Saturday, September 9, 2023

(Action required) Patch or mitigate Cisco ASA now - Cisco VPN used to breach networks (Akira ransomware gang) - CVE-2023-20269

Background:

Aug 22, 2023 - Akira ransomware targets Cisco VPNs to breach organizations

https://www.bleepingcomputer.com/news/security/akira-ransomware-targets-cisco-vpns-to-breach-organizations/


Aug 30, 2023 - Hacking campaign bruteforces Cisco VPNs to breach networks

https://www.bleepingcomputer.com/news/security/hacking-campaign-bruteforces-cisco-vpns-to-breach-networks/


Sep 8, 2023 - Cisco warns of VPN zero-day exploited by ransomware gangs

Cisco is warning of a CVE-2023-20269 zero-day vulnerability in its Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) that is actively exploited by ransomware operations to gain initial access to corporate networks.

https://www.bleepingcomputer.com/news/security/cisco-warns-of-vpn-zero-day-exploited-by-ransomware-gangs/?s=08

https://www.helpnetsecurity.com/2023/09/08/cve-2023-20269/


Details:

The vulnerability allows two possible scenarios:

1. An unauthenticated, remote attacker conducting a brute-force attack to identify valid username and password combinations for unauthorized remote access VPN sessions, or

2. An authenticated, remote attacker establishing a clientless SSL VPN session with an unauthorized user (only applicable on Cisco ASA Software Release 9.16 or earlier).

https://isp.page/news/unpatched-cisco-asa-flaw-exploited-by-attackers-cve-2023-20269/


Cisco has yet to address CVE-2023-20269; while waiting for a fix, the company recommends the following mitigations:


    1. Use dynamic access policy (DAP) to terminate VPN tunnel establishment when the DefaultADMINGroup or DefaultL2LGroup connection profile/tunnel group is used.

    2. Deny Remote Access VPN Using the Default Group Policy (DfltGrpPolicy). When the DfltGrpPolicy is not expected to be used for remote access VPN policy assignment, administrators can prevent remote access VPN session establishment using the DefaultADMINGroup or DefaultL2LGroup connection profiles/tunnel groups by setting the vpn-simultaneous-logins option for the DfltGrpPolicy to zero.

    3. Restrict Users in the LOCAL User Database.

    4. Lock Users to a Specific Connection Profile/Tunnel Group Only.

    5. Prevent Users from Establishing Remote Access VPN Sessions.

https://securityaffairs.com/150516/hacking/cve-2023-20269-cisco-asa-e-ftd.html


SOC: what to check in the SIEM logs:

Login attempts with invalid username/password (%ASA-6-113015)

Example:

%ASA-6-113015: AAA user authentication Rejected: reason = reason : local database: user = user: user IP = xxx.xxx.xxx.xxx

Remote access VPN session creation attempts for unexpected connection profiles/tunnel groups (%ASA-4-113019, %ASA-4-722041, or %ASA-7-734003)
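As an added example (not from the post or from Cisco), a small Python detection script that applies the two SIEM checks above to constructed sample log lines: it flags a source IP whose rejections span several distinct usernames (the brute-force scenario) and any session message that names a connection profile outside an allow list. The threshold, the allow list and the field layout of the 113019/734003 sample lines are assumptions; only the 113015 format comes from the post.

```python
import re

# Constructed sample syslog lines. The 113015 layout follows the post; the 113019 and
# 734003 layouts are assumptions modelled on Cisco-style output, not verbatim ASA logs.
SAMPLE_LOGS = """\
%ASA-6-113015: AAA user authentication Rejected: reason = Invalid password : local database: user = admin: user IP = 203.0.113.10
%ASA-6-113015: AAA user authentication Rejected: reason = Invalid password : local database: user = jsmith: user IP = 203.0.113.10
%ASA-6-113015: AAA user authentication Rejected: reason = Invalid password : local database: user = backup: user IP = 203.0.113.10
%ASA-6-113015: AAA user authentication Rejected: reason = Invalid password : local database: user = bob: user IP = 198.51.100.7
%ASA-4-113019: Group = DefaultADMINGroup, Username = bob, IP = 198.51.100.7, Session disconnected. Session Type: SSL, Duration: 0h:00m:05s, Bytes xmt: 0, Bytes rcv: 0, Reason: User Requested
%ASA-4-113019: Group = CORP-RA, Username = alice, IP = 192.0.2.5, Session disconnected. Session Type: SSL, Duration: 2h:10m:00s, Bytes xmt: 100, Bytes rcv: 200, Reason: User Requested
%ASA-7-734003: DAP: User carol, Addr 203.0.113.44: Session Attribute aaa.cisco.tunnelgroup = DefaultL2LGroup
"""

# Connection profiles / tunnel groups that legitimately serve remote access VPN (assumption).
EXPECTED_TUNNEL_GROUPS = {"CORP-RA"}
# Distinct rejected usernames from one source IP before it counts as password spraying (assumption).
BRUTE_FORCE_THRESHOLD = 3

# 113015: pull the rejected username and the client IP.
REJECT_RE = re.compile(r"%ASA-6-113015: .*user = (?P<user>[^:]+): user IP = (?P<ip>\S+)")
# 113019 / 722041 / 734003: pull the connection profile, whichever field label carries it.
GROUP_RE = re.compile(
    r"%ASA-[47]-(?:113019|722041|734003): .*?(?:Group = |TunnelGroup |tunnelgroup = )(?P<group>[\w-]+)"
)


def find_brute_force_sources(lines, threshold=BRUTE_FORCE_THRESHOLD):
    """Return {ip: distinct_usernames} for sources meeting the threshold of rejected usernames."""
    users_by_ip = {}
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            users_by_ip.setdefault(m["ip"], set()).add(m["user"].strip())
    return {ip: len(users) for ip, users in users_by_ip.items() if len(users) >= threshold}


def find_unexpected_tunnel_groups(lines, expected=EXPECTED_TUNNEL_GROUPS):
    """Return (group, line) pairs for session messages naming a profile outside the allow list."""
    hits = []
    for line in lines:
        m = GROUP_RE.search(line)
        if m and m["group"] not in expected:
            hits.append((m["group"], line))
    return hits


if __name__ == "__main__":
    log_lines = SAMPLE_LOGS.splitlines()
    print("brute-force sources:", find_brute_force_sources(log_lines))
    for group, line in find_unexpected_tunnel_groups(log_lines):
        print("unexpected profile", group, "->", line)
```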


Reference:

https://www.govcert.gov.hk/tc/alerts_detail.php?id=1103

Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Remote Access VPN Unauthorized Access Vulnerability: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ravpn-auth-8LyfCkeC

https://security.tencent.com/ti/update_detail/jfeC3Y9tU1NazTsSBPoxWIDAE7Gnrhcg
