Cisco on Thursday confirmed the existence of a currently unpatched zero-day vulnerability that hackers are exploiting to gain unauthorized access to two widely used security appliances it sells.
The vulnerability resides in Cisco’s Adaptive Security Appliance Software and its Firepower Threat Defense, which are typically abbreviated as ASA and FTD. Cisco and researchers have known since last week that a ransomware crime syndicate called Akira was gaining access to devices through password spraying and brute-forcing. Password spraying, also known as credential stuffing, involves trying a handful of commonly used passwords for a large number of usernames in an attempt to prevent detection and subsequent lockouts. In brute-force attacks, hackers use a much larger corpus of password guesses against a more limited number of usernames.
Ongoing attacks since (at least) March
“An attacker could exploit this vulnerability by specifying a default connection profile/tunnel group while conducting a brute force attack or while establishing a clientless SSL VPN session using valid credentials,” Cisco officials wrote in an advisory. “A successful exploit could allow the attacker to achieve one or both of the following: