(Action required) Patch or mitigate Cisco ASA now - Cisco VPN used to breach networks (Akira ransomware gang) - CVE-2023-20269



Aug 22, 2023 - Akira ransomware targets Cisco VPNs to breach organizations



Aug 30, 2023 - Hacking campaign bruteforces Cisco VPNs to breach networks



Sep 8, 2023 - Cisco warns of VPN zero-day exploited by ransomware gangs

Cisco is warning of a CVE-2023-20269 zero-day vulnerability in its Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) that is actively exploited by ransomware operations to gain initial access to corporate networks.





The vulnerability allows two scenarios:

1. an unauthenticated, remote attacker conducts a brute-force attack to identify valid username and password combinations that can then be used to establish unauthorized remote access VPN sessions;

2. an authenticated, remote attacker establishes a clientless SSL VPN session with an unauthorized user (only applicable on Cisco ASA Software Release 9.16 or earlier).



Cisco has yet to patch CVE-2023-20269; until a fix is available, the company recommends the following workarounds:


    1. Use dynamic access policy (DAP) to terminate VPN tunnel establishment when the DefaultADMINGroup or DefaultL2LGroup connection profile/tunnel group is used.

    2. Deny Remote Access VPN Using the Default Group Policy (DfltGrpPolicy). When the DfltGrpPolicy is not expected to be used for remote access VPN policy assignment, administrators can prevent remote access VPN session establishment using the DefaultADMINGroup or DefaultL2LGroup connection profiles/tunnel groups by setting the vpn-simultaneous-logins option for the DfltGrpPolicy to zero.

    3. Restrict Users in the LOCAL User Database.

    4. Lock Users to a Specific Connection Profile/Tunnel Group Only.

    5. Prevent Users from Establishing Remote Access VPN Sessions.



SOC: check the following in the SIEM logs:

Login attempts with an invalid username/password (%ASA-6-113015), for example:


%ASA-6-113015: AAA user authentication Rejected: reason = reason : local database: user = user: user IP = xxx.xxx.xxx.xxx

Remote access VPN session creation attempts for unexpected connection profiles/tunnel groups (%ASA-4-113019, %ASA-4-722041, or %ASA-7-734003)
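A SIEM-side check for the two indicators above, as an added example that is not part of the advisory or Cisco's own tooling: it counts %ASA-6-113015 rejections per source IP inside a sliding window and flags session messages that name the DefaultADMINGroup or DefaultL2LGroup profiles. The sample lines are constructed; the timestamp prefix and the 113019/722041 field layouts the regexes assume should be checked against your own device output.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Connection profiles Cisco's workaround says should carry no remote-access VPN sessions.
UNEXPECTED_GROUPS = {"DefaultADMINGroup", "DefaultL2LGroup"}
# %ASA-6-113015 rejections, following the message template quoted in the advisory.
REJECT_RE = re.compile(r"%ASA-6-113015: AAA user authentication Rejected\s*: reason = (?P<reason>.+?)"
                       r"\s*: local database\s*: user = (?P<user>\S+?)\s*: user IP = (?P<ip>[\d.]+)")
# Tunnel group named in %ASA-4-113019 ("Group = X,") and %ASA-4-722041 ("TunnelGroup X ") messages (assumed layouts).
GROUP_RE = re.compile(r"%ASA-4-(?:113019: Group = |722041: TunnelGroup )(?P<group>[\w-]+)")

# Constructed sample (not real device output): ISO timestamp, hostname, then the ASA message.
SAMPLE_LOG = """\
2023-09-08T10:00:01 fw01 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = admin : user IP = 203.0.113.5
2023-09-08T10:00:09 fw01 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = vpnuser : user IP = 203.0.113.5
2023-09-08T10:00:15 fw01 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = backup : user IP = 203.0.113.5
2023-09-08T10:00:22 fw01 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = test : user IP = 203.0.113.5
2023-09-08T10:00:30 fw01 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = guest : user IP = 203.0.113.5
2023-09-08T10:01:45 fw01 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = alice : user IP = 198.51.100.7
2023-09-08T10:02:10 fw01 %ASA-4-722041: TunnelGroup DefaultADMINGroup GroupPolicy DfltGrpPolicy User test IP 203.0.113.5 No IPv6 address available for SVC connection
2023-09-08T10:30:00 fw01 %ASA-4-113019: Group = DefaultWEBVPNGroup, Username = bob, IP = 198.51.100.9, Session disconnected. Session Type: SSL, Duration: 0h:20m:00s, Bytes xmt: 1024, Bytes rcv: 2048, Reason: User Requested
"""

def failed_logins_by_ip(log, threshold=5, window=timedelta(minutes=5)):
    """Source IP -> highest number of 113015 rejections inside any sliding `window`, for IPs reaching `threshold`."""
    stamps = defaultdict(list)
    for line in log.splitlines():
        m = REJECT_RE.search(line)
        if m:
            stamps[m["ip"]].append(datetime.fromisoformat(line.split(" ", 1)[0]))
    suspicious = {}
    for ip, times in stamps.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # slide the window's left edge forward
                start += 1
            if end - start + 1 >= threshold:
                suspicious[ip] = max(end - start + 1, suspicious.get(ip, 0))
    return suspicious

def unexpected_group_sessions(log):
    """(tunnel group, line) for session messages naming a profile that should carry no RA VPN sessions."""
    return [(m["group"], line) for line in log.splitlines()
            for m in [GROUP_RE.search(line)] if m and m["group"] in UNEXPECTED_GROUPS]
```

In the sample, only 203.0.113.5 reaches five rejections inside the window, and only the 722041 line names a profile from the workaround list.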




Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Remote Access VPN Unauthorized Access Vulnerability : https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ravpn-auth-8LyfCkeC


