On August 31, 2023, Arctic Wolf sent out a bulletin alerting customers to an ongoing brute force campaign targeting Cisco Adaptive Security Appliance (ASA). Subsequently, on September 6, 2023, Cisco published a security advisory warning of a zero-day vulnerability (CVE-2023-20269) in the remote access VPN feature of Cisco ASA and Cisco Firepower Threat Defense (FTD) Software.

There was some good news on the cybersecurity front in August, starting with a joint effort by U.S. and European authorities that broke up a far-reaching network of compromised computers used in attacks on healthcare organizations around the world. The takedown also netted more than $8 million in illicit cryptocurrency from Russian-affiliated hacking groups.

The value of cybersecurity solutions is uniquely difficult to quantify. As with any risk-reduction investment, the ideal outcome is we simply avoid the outcome we’re defending against. But then how can we understand the value of our security strategy? Even if we can identify attempted compromises that are thwarted, it’s still challenging to scope out the potential impacts we were able to avert.

On Tuesday, August 29, 2023, VMware disclosed a critical authentication bypass vulnerability (CVE-2023-34039) in VMware Aria Operations for Networks–formerly known as vRealize Network Insight–that could result in a threat actor gaining access to the Aria Operations for Networks CLI by bypassing SSH authentication. The vulnerability was responsibly disclosed to VMware and has not been actively exploited in campaigns.

Arctic Wolf has been tracking multiple intrusions where Cisco VPN account credentials were harnessed by Akira ransomware for initial access. In a recent Cisco PSIRT advisory, Cisco stated they were aware of reports that Akira ransomware threat actors have been targeting Cisco VPNs that are not configured for multi-factor authentication to infiltrate organizations. Our case data supports the observation that affected accounts did not have MFA enabled.

Threat actor groups maintain dark web shame sites to negotiate ransoms with their victims, name them, and leak their data as punishment for not paying. These sites serve as a major tool for threatening victims and securing ransom payments but are not a precise record of global cyber attacks. However, there’s a lot to learn from the dark web behavior observed in the first half of this year to help contextualize the current threat landscape.

There’s a sentiment that has, unfortunately, taken hold in the field of cybersecurity: Users are the weakest part of your environment. You can see why some may try to paint that picture. The statistics would seem to back it up: However, there’s a deeper truth hiding behind these statistics: It’s not the employees who are the weakest part of your security environment, it’s the training they receive.

On August 21, 2023, Ivanti published a knowledge base article on a critical authentication bypass vulnerability impacting Ivanti Sentry (CVE-2023-38035). For this vulnerability to be exploited, the System Management Portal which is hosted on port 8443 by default must be exposed to the internet. Successful exploitation of this vulnerability could lead to a remote unauthenticated threat actor making configuration changes to the server and the underlying Operating System (OS) as root.

On August 14th, 2023, cybersecurity company Tenable released a research advisory detailing two stack-based buffer overflow vulnerabilities, collectively tracked as CVE-2023-32560, impacting Ivanti Avalanche products version 6.4.0 and older. A threat actor could remotely exploit the vulnerabilities without user authentication by specifying long data type items to overflow the buffer.

On August 17th, 2023, Juniper Networks released out-of-band fixes for multiple vulnerabilities that could be chained together to achieve unauthenticated remote code execution (RCE) on SRX and EX series devices. The vulnerabilities impact the J-Web component of Junos OS, the operating system running on the devices.