The PacketWatch Intelligence Team
Welcome back to another week of Cyber Threat Intelligence (CTI). This week's report highlights Cisco devices being targeted by ransomware gangs, a critical authentication bypass flaw for Cisco Broadworks, and a new zero-click, zero-day exploit found for iPhones.
Cisco Devices Actively Targeted by Ransomware Gangs
Over the last several weeks, there have been multiple reports of ransomware gangs such as Akira and Lockbit infiltrating corporate networks via Cisco VPN devices. However, although it was known which devices were used as the initial entry point, it was unclear exactly how these threat actors exploited the devices to get their initial foothold. This week, Cisco disclosed the existence of a zero-day vulnerability that was used by these ransomware gangs and has provided workarounds to mitigate the attack.
What devices are affected?
CVE-2023-20269
The vulnerability, CVE-2023-20269, is a flaw in the web services interface of the Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) devices.
Abuse of this vulnerability allows the attacker to send authentication requests to the web services interface without limitation, effectively allowing the attacker to brute force credentials and gain access to the system.
It should be noted that several conditions need to be met for the vulnerability to be present:
- At least one user is configured with a password in the LOCAL database or HTTPS management authentication points to a valid AAA (authentication, authorization, and accounting) server.
- SSL VPN is enabled on at least one interface or IKEv2 VPN is enabled on at least one interface.
- Device must be running Cisco ASA Software Release 9.16 or earlier.
If these conditions are met, and the attacker can successfully guess the correct username and password combination, they can establish a clientless SSL VPN connection.
In addition to the above conditions being required for the attack to occur, to establish the clientless SSL VPN connection, the clientless SSL VPN protocol must be allowed in the DfltGrpPolicy.
How can you protect your organization?
At the time of this writing, there is not a patch for this vulnerability. Instead, Cisco has released a set of steps that can be taken to mitigate the attack:
- Use Dynamic Access Policies (DAP) to prohibit VPN tunnels with DefaultADMINGroup or DefaultL2LGroup.
- Deny access with Default Group Policy by adjusting vpn-simultaneous-logins for DfltGrpPolicy to zero and ensuring that all VPN session profiles point to a custom policy.
- Implement LOCAL user database restrictions by locking specific users to a single profile with the 'group-lock' option and prevent VPN setups by setting 'vpn-simultaneous-logins' to zero.
Arguably, the most crucial mitigating factor is the use of multi-factor authentication (MFA). Even if the threat actor can successfully brute-force account credentials, the extra authentication step would prevent the attacker from successfully authenticating.
Additionally, Cisco added a recommendation for catching attempted attacks.
To do this, secure the Default Remote Access VPN profiles by pointing all non-default profiles to a sinkhole AAA (dummy LDAP) server and enable logging. These logs will show the brute-force login attempts and allow administrators to act accordingly.
Additional Resources
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ravpn-auth-8LyfCkeC
- https://www.bleepingcomputer.com/news/security/cisco-warns-of-vpn-zero-day-exploited-by-ransomware-gangs/
- https://www.bleepingcomputer.com/news/security/hacking-campaign-bruteforces-cisco-vpns-to-breach-networks/
- https://blogs.cisco.com/security/akira-ransomware-targeting-vpns-without-multi-factor-authentication
- https://www.rapid7.com/blog/post/2023/08/29/under-siege-rapid7-observed-exploitation-of-cisco-asa-ssl-vpns/
Authentication Bypass in Cisco BroadWorks
CVE-2023-20238
A critical authentication bypass flaw, CVE-2023-20238, was disclosed for the Cisco BroadWorks Application Delivery Platform and Cisco BroadWorks Xtended Services Platform.
Successful exploitation of this flaw can allow attackers to execute commands, access confidential data, alter user settings, and more.
Additionally, one of the following apps must be active on the platform in order to be vulnerable:
|
AuthenticationService |
BWCallCenter |
BWReceptionist |
CustomMediafilesRetrieval |
|
ModeratorClientApp |
PublicECLQuery |
PublicReporting |
UCAPI |
|
Xsi-Actions |
Xsi-Events |
Xsi-MMTel |
Xsi-VTR |
A final prerequisite for successful exploitation of this vulnerability is the attacker must have a valid user ID linked to the targeted Cisco BroadWorks system.
There are no reports of this vulnerability being exploited in the wild, but users are strongly urged to update to version AP.platform.23.0.1075.ap385341 as soon as possible.
It should be noted that this vulnerability impacts version 22.0, but Cisco will not be releasing a security update for that version, and users are strongly encouraged to upgrade to the version 23.0 branch and apply the security update.
Additional Resources
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-bw-auth-bypass-kCggMWhX
- https://www.bleepingcomputer.com/news/security/cisco-broadworks-impacted-by-critical-authentication-bypass-flaw/
New Zero-Click Zero-Day Exploit Found for iPhone, BlastPass
CVE-2023-41064 and CVE-2023-41061
Security researchers at Citizen Lab have identified a new iOS vulnerability that was being leveraged in the wild to deploy the NSO Group's Pegasus spyware on iPhones. The two CVEs related to the exploit chain are CVE-2023-41064 and CVE-2023-41061. To exploit these vulnerabilities, the attacker sends an attachment via iMessage to the victim containing a malicious PassKit attachment. No interaction was required by the user for the exploit to be successful. The vulnerabilities affect:
- iPhone 8 and newer
- All models of iPad Pro, iPad Air Gen 3+, iPad Gen 5+, iPad mini Gen 5+
- Macs running macOS Ventura
- Apple Watch Series 4 and later
Users are strongly advised to install the latest security updates for each device: macOS Ventura 13.5.2, iOS 16.6.1, iPadOS 16.6.1, and watchOS 9.6.2. It should also be noted that placing devices in Lockdown Mode will successfully block this attack.
Additional Resources
- https://citizenlab.ca/2023/09/blastpass-nso-group-iphone-zero-click-zero-day-exploit-captured-in-the-wild/
- https://www.bleepingcomputer.com/news/apple/apple-discloses-2-new-zero-days-exploited-to-attack-iphones-macs/
- https://support.apple.com/en-ca/HT212650
PacketWatch publishes this report and other cybersecurity threat intel to the security community for free via our blog. If you are interested in personalized threat intel, contact us today to learn about our enterprise threat intelligence services.
Disclaimer
Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.