CISA Warning: Akira Ransomware Exploiting Cisco ASA/FTD Vulnerability

Following reports that it is likely being exploited in Akira ransomware attacks, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a now-patched security flaw affecting Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software to its Known Exploited Vulnerabilities (KEV) catalog.

The flaw in question is CVE-2020-3259 (CVSS score: 7.5), a high-severity information disclosure vulnerability that could allow an attacker to retrieve memory contents from an affected device. Cisco fixed it in updates released in May 2020.

Late last month, the cybersecurity company Truesec reported that it had found evidence indicating Akira ransomware attackers had weaponized the flaw over the past year to compromise several vulnerable Cisco AnyConnect SSL VPN appliances.

“There is no publicly available exploit code for […] CVE-2020-3259, meaning that a threat actor, such as Akira, exploiting that vulnerability would need to buy or produce exploit code themselves, which requires deep insights into the vulnerability,” stated Heresh Zaremand, a security researcher.

According to Palo Alto Networks Unit 42, Akira is one of 25 groups that newly established data leak sites in 2023, and the ransomware group has publicly claimed nearly 200 victims. The operation was first observed in March 2023, and it is believed to be linked to the notorious Conti syndicate because ransom payments were sent to wallet addresses associated with Conti.

In the fourth quarter of 2023 alone, the e-crime outfit listed 49 victims on its data leak site, trailing only LockBit (275), Play (110), ALPHV/BlackCat (102), NoEscape (76), 8Base (75), and Black Basta (72).

Federal Civilian Executive Branch (FCEB) agencies are required to remediate the vulnerability by March 7, 2024, to secure their networks against potential attacks.

CVE-2020-3259 is by no means the only vulnerability being exploited to deliver ransomware. Earlier this month, Arctic Wolf Labs disclosed that CVE-2023-22527, a recently discovered flaw in Atlassian Confluence Data Center and Confluence Server, is being abused to deploy C3RB3R ransomware, cryptocurrency miners, and remote access trojans.

The development coincides with the U.S. State Department's announcement of rewards of up to $10 million for information that could help locate or identify key members of the BlackCat ransomware gang, and up to $5 million for information leading to the arrest or conviction of the group's affiliates.

Like Hive, the ransomware-as-a-service (RaaS) scheme has affected more than 1,000 victims worldwide and generated at least $300 million in illicit revenue since it first surfaced in late 2021. It was disrupted in December 2023 as part of a coordinated international operation.

The ransomware market has become highly lucrative, attracting cybercriminals looking for a quick payday. As a result, new players such as Wing and Alpha (not to be confused with ALPHV) have emerged.

There are indications that Alpha may be connected to NetWalker, which was taken down in January 2021 following a global law enforcement effort. The links stem from overlaps in source code and in attack tactics, techniques, and procedures (TTPs).

“Alpha may be an attempt at reviving the old ransomware operation by one or more of the original NetWalker developers,” Symantec, part of Broadcom, stated. “Alternatively, the attackers behind Alpha may have acquired and modified the original NetWalker payload in order to launch their own ransomware operation.”

In a report released at the end of January 2024, the U.S. Government Accountability Office (GAO) called for increased oversight of recommended practices for addressing ransomware, particularly for organizations in the critical manufacturing, energy, healthcare and public health, and transportation systems sectors.
