On 31 August 2023, Arctic Wolf sent out a bulletin alerting customers to an ongoing brute force campaign targeting Cisco Adaptive Security Appliance (ASA). Subsequently, on 6 September 2023, Cisco published a security advisory warning of a zero-day vulnerability (CVE-2023-20269) in the remote access VPN feature of Cisco ASA and Cisco Firepower Threat Defense (FTD) Software. The flaw stems from improper separation of authentication, authorization, and accounting (AAA), which lets a threat actor attempt an unlimited number of username and password combinations, i.e. brute force the credentials.
This vulnerability can be exploited to allow one or both of the following:
- An unauthenticated remote threat actor to conduct brute force attacks against the credentials of existing accounts in order to establish an unauthorised remote access VPN session.
- An authenticated remote threat actor to establish clientless SSL VPN sessions (only when running Cisco ASA Software Release 9.16 or earlier).
Cisco confirmed in their advisory that they were aware of this vulnerability being exploited by Akira ransomware threat actors to target Cisco VPNs that were not configured for multi-factor authentication. These VPNs make an attractive target for ransomware threat actors due to the level of access they can achieve on a network once compromised.
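Because the flaw removes any lockout on failed VPN logins, the only place defenders will see the attack is in the appliance's AAA logs. The following is an added example, not part of the Arctic Wolf bulletin or any Cisco tooling: it parses constructed syslog lines modelled on the ASA "AAA user authentication Rejected" message (ID 113005; the exact field layout is assumed and may differ between releases) and flags source IPs that exceed a failure threshold inside a sliding time window, also reporting how many distinct usernames were tried so a spray across accounts stands out from one user mistyping a password.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic). Format is modelled on the
# Cisco ASA %ASA-6-113005 message; field order is an assumption of this example.
SAMPLE_LOGS = """\
Sep 06 2023 10:00:01 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = alice : user IP = 203.0.113.7
Sep 06 2023 10:00:09 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = bob : user IP = 203.0.113.7
Sep 06 2023 10:00:17 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = carol : user IP = 203.0.113.7
Sep 06 2023 10:00:26 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = dave : user IP = 203.0.113.7
Sep 06 2023 10:00:34 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = erin : user IP = 203.0.113.7
Sep 06 2023 10:00:41 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = frank : user IP = 203.0.113.7
Sep 06 2023 10:03:12 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = alice : user IP = 198.51.100.9
"""

# Assumed layout of the 113005 message; adjust if your release formats it differently.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-6-113005: "
    r"AAA user authentication Rejected : reason = (?P<reason>[^:]+?) : "
    r"server = \S+ : user = (?P<user>\S+) : user IP = (?P<ip>\S+)$"
)


def parse_rejects(log_text):
    """Return a list of (timestamp, source_ip, username) for each rejected AAA login."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
            events.append((ts, m["ip"], m["user"]))
    return events


def find_bruteforce(log_text, window=timedelta(minutes=5), threshold=5):
    """Map source_ip -> (failures_in_window, distinct_usernames) for every source
    that produced at least `threshold` rejected logins within any `window`."""
    by_ip = defaultdict(list)
    for ts, ip, user in parse_rejects(log_text):
        by_ip[ip].append((ts, user))
    hits = {}
    for ip, evs in by_ip.items():
        evs.sort()  # slide the window forward from each failure in turn
        for i, (start, _) in enumerate(evs):
            users = [u for t, u in evs[i:] if t - start <= window]
            if len(users) >= threshold:
                hits[ip] = (len(users), len(set(users)))
                break
    return hits


if __name__ == "__main__":
    for ip, (count, users) in find_bruteforce(SAMPLE_LOGS).items():
        print(f"{ip}: {count} rejected logins across {users} usernames")
```

Tune `window` and `threshold` to your normal failure rate; the one-off failure from 198.51.100.9 is deliberately left unflagged.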
Recommendations for CVE-2023-20269
Recommendation #1: Apply Workarounds Provided by Cisco
Cisco has not yet released software updates that address this vulnerability. Until fixes are available, Arctic Wolf strongly recommends following the workarounds provided by Cisco in order to limit the impact of brute force attacks and to protect against unauthorised clientless SSL VPN session establishment. See the “Workarounds” section of Cisco’s security advisory for more details.
Please follow your organisation’s patching and testing guidelines to avoid operational impact.
Recommendation #2: Enable Multi-Factor Authentication for all VPN accounts on your Cisco Appliance
If you use Cisco VPNs in your environment, Arctic Wolf strongly recommends enabling MFA for all accounts. This protects against brute force attacks, and against compromised accounts that threat actors purchase on the dark web and use for initial access in ransomware cases.
In all intrusions investigated by Arctic Wolf where initial access was obtained through Cisco VPN credentials to deploy Akira ransomware, multi-factor authentication was not enabled.
Please note that enabling MFA may have operational considerations in your environment.