Akira Ransomware exploits Cisco ASA/FTD vulnerability


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a now-patched security flaw affecting Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software to its Known Exploited Vulnerabilities (KEV) catalog, following reports that it is likely being exploited in Akira ransomware attacks.

The vulnerability in question is CVE-2020-3259 (CVSS score: 7.5), a high-severity information disclosure issue that could allow an unauthenticated, remote attacker to retrieve memory contents from an affected device. Cisco patched it as part of updates released in May 2020.

Late last month, cybersecurity firm Truesec said it had found evidence indicating that the flaw had been weaponized by Akira ransomware actors over the past year to compromise multiple susceptible Cisco AnyConnect SSL VPN appliances.

"There is no publicly available exploit code for [...] CVE-2020-3259, which means a threat actor, like Akira, exploiting this vulnerability would need to purchase or produce exploit code themselves, which requires deep insights into the vulnerability," security researcher Heresh Zaremand said.

According to Palo Alto Networks Unit 42, Akira is one of 25 groups that established new data leak sites in 2023, with the ransomware group publicly claiming nearly 200 victims. The group, first observed in March 2023, is believed to share connections with the notorious Conti syndicate, based on the fact that it sent ransom proceeds to Conti-affiliated wallet addresses.

In the fourth quarter of 2023 alone, the e-crime group listed 49 victims on its data leak portal, putting it behind LockBit (275), Play (110), ALPHV/BlackCat (102), NoEscape (76), 8Base (75) and Black Basta (72).

Federal Civilian Executive Branch (FCEB) agencies are required to remediate the vulnerability by March 7, 2024, to secure their networks against potential threats.

CVE-2020-3259 is far from the only flaw that can be exploited to deliver ransomware. Earlier this month, Arctic Wolf Labs revealed the exploitation of CVE-2023-22527 – a recently discovered flaw in the Atlassian Confluence Data Center and Confluence Server – to deploy C3RB3R ransomware, as well as cryptocurrency miners and remote access Trojans.

The development comes as the US State Department announced rewards of up to $10 million for information leading to the identification or location of key members of the BlackCat ransomware gang, in addition to offering up to $5 million for information leading to the arrest or conviction of its affiliates.


The ransomware-as-a-service (RaaS) scheme, much like Hive before it, has affected more than 1,000 victims worldwide and generated at least $300 million in illicit profits since emerging in late 2021. It was disrupted in December 2023 following an internationally coordinated law enforcement operation.

The ransomware landscape has become a lucrative market, attracting the attention of cybercriminals looking for quick financial gain, leading to the emergence of new players such as Alpha (not to be confused with ALPHV) and Wing.

In a report published at the end of January 2024, the U.S. Government Accountability Office (GAO) called for better oversight of recommended practices to tackle ransomware, especially for organizations in the critical manufacturing, energy, healthcare and public health, and transportation systems sectors.
