GossiTheDog, 3 months ago Two days ago, mass exploitation of Cisco AnyConnect CVE-2020-3580 began, per @greynoise data. It’s another Positive Technologies vuln. SAML auth requests. 77 IP addresses are hammering the internet now. https://viz.greynoise.io/query?gnql=tags%3A%22Cisco%20ASA%20XSS%20Attempt%22 This isn’t to be confused with the other 2020 AnyConnect CVE being used by Akira ransomware group. There are now three Cisco ASA vulns being used by Akira and Lockbit. #threatintel
Two days ago, mass exploitation of Cisco AnyConnect CVE-2020-3580 began, per @greynoise data. It’s another Positive Technologies vuln. SAML auth requests.
77 IP addresses are hammering the internet now. https://viz.greynoise.io/query?gnql=tags%3A%22Cisco%20ASA%20XSS%20Attempt%22
This isn’t to be confused with the other 2020 AnyConnect CVE being used by Akira ransomware group.
There are now three Cisco ASA vulns being used by Akira and Lockbit. #threatintel
DavidPenington, 3 months ago @GossiTheDog Does this AnyConnect vulnerability have any association with the CitrixBleed Netscaler vulnerability?
@GossiTheDog Does this AnyConnect vulnerability have any association with the CitrixBleed Netscaler vulnerability?
GossiTheDog, 3 months ago It looks like the IPs involved may be linked to a ransomware group. I think what they're doing is fingerprinting patching status of AnyConnect.
It looks like the IPs involved may be linked to a ransomware group. I think what they're doing is fingerprinting patching status of AnyConnect.
barunick, 3 months ago @GossiTheDog @greynoise well that’s certainly interesting. Thanks for the heads up! #threatintel
@GossiTheDog @greynoise well that’s certainly interesting. Thanks for the heads up! #threatintel
Add comment