Skip to content

Unveiling Akira: Persistent Threat Exploiting CVE-2020-3259 Demands Urgent Action 


Akira, the notorious cyber threat group, continues to unleash turmoil across Europe, leaving a trail of compromised systems and vulnerable infrastructures in its wake. In a recent advisory, the Cybersecurity and Infrastructure Security Agency (CISA) has sounded the alarm on the group’s exploitation of the CVE-2020-3259 vulnerability, urging organizations to patch their systems immediately. 

Despite the vulnerability being identified over three years ago, research by our Threat Intelligence Team at NTT Security reveals a shocking truth. More than 400 devices in Europe remain susceptible to Akira’s malicious activities. With the threat landscape evolving rapidly, the imperative to fortify defences and safeguard against cyber intrusions has never been more pressing. 

Akira’s Campaign focusing on Nordic countries 

Within just the first two months of 2024, Akira seized headlines with its impactful assaults on numerous Nordic organizations, notably targeting TietoEvry and Kalmar kommun. The repercussions reverberated widely, with over 120 organizations bearing the brunt of the TietoEvry attack alone.  Focused primarily on Nordic countries, Akira’s reach extends far beyond geographical boundaries, posing a significant threat to organizations worldwide. Leveraging vulnerabilities such as CVE-2020-3259, Akira infiltrates networks with alarming efficiency, exploiting weaknesses in internet-facing devices to gain unauthorized access. 

Since the emergence of Akira ransomware in March 2023, the group has directly impacted over 150 organizations. Impressively, in February 2024 alone, Akira infiltrated the systems of more than 20 organizations, signaling a formidable force in the cybersecurity landscape.

What is CVE-2020-3259? 

A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software, could allow an unauthenticated, remote attacker to retrieve memory contents on an affected device. If exploited, this vulnerability could result in the exposure of confidential information, including plaintext usernames and passwords stored in memory. This could enable unauthorized remote access to the device, compromising its security and potentially leading to further exploitation or data breaches. 

Research by the Threat Intelligence Team at NTT Security  

Our investigation into the prevalence of CVE-2020-3259 reveals a disturbing reality: despite being a known vulnerability for over three years, hundreds of devices across Europe remain vulnerable to Akira’s exploitation. With 616 devices identified in European countries, including 423 outside the Commonwealth of Independent States (CIS), the scale of the threat cannot be overstated. 

Heatmap illustrating the distribution of vulnerable devices across European countries (excluding CIS countries) 

It is worth noting that our exclusion of CIS countries from the analysis is due to the Russian-origin cybercrime gang’s avoidance of targeting these regions. This is a common strategy from Russian or east-European based threat actors to avoid interest and pressure from local law-enforcement. However, the threat posed by Akira persists, with evidence suggesting active exploitation of CVE-2020-3259 on a global scale. 

It is urgent for organizations to patch their systems 

The urgency of the situation is underscored by CISA’s advisory, urging organizations to patch their systems immediately to mitigate the risk of falling victim to Akira’s malicious activities. Despite intensive efforts to raise awareness and promote cybersecurity best practices, over 1000 devices worldwide remain vulnerable to this three-year-old vulnerability. 

Key take away from the investigation 

In conclusion, the threat posed by Akira and its exploitation of CVE-2020-3259 serves as an important reminder of the ever-present danger of cyber attacks. As organizations cope with increasingly sophisticated threats, the importance of proactive cybersecurity measures cannot be overstated. By prioritizing patching of internet-facing devices and remaining vigilant against emerging threats, organizations can strengthen their defences and safeguard against the pervasive threat of cyber intrusion.  

Our urgent recommendation

Patch all your Cisco Internet Facing Devices using this patch

Are you unsure if your business is safe and protected from cybercriminals? Let’s talk. 

By taking proactive measures and remaining vigilant, we can collectively defend against cyber threats and safeguard sensitive data from exploitation. Let’s prioritize cybersecurity and work together to ensure a safer digital environment for all. Fill in the form and we’ll contact you.