN by setting ‘vpn-simultaneous-logins’ to zero.
  • Configure the Default Remote Access VPN profiles to redirect non-default profiles to a sinkhole AAA server (a dummy LDAP server), and enable logging so that attack attempts are detected early.
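The four workarounds above map onto a handful of ASA configuration statements. The configuration below is an added example, not Cisco’s advisory text or SpearTip’s own material: the names RA-PROFILE, RA-USERS, CORP-LDAP, CORP-OTP, SINKHOLE and DENY-DEFAULT-GROUPS, the user names, and the 192.0.2.x addresses are placeholders chosen for illustration, and the DAP selection criteria are assumed to be set in ASDM. It also adds a secondary authentication server group to the legitimate profile, which is one way to enforce the MFA the article recommends.

```cisco
! --- 1. Deny VPN access through the default group policy ---
! Any session that lands on DfltGrpPolicy instead of a custom policy
! is refused; the legitimate profile below points to its own policy.
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 0

! Custom policy referenced only by the legitimate remote-access profile.
group-policy RA-USERS internal
group-policy RA-USERS attributes
 vpn-simultaneous-logins 3

! --- 2. Sinkhole AAA server for the default remote-access profiles ---
! 192.0.2.250 is a placeholder for a dummy LDAP server that never
! validates anyone. Logins that hit DefaultWEBVPNGroup or DefaultRAGroup
! are sent here instead of to the LOCAL database or the real directory.
aaa-server SINKHOLE protocol ldap
aaa-server SINKHOLE (inside) host 192.0.2.250
 ldap-base-dn dc=sinkhole,dc=invalid
 ldap-scope subtree
 ldap-naming-attribute uid
 server-type openldap
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group SINKHOLE
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group SINKHOLE

! --- 3. Legitimate remote-access profile with a custom policy ---
! CORP-LDAP and CORP-OTP are placeholder AAA groups (directory and
! one-time-password server); 192.0.2.20/.21 are placeholder hosts.
aaa-server CORP-LDAP protocol ldap
aaa-server CORP-LDAP (inside) host 192.0.2.20
 ldap-base-dn dc=example,dc=invalid
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 server-type microsoft
aaa-server CORP-OTP protocol radius
aaa-server CORP-OTP (inside) host 192.0.2.21
 key CHANGE-ME
tunnel-group RA-PROFILE type remote-access
tunnel-group RA-PROFILE general-attributes
 authentication-server-group CORP-LDAP
 ! Second factor: this group must also succeed before a tunnel is built.
 secondary-authentication-server-group CORP-OTP
 default-group-policy RA-USERS
tunnel-group RA-PROFILE webvpn-attributes
 group-alias corp-vpn enable

! --- 4. LOCAL users: lock to one profile, or deny VPN entirely ---
! alice may only connect through RA-PROFILE; any other profile rejects her.
username alice password CHANGE-ME
username alice attributes
 group-lock value RA-PROFILE
 vpn-simultaneous-logins 1
! The admin account exists for device management only and can never
! establish a VPN session, even if its password is guessed.
username admin password CHANGE-ME
username admin attributes
 vpn-simultaneous-logins 0

! --- 5. DAP record that terminates sessions on the default groups ---
! The record itself is CLI; its selection criteria (match the tunnel-group
! AAA attribute against DefaultADMINGroup and DefaultL2LGroup) are set in
! the ASDM DAP editor, which stores them outside the running config.
dynamic-access-policy-record DENY-DEFAULT-GROUPS
 action terminate
 user-message "Default VPN groups are not permitted on this device"

! --- 6. Logging so that brute-force attempts are visible ---
! AAA rejections are logged at informational level (ASA syslog IDs
! 113005 for AAA-server and 113015 for LOCAL-database rejections);
! 192.0.2.10 is a placeholder syslog collector.
logging enable
logging timestamp
logging buffered informational
logging trap informational
logging host inside 192.0.2.10
```

Apply the pieces in the order shown: if the sinkhole and DfltGrpPolicy changes go in before the custom profile exists, legitimate users lose VPN access until step 3 is complete. After the change, a burst of 113005/113015 messages from one source address against the default groups is the signal the last bullet is meant to surface.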

It’s crucial to highlight the importance of multi-factor authentication (MFA) in safeguarding against such threats. Even if account credentials are successfully brute-forced, MFA offers an additional layer of protection, preventing threat operators from breaching accounts and establishing VPN connections. Organizations are strongly urged to prioritize MFA implementation to bolster their network security posture in the face of escalating cyber threats.

At SpearTip, our engineers have the expertise to integrate MFA quickly and seamlessly into your current systems, enabling companies to enhance their security posture immediately. SpearTip’s proactive remediation team will identify the systems requiring MFA and develop an implementation plan tailored to each company’s environment and needs. SpearTip can also help train users on the new MFA solution for a seamless rollout and ensure each company’s IT team knows how to administer the new systems and configurations.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.
