Plug these vulnerabilities in VMware, Cisco products

Share post:

Administrators of VMware and certain devices from Cisco Systems are being warned to install patches as soon as possible to close serious vulnerabilities.

Multiple vulnerabilities in VMware’s Aria Operations for Networks have been discovered, with patches issued earlier this week.  Meanwhile, researchers at Rapid7 this week issued a detailed report on the vulnerabilities in the physical and virtual versions of Cisco’s ASA SSL VPN appliances being targeted by those deploying the Akira ransomware. This was reported on last week in a Cyber Security Today podcast.

VMware said the most serious problem (CVE-2023-34039) in Aria Operations for Networks is that it contains an authentication bypass vulnerability because of a lack of unique cryptographic key generation. A malicious actor with network access to the application could bypass SSH authentication to gain access to the Aria Operations for Networks interface. It gives the hole a CVSSv3 base score of 9.8.

The second vulnerability (CVE-2023-20890), rated at 7.2, is an arbitrary file write bug. An authenticated malicious actor with administrative access to Aria Operations for Networks can write files to arbitrary locations, resulting in remote code execution.

Rapid7 said its researchers detected increased attempts at getting into Cisco ASA SSL VPN appliances going back to at least March 2023. In some cases, adversaries have conducted credential stuffing attacks that leveraged weak or default passwords, the report says. In others, the activity appears to be the result of targeted brute-force attacks on ASA appliances where multi-factor authentication (MFA) was either not enabled or was not enforced for all users in a group. Several incidents ended in ransomware deployment by the Akira and LockBit groups.

Rapid7 identified at least 11 of its customers who experienced Cisco ASA-related intrusions between March 30 and August 24.

Tip for infosec pros and security awareness trainers: In most of the incidents Rapid7 investigated, threat actors attempted to log into ASA appliances with a common set of usernames, including:

  • admin
  • adminadmin
  • backupadmin
  • kali
  • cisco
  • guest
  • accounting
  • developer
  • ftp user
  • training
  • printer
  • echo
  • security
  • inspector
  • test test
  • snmp.

Here’s another interesting nugget from the report: In February, a well-known initial access broker called “Bassterlord” was observed in XSS forums selling a guide on breaking into corporate networks. The guide, which included chapters on SSL VPN brute forcing, was being sold for US$10,000. When several other forums started leaking information from the guide, Bassterlord also offered to rent access to the guide for as little as US$300 for one month.

Rapid7 obtained a leaked copy of the manual, which includes the claim that the author had compromised 4,865 Cisco SSL VPN services and 9,870 Fortinet VPN services with the username/password combination test:test.

“It’s possible,” the report says, “that given the timing of the dark web discussion and the increased threat activity we observed, the manual’s instruction contributed to the uptick in brute force attacks targeting Cisco ASA VPNs.”

The post Plug these vulnerabilities in VMware, Cisco products first appeared on IT World Canada.
Howard Solomon
Howard Solomonhttps://www.itworldcanada.com
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

SUBSCRIBE NOW

Related articles

Anthropic Warns: AI “Virtual Employees” Could Pose Security Risks Within a Year

Anthropic, a leading artificial intelligence company, anticipates that AI-powered virtual employees could begin operating within corporate networks as...

Hertz Data Breach Exposes Customer Information via Supply Chain Hack

Hertz has disclosed a data breach resulting from a cyberattack on its vendor, Cleo Communications, which compromised sensitive...

Google’s New Security Feature – Automatic Reboot

Google is introducing a new security feature in its latest Android update that will automatically reboot phones and...

Cybersecurity Firm Prodaft Buys Hacker Forum Accounts to Monitor Cybercriminal Activity

Swiss cybersecurity company Prodaft has initiated a program to purchase verified and aged accounts on hacking forums, aiming...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways