U.S. Cybersecurity Agency Adds Cisco Security Flaw Exploited in Akira Ransomware Attacks to Known Vulnerabilities List
ICARO Media Group
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has included a security flaw that affected Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software in its Known Exploited Vulnerabilities (KEV) catalog. The flaw, known as CVE-2020-3259, was patched by Cisco in May 2020 but has reportedly been exploited in Akira ransomware attacks.
CVE-2020-3259 is an information disclosure issue with a high severity rating, receiving a CVSS score of 7.5. The vulnerability allows attackers to retrieve memory contents from affected devices. Cybersecurity firm Truesec found evidence that the flaw has been weaponized by Akira ransomware actors, who have targeted multiple susceptible Cisco AnyConnect SSL VPN appliances over the past year.
Security researcher Heresh Zaremand highlighted the challenge faced by threat actors in exploiting CVE-2020-3259, as there is no publicly available exploit code. This means that a threat actor would need to either purchase or create their own exploit code, requiring in-depth knowledge of the vulnerability.
Akira is among the 25 groups that have recently established data leak sites, with the ransomware group claiming nearly 200 victims. The group is believed to have connections with the Conti syndicate, as the ransom proceeds were sent to Conti-affiliated wallet addresses. In the fourth quarter of 2023, Akira listed 49 victims on its data leak portal.
Federal Civilian Executive Branch (FCEB) agencies have been directed to remediate identified vulnerabilities by March 7, 2024, in order to secure their networks against potential threats.
CVE-2020-3259 is not the only flaw exploited in ransomware attacks. Recently, a vulnerability known as CVE-2023-22527 in Atlassian Confluence Data Center and Confluence Server was abused to deliver the C3RB3R ransomware, cryptocurrency miners, and remote access trojans. The ransomware-as-a-service (RaaS) scheme, similar to Hive, affected more than 1,000 victims worldwide and generated illicit profits of at least $300 million since late 2021. The operation was disrupted in December 2023 through an international coordinated effort.
In light of these developments, it is crucial for organizations to promptly apply security patches and take necessary measures to protect their networks from these vulnerabilities and potential ransomware attacks.