Akira ransomware exploiting CVE-2020-3259 Cisco FTD Bug

This week, the U.S. CISA added a Cisco ASA and FTD bug, tracked as CVE-2020-3259, to its Known Exploited Vulnerabilities catalog.

The vulnerability CVE-2020-3259 is an information disclosure issue that resides in the web services interface of ASA and FTD. Cisco addressed the flaw in May 2020.

The issue was listed by CISA as known to be used in ransomware campaigns, but the agency did not reveal which ransomware groups are actively exploiting the issue.

In January, researchers from cybersecurity firm Truesec reported that the Akira ransomware group exploited the vulnerability in attacks targeting Cisco ASA and FTD appliances.

An attacker can trigger the vulnerability to extract sensitive data from the memory of the affected devices, including usernames and passwords.

The researchers analyzed eight incidents involving the Akira ransomware and confirmed that the flaw in Cisco AnyConnect SSL VPN was the entry point in at least six of the compromised devices. When the vulnerability was made public in 2020, no known public exploits were available. However, there are now indications that this vulnerability might be actively exploited.

Active since March 2023, the Akira ransomware and the threat actors behind the malware claim to have already hacked multiple organizations in multiple industries, including education, finance, and real estate. Like other ransomware gangs, the group has developed a Linux encryptor to target VMware ESXi servers.

CISA orders federal agencies to fix CVE-2020-3259 by March 7, 2024.
