Nearly 4-year-old Cisco vuln linked to recent Akira ransomware attacks

January 31, 2024

Security researchers believe the Akira ransomware group could be exploiting a nearly four-year-old Cisco vulnerability and using it as an entry point into organizations’ systems.

In eight of security company TrueSec’s most recent incident response engagements that involved Akira and Cisco’s AnyConnect SSL VPN as the entry point, at least six of the devices were running versions vulnerable to CVE-2020-3259, which was patched in May 2020.

The vulnerability lies in the web services interface of Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) software, allowing attackers to extract secrets, such as usernames and passwords, that are stored in memory in clear text – à la CitrixBleed.

Read More on The Register