    Unlocking Government Secrets: How ArcaneDoor Hackers Used Cisco Zero-Days to Break In

    Update on Cisco Security: State-Backed Hackers Exploit Zero-Day Vulnerabilities

    Cisco, one of the world’s leading technology and networking companies, has issued a warning regarding an ongoing cyber-espionage campaign. According to the company, a state-backed hacking group has been using two previously unknown vulnerabilities in Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls to access government networks around the globe since November of 2023.

    The hackers, tracked as UAT4356 by Cisco Talos and as STORM-1849 by Microsoft, began their infiltration in early November 2023 in a campaign that Cisco calls ArcaneDoor.

    Although the initial attack vector has not been identified, Cisco discovered and addressed two security flaws (CVE-2024-20353 and CVE-2024-20359) that allowed the attackers to remotely execute malicious code and initiate a denial of service on the compromised devices. These exploits were used as zero-days by the malicious actors.

    Cisco became aware of the ArcaneDoor campaign in January of 2024 and found evidence that the hackers had been working on these exploits since at least July of 2023.

    Exploited Vulnerabilities Used to Backdoor Cisco Firewalls

    These two zero-day vulnerabilities allowed the hackers to implant previously unknown malware on compromised ASA and FTD devices. One of the malware implants, known as Line Dancer, facilitates the delivery and execution of arbitrary shellcode payloads, enabling the hackers to disable logging, establish remote access, and exfiltrate captured packets.

    The second implant, named Line Runner, is a persistent backdoor designed to evade detection and allow the threat actors to run arbitrary Lua code on the compromised systems.

    In a statement, Cisco said, “This actor utilized bespoke tooling that demonstrated a clear focus on espionage and an in-depth knowledge of the devices that they targeted, hallmarks of a sophisticated state-sponsored actor.”

    The hackers used their access to the compromised devices to perform various actions, including modifying configurations, conducting reconnaissance, capturing and exfiltrating network traffic, and potentially moving laterally within the network.

    The UK’s National Cyber Security Centre (NCSC), the Canadian Centre for Cyber Security (Cyber Centre), and the Australian Signals Directorate’s Australian Cyber Security Centre released a joint advisory today, stating that the hackers used their access to:

    • Generate text versions of the device’s configuration file and exfiltrate it through web requests.
    • Disable the devices’ syslog service to conceal additional commands.
    • Modify the authentication, authorization, and accounting (AAA) configurations to allow access for specific devices controlled by the hackers within the affected environment.

    Upgrade Recommended by Cisco

    Cisco promptly released security updates on Wednesday to address the two zero-day vulnerabilities and is now “strongly recommending” that all customers upgrade their devices to the fixed software to prevent any further attacks.

    The company also encourages administrators to closely monitor system logs for any unusual activity, such as unscheduled reboots, unauthorized configuration changes, or suspicious credential activity.

    Cisco also advises all network equipment providers to ensure their devices are properly patched, configured to log to a secure central location, and protected with strong, multi-factor authentication (MFA).
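    The advisory bullets above and the log-monitoring advice describe concrete, observable behaviour: a firewall that stops sending syslog, AAA configuration changes, and unscheduled reloads. The following example, added to this article and not code from Cisco or the advisory, runs a simple detector over constructed syslog lines; the line format and message texts are approximations, the host names are invented, and the 30-minute silence threshold is an assumption to tune per environment.

```python
"""Flag firewall behaviour matching the ArcaneDoor advisory in syslog.

Example code added to this article. The sample lines are constructed
approximations of firewall syslog output, not real Cisco device logs.
"""
from datetime import datetime, timedelta
import re

# Constructed sample: "<ISO timestamp> <host> <message>", two devices.
SAMPLE_LOGS = """\
2024-01-10T09:00:00 fw-edge1 %ASA-6-302013: Built outbound TCP connection
2024-01-10T09:00:30 fw-edge1 %ASA-6-302013: Built outbound TCP connection
2024-01-10T09:01:00 fw-edge1 %ASA-5-111008: User 'admin' executed the 'no logging enable' command.
2024-01-10T11:30:00 fw-edge1 %ASA-5-111008: User 'admin' executed the 'aaa authentication ssh console LOCAL' command.
2024-01-10T11:31:00 fw-edge1 %ASA-5-111008: User 'admin' executed the 'reload' command.
2024-01-10T09:00:00 fw-edge2 %ASA-6-302013: Built outbound TCP connection
2024-01-10T09:00:30 fw-edge2 %ASA-6-302013: Built outbound TCP connection
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")
CMD_RE = re.compile(r"executed the '([^']*)' command")

# Executed-command patterns that match the tradecraft in the joint advisory.
SUSPICIOUS_CMDS = {
    "logging disabled": re.compile(r"^no logging\b"),
    "AAA config change": re.compile(r"^aaa\b"),
    "reboot": re.compile(r"^reload\b"),
}

def parse(log_text):
    """Return (timestamp, host, message) tuples; skip unparseable lines."""
    events = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return events

def analyze(log_text, max_gap=timedelta(minutes=30)):
    """Return (host, finding, detail) tuples: suspicious commands, per-host
    silences longer than max_gap, and hosts still silent at window end."""
    findings, last_seen = [], {}
    events = sorted(parse(log_text))
    for ts, host, msg in events:
        prev = last_seen.get(host)
        if prev is not None and ts - prev > max_gap:
            findings.append((host, "logging gap", f"{ts - prev} silent before {ts.isoformat()}"))
        last_seen[host] = ts
        cmd = CMD_RE.search(msg)
        if cmd:
            for label, pat in SUSPICIOUS_CMDS.items():
                if pat.search(cmd.group(1)):
                    findings.append((host, label, cmd.group(1)))
    # A device whose syslog was switched off simply stops appearing: check
    # every host against the end of the observed window, not just its neighbours.
    window_end = max(ts for ts, _, _ in events) if events else None
    for host, ts in last_seen.items():
        if window_end - ts > max_gap:
            findings.append((host, "gone silent", f"last message {ts.isoformat()}"))
    return findings

if __name__ == "__main__":
    for host, label, detail in analyze(SAMPLE_LOGS):
        print(f"{host}: {label}: {detail}")
```

    In a real deployment the log source would be the central collector the article recommends, since a device that has had its own syslog disabled can no longer report on itself.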

    The company has also provided instructions on how to verify the integrity of ASA or FTD devices in its advisory.

    Earlier this month, Cisco warned of large-scale brute-force attacks targeting VPN and SSH services on Cisco, Check Point, Fortinet, SonicWall, and Ubiquiti devices worldwide.

    In March, Cisco also shared guidance on mitigating password-spraying attacks targeting Remote Access VPN (RAVPN) services configured on Cisco Secure Firewall devices.
