Plug these vulnerabilities in VMware, Cisco products

Administrators of VMware and certain devices from Cisco Systems are being warned to install patches as soon as possible to close serious vulnerabilities.

Multiple vulnerabilities in VMware’s Aria Operations for Networks have been discovered, with patches issued earlier this week. Meanwhile, researchers at Rapid7 this week issued a detailed report on the vulnerabilities in the physical and virtual versions of Cisco’s ASA SSL VPN appliances being targeted by those deploying the Akira ransomware. This was reported on last week in a Cyber Security Today podcast.

VMware said the most serious problem (CVE-2023-34039) in Aria Operations for Networks is an authentication bypass vulnerability caused by a lack of unique cryptographic key generation. A malicious actor with network access to the application could bypass SSH authentication to gain access to the Aria Operations for Networks interface. VMware gives the flaw a CVSSv3 base score of 9.8.

The second vulnerability (CVE-2023-20890), rated at 7.2, is an arbitrary file write bug. An authenticated malicious actor with administrative access to Aria Operations for Networks can write files to arbitrary locations, resulting in remote code execution.

Rapid7 said its researchers detected increased attempts at getting into Cisco ASA SSL VPN appliances going back to at least March 2023. In some cases, adversaries have conducted credential stuffing attacks that leveraged weak or default passwords, the report says. In others, the activity appears to be the result of targeted brute-force attacks on ASA appliances where multi-factor authentication (MFA) was either not enabled or was not enforced for all users in a group. Several incidents ended in ransomware deployment by the Akira and LockBit groups.

Rapid7 identified at least 11 of its customers who experienced Cisco ASA-related intrusions between March 30 and August 24.

Tip for infosec pros and security awareness trainers: In most of the incidents Rapid7 investigated, threat actors attempted to log into ASA appliances with a common set of usernames, including:

  • admin
  • adminadmin
  • backupadmin
  • kali
  • cisco
  • guest
  • accounting
  • developer
  • ftp user
  • training
  • printer
  • echo
  • security
  • inspector
  • test test
  • snmp
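One defensive use of that username list is as a detection signal: a source address that walks through these names, or that racks up many rejected logins, is the brute-force pattern Rapid7 describes, and it is the kind of activity MFA enforcement for every VPN group is meant to blunt. The following is an added example, not code from Rapid7 or Cisco; it assumes ASA syslog rejection messages (ID 113005) in the field layout shown, and the sample log lines are constructed.

```python
import re
from collections import defaultdict

# Usernames Rapid7 observed in ASA login attempts (the list above).
COMMON_USERNAMES = {
    "admin", "adminadmin", "backupadmin", "kali", "cisco", "guest",
    "accounting", "developer", "ftp user", "training", "printer", "echo",
    "security", "inspector", "test test", "snmp",
}

# Assumed layout of an ASA AAA rejection message (ID 113005); field order
# and spacing are an assumption here, adjust to what your collector emits.
REJECT_RE = re.compile(
    r"%ASA-6-113005: AAA user authentication Rejected.*?"
    r"user = (?P<user>[^:]+?) : user IP = (?P<ip>[\d.]+)"
)

def parse_rejects(lines):
    """Yield (source_ip, username) for each rejected-login line."""
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user").strip()

def flag_brute_force(lines, threshold=5):
    """Return {ip: {"failures": n, "common_usernames": [...]}} for sources
    with >= threshold rejections or any username from the Rapid7 list."""
    failures = defaultdict(int)
    tried = defaultdict(set)
    for ip, user in parse_rejects(lines):
        failures[ip] += 1
        if user.lower() in COMMON_USERNAMES:
            tried[ip].add(user.lower())
    return {
        ip: {"failures": n, "common_usernames": sorted(tried[ip])}
        for ip, n in failures.items() if n >= threshold or tried[ip]
    }

# Constructed sample lines (not real traffic): one source walking the
# username list, one legitimate user mistyping a password twice.
_PREFIX = "%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : "
SAMPLE_LOGS = [_PREFIX + s for s in (
    "user = admin : user IP = 203.0.113.7",
    "user = cisco : user IP = 203.0.113.7",
    "user = kali : user IP = 203.0.113.7",
    "user = jsmith : user IP = 198.51.100.20",
    "user = jsmith : user IP = 198.51.100.20",
)]
```

Run `flag_brute_force(SAMPLE_LOGS)` to see only the 203.0.113.7 source reported; the two jsmith failures stay below the threshold and use no listed username.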

Here’s another interesting nugget from the report: In February, a well-known initial access broker called “Bassterlord” was observed in XSS forums selling a guide on breaking into corporate networks. The guide, which included chapters on SSL VPN brute forcing, was being sold for US$10,000. When several other forums started leaking information from the guide, Bassterlord also offered to rent access to the guide for as little as US$300 for one month.

Rapid7 obtained a leaked copy of the manual, which includes the claim that the author had compromised 4,865 Cisco SSL VPN services and 9,870 Fortinet VPN services with the username/password combination test:test.

“It’s possible,” the report says, “that given the timing of the dark web discussion and the increased threat activity we observed, the manual’s instruction contributed to the uptick in brute force attacks targeting Cisco ASA VPNs.”

Howard Solomon
Currently a freelance writer. Former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, Howard has written for several of ITWC's sister publications, including ITBusiness.ca. Before arriving at ITWC he served as a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.