On Thursday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) included a recently patched security vulnerability affecting Cisco’s Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software in its Known Exploited Vulnerabilities (KEV) catalog. This update comes in response to indications that the flaw is being actively exploited in attacks involving Akira ransomware.

The vulnerability, identified as CVE-2020-3259, has a CVSS score of 7.5, categorizing it as a high-severity information disclosure issue. Exploiting this flaw could enable attackers to access and retrieve sensitive memory contents from affected devices. Cisco had addressed this vulnerability in updates released back in May 2020.

Reports from cybersecurity firm Truesec indicate that Akira ransomware operators have been leveraging this particular vulnerability to compromise several vulnerable Cisco AnyConnect SSL VPN appliances over the previous year. The absence of publicly available exploit code for CVE-2020-3259 suggests that attackers must either develop or purchase such code, which requires specialized knowledge of the vulnerability itself, as noted by researcher Heresh Zaremand.

According to Palo Alto Networks’ Unit 42, the Akira ransomware group is among 25 new groups that have launched data leak sites in 2023, claiming nearly 200 victim organizations. First detected in March 2023, Akira is considered to have ties to the notorious Conti ransomware syndicate, as ransom payments have reportedly been funneled into wallets associated with that group.

During the fourth quarter of 2023, Akira documented 49 victims on its data leak portal, ranking well behind more prolific groups such as LockBit and Play. The KEV listing nonetheless underscores the ongoing threat: Federal Civilian Executive Branch (FCEB) agencies are mandated to remediate the vulnerability by March 7, 2024, to safeguard their networks against such attacks.

In addition to CVE-2020-3259, ransomware actors are exploiting various other vulnerabilities. A recent report from Arctic Wolf Labs pointed to the exploitation of CVE-2023-22527, a critical vulnerability in Atlassian Confluence products, as a vehicle for deploying C3RB3R ransomware, among other malicious tools. This demonstrates the evolving landscape of cyber threats that businesses must navigate.

At the same time, the U.S. State Department has announced rewards of up to $10 million for information leading to the identification of key members of the BlackCat ransomware group, alongside incentives for details that may lead to the arrest of its affiliates. This highlights the government’s commitment to combating ransomware threats.

As the ransomware landscape becomes increasingly hazardous, new players like Alpha and Wing are emerging, seeking rapid financial gains. There are indications that Alpha could be linked to NetWalker, another notorious group that was shut down in early 2021 following an international law enforcement operation. Such connections raise concerns about potential revivals of old ransomware methodologies.

In light of these developments, the U.S. Government Accountability Office has emphasized the need for better oversight regarding recommended practices for addressing ransomware threats, particularly for critical sectors like healthcare and transportation.

As businesses continue to face escalating cybersecurity risks, familiarity with the MITRE ATT&CK framework—particularly tactics such as initial access, persistence, and privilege escalation—becomes essential in mitigating potential vulnerabilities and defending against future attacks.