Denmark’s CFCS Raises Alarm on Ransomware Exploiting Cisco VPN Flaw CVE-2023-20269

CVE-2023-20269 exploit

The Danish Centre for Cyber Security (CFCS) is warning of increased ransomware activity, exploiting CVE-2023-20269, a vulnerability that affects the VPN feature in Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) products.

The Center for Cybersecurity (CFCS) has recently observed that ransomware perpetrators are actively exploiting a Cisco vulnerability (CVE-2023-20269) in their assaults, including within Denmark. The CFCS recommends adhering to Cisco’s guidance for updates, particularly emphasizing the use of robust passwords and multi-factor authentication (MFA),reads the alert (translated).

CVE-2023-20269 exploit

The CVE-2023-20269 bug lies within the remote access VPN feature of Cisco’s renowned ASA and FTD software. With a CVSS score of 5.0, it might seem like a middling threat. This flaw provides a dual-threat avenue:

  1. It allows unsolicited attackers to wage a brute-force assault to uncover valid username-password combos.
  2. Permits these attackers to set up a clientless SSL VPN session with an unauthorized user.

Recognized as a zero-day threat by Cisco in September 2023, remedies were swiftly charted out the following month. Yet, the threat loomed large as early as August 2023, with the Akira ransomware exploiting this weakness to gain unauthorized access. Upon breaching the network, it embarks on a reconnaissance mission, mapping the network’s contours, and targeting backups and critical servers. It prowls the digital halls of Windows servers, pilfering usernames and passwords, encrypting vital files, and laying siege to the disks of virtual machines, particularly those nestled within VMware products.

In response to this escalating threat, the CFCS’s message is unequivocal: organizations must upgrade to Cisco ASA 9.16.2.11 or later and Cisco FTD 6.6.7 or later.