In a recent security alert, Cisco has warned of a zero-day vulnerability, tracked as CVE-2023-20269, that poses a significant threat to its Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) systems. Ransomware gangs are exploiting this flaw as an entry point to infiltrate corporate networks.
The zero-day vulnerability, rated medium severity, specifically affects the VPN feature of Cisco ASA and Cisco FTD. It enables unauthorized remote threat operators to launch brute force attacks against existing accounts and, if successful, gain access to the compromised organization’s network. Once inside, these threat operators can establish a clientless SSL VPN session; the consequences vary depending on the victim organization’s network configuration. The result can be data breaches, wider network compromise, and ransomware attacks, crippling businesses and causing significant financial losses.
The emergence of this zero-day vulnerability follows reports that several ransomware groups, including Akira and LockBit, have been repeatedly exploiting Cisco VPN devices to infiltrate corporate networks. Initially, the security community suspected an undisclosed security flaw, prompting speculation about the nature of the threat. Cisco responded with advisories suggesting that the attacks were primarily the result of brute force attacks on devices without Multi-Factor Authentication (MFA) configured. However, the exact nature of the vulnerability remained unclear. Now, Cisco has confirmed the existence of this zero-day vulnerability that ransomware gangs have used in their attacks. Although the company has offered workarounds in an interim security bulletin, official security updates for the affected products are still pending.
The CVE-2023-20269 vulnerability resides within the web services interface of Cisco ASA and Cisco FTD devices, specifically in the authentication, authorization, and accounting (AAA) functions. The flaw stems from improper separation of the AAA functions from other software features, which lets threat operators reach the authorization components through authentication requests. This is particularly dangerous because threat operators can attempt countless username and password combinations without being rate-limited or locked out for abuse. For a brute force attack to succeed through this vulnerability, certain conditions must be met: at least one user must be configured with a password in the LOCAL database, or HTTPS management authentication must point to a valid AAA server; and SSL VPN or IKEv2 VPN must be enabled on at least one interface.
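Because the device itself does not throttle or lock out the repeated authentication attempts described above, detection has to happen on the log side. The following Python script is an added example for this article, not Cisco's or SpearTip's code: it reads ASA/FTD syslog lines, tracks authentication rejections per source IP in a sliding window, and raises alerts for high-volume failures, password spraying across many usernames, and a successful login for an account that was recently being guessed. The message layouts for ASA message IDs 113005/113015 (authentication rejected) and 113012 (authentication successful) are an assumption about the syslog format and should be checked against what your devices actually emit; the sample log lines are constructed for the example.

```python
"""Detect brute-force / password-spray activity against ASA/FTD VPN authentication
from syslog output. Added example for this article; not vendor code."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed layouts for ASA message IDs 113005/113015 (AAA auth rejected) and
# 113012 (AAA auth successful, local database). Verify against your own logs.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-6-1130(?:05|15): "
    r"AAA user authentication Rejected : reason = (?P<reason>.+?) : "
    r"(?:server = \S+|local database) : user = (?P<user>\S+) : user IP = (?P<ip>\S+)$"
)
SUCCESS_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-6-113012: "
    r"AAA user authentication Successful : local database : user = (?P<user>\S+)$"
)
TS_FMT = "%b %d %Y %H:%M:%S"


def detect_vpn_bruteforce(lines, window_s=300, max_failures=10, max_users=3):
    """Return a list of alert dicts, in the order the triggering lines were seen.

    - "bruteforce": a source IP produced >= max_failures rejections within window_s
    - "spray": a source IP tried >= max_users distinct usernames within window_s
    - "success_after_failures": a username that was rejected inside the window
      then authenticated successfully (worth reviewing even at low failure counts)
    """
    window = timedelta(seconds=window_s)
    per_ip = defaultdict(deque)   # ip -> deque of (timestamp, username) rejections
    failed_users = {}             # username -> timestamp of its last rejection
    alerts, flagged = [], set()   # flagged avoids re-alerting on the same ip/type

    for line in lines:
        m = REJECT_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], TS_FMT)
            ip, user = m["ip"], m["user"]
            q = per_ip[ip]
            q.append((ts, user))
            while q and ts - q[0][0] > window:   # expire events outside the window
                q.popleft()
            failed_users[user] = ts
            users = {u for _, u in q}
            if len(q) >= max_failures and (ip, "bruteforce") not in flagged:
                flagged.add((ip, "bruteforce"))
                alerts.append({"type": "bruteforce", "ip": ip, "failures": len(q), "at": ts})
            if len(users) >= max_users and (ip, "spray") not in flagged:
                flagged.add((ip, "spray"))
                alerts.append({"type": "spray", "ip": ip, "users": sorted(users), "at": ts})
            continue
        m = SUCCESS_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], TS_FMT)
            user = m["user"]
            last = failed_users.get(user)
            if last is not None and ts - last <= window:
                alerts.append({"type": "success_after_failures", "user": user, "at": ts})
    return alerts


# Constructed sample: 12 rejections from one address cycling through three
# usernames, one ordinary typo from another address, then a success for an
# account that was being guessed.
_USERS = ["admin", "backup", "vpnuser"]
SAMPLE_LOGS = [
    f"Sep 07 2023 10:15:{i:02d}: %ASA-6-113015: AAA user authentication Rejected : "
    f"reason = Invalid password : local database : user = {_USERS[i % 3]} : user IP = 203.0.113.5"
    for i in range(12)
] + [
    "Sep 07 2023 10:15:20: %ASA-6-113015: AAA user authentication Rejected : "
    "reason = Invalid password : local database : user = alice : user IP = 198.51.100.20",
    "Sep 07 2023 10:16:30: %ASA-6-113012: AAA user authentication Successful : "
    "local database : user = vpnuser",
]

if __name__ == "__main__":
    for alert in detect_vpn_bruteforce(SAMPLE_LOGS):
        print(alert)
```

Run as-is it prints three alerts for the constructed input (a spray alert once three usernames have been tried, a brute-force alert at the tenth rejection, and a success-after-failures alert for vpnuser) and nothing for the single legitimate failure from 198.51.100.20. The thresholds are deliberately conservative defaults; tune the window and counts to your own baseline of VPN login failures, and feed the same logic a tail of the live syslog stream rather than a static list.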
Cisco has assured users that a security update to address CVE-2023-20269 is in the works. Until these fixes are made available, administrators are advised to take proactive measures to mitigate the threat:
It’s crucial to highlight the importance of multi-factor authentication (MFA) in safeguarding against such threats. Even if account credentials are successfully brute-forced, MFA offers an additional layer of protection, preventing threat operators from breaching accounts and establishing VPN connections. Organizations are strongly urged to prioritize MFA implementation to bolster their network security posture in the face of escalating cyber threats.
At SpearTip, our engineers have the expertise to integrate MFA quickly and seamlessly into your current systems, enabling companies to enhance their security posture immediately. SpearTip’s proactive remediation team will identify the systems requiring MFA and develop a plan to implement MFA tailored to each environment and its needs. SpearTip can also train users on the new MFA solution for a seamless rollout and ensure companies’ IT teams know how to administer the new systems and configurations.
If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.
©2024 SpearTip, LLC. All rights reserved.