This advisory is for organizations that use Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls. If your organization does not use this platform, this notification may be discarded.
Summary
Cisco has observed activity consistent with a sophisticated attack chain that is likely attributable to state-sponsored actors. The attackers deployed custom malware on compromised devices and used it to execute commands. During its investigation of this activity, Cisco identified two vulnerabilities, both of which now have patches available.
The ArcaneDoor campaign, attributed to an actor tracked as UAT4356 by Cisco Talos and STORM-1849 by Microsoft Threat Intelligence Center, is a sophisticated state-sponsored espionage operation targeting network perimeter devices such as Cisco Adaptive Security Appliances (ASA). These devices are high-value targets because all traffic entering and leaving the network passes through them, so a compromised firewall can observe, modify or redirect that traffic without any endpoint noticing.
Cisco Talos was alerted in early 2024 by a customer to suspicious activity on an ASA device. Because Cisco is a major network infrastructure vendor, Talos has broad visibility into the state of deployed devices, and the alert initiated a months-long investigation with external partners that resulted in the discovery of two implants, "Line Runner" and "Line Dancer." Together these implants allow the attacker to modify the device configuration, perform reconnaissance, capture and exfiltrate network traffic, and potentially move laterally into the network behind the firewall.
The investigation uncovered two vulnerabilities, tracked as CVE-2024-20353 and CVE-2024-20359, which the attackers are believed to have used within the attack chain to deploy and persist their malware; the initial access vector has not been identified. Cisco advises customers to patch promptly following its security advisories, enforce strong multi-factor authentication (MFA) for device management and VPN access, and ensure device logging is configured correctly, in particular sending logs to a central, off-box collector so that evidence survives if the device is tampered with or reloaded.
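The following ASA configuration fragment is an added illustration of the "logging configured correctly" recommendation; it is not taken from the Cisco advisory or the Talos report. The interface name "inside", the collector address 192.0.2.10 and the NTP server 192.0.2.123 (both in the documentation address range) are assumed placeholders to be replaced with your own values.

```cisco
! Added illustration only; not from the Cisco advisory.
! "inside", 192.0.2.10 and 192.0.2.123 are assumed placeholders.
!
! Accurate, consistent timestamps so events from the firewall can be
! correlated with the syslog collector and other devices.
clock timezone UTC 0
ntp server 192.0.2.123 source inside
!
! Turn logging on, stamp every message, and identify the sending device.
logging enable
logging timestamp
logging device-id hostname
!
! Keep a local buffer for quick triage, but treat it as untrusted:
! an attacker with root on the device can clear or suppress it.
logging buffer-size 1048576
logging buffered informational
!
! Ship informational and above (which includes configuration changes,
! logins and reloads) to an off-box collector the attacker cannot reach
! from the firewall itself.
logging trap informational
logging facility 23
logging host inside 192.0.2.10
```

After applying it, confirm with "show logging" that the host and trap level are active and with "show ntp status" that the clock is synchronized. Because an implant running on the device can disable or filter local logging, the more important check lives on the collector: alert when the syslog stream from a firewall stops or when a device reports a reload that no change window explains.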
CVE-2024-20353 – Cisco Adaptive Security Appliance and Firepower Threat Defense Software Web Services Denial of Service Vulnerability
CVSSv3: 8.6
A vulnerability in the management and VPN web servers of Cisco ASA and FTD software could allow a remote, unauthenticated attacker to send a crafted request that causes the device to reload unexpectedly. Beyond the resulting denial of service (DoS) condition, a forced reload gives an attacker who has already staged malware on the device an opportunity to have it loaded during the boot process, which is why Cisco associates this vulnerability with loading malware and establishing persistence rather than with DoS alone.
CVE-2024-20359 - Cisco Adaptive Security Appliance and Firepower Threat Defense Software Persistent Local Code Execution Vulnerability
CVSSv3: 6.0
A vulnerability in a legacy capability of Cisco ASA and FTD software that allowed VPN clients and plug-ins to be preloaded from the device's flash storage could allow an authenticated, local attacker to execute arbitrary code with root-level privileges. Administrator-level privileges are required to exploit this vulnerability, so it is not an initial-access issue; its value to an attacker is that code placed on the device's flash is executed each time the device boots, which makes it a persistence mechanism that survives reboots.
Affected Platforms
Vulnerable ASA and FTD products are identified by having a vulnerable configuration rather than by a specific version number, so each device must be assessed individually. Consult the Cisco security advisory for each CVE, which describes the vulnerable configurations and lists the first fixed release for each software train, and use the Cisco Software Checker referenced in those advisories to confirm whether a device's running release is fixed.
A full list of recommendations and currently known IOCs are provided by Talos Intelligence at: https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/
Additional Resources
https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_attacks_event_response