Summary: Cisco has warned that a state-backed hacking group has been exploiting two zero-day vulnerabilities in its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls since November 2023 to breach government networks worldwide.
Threat Actor: UAT4356
Victim: Government networks worldwide
Key Points:
- A state-backed hacking group, UAT4356, has been exploiting two zero-day vulnerabilities in Cisco’s ASA and FTD firewalls to breach government networks worldwide.
- The vulnerabilities allowed the threat actors to deploy previously unknown malware, including Line Dancer and Line Runner, to disable logging, provide remote access, and exfiltrate captured packets.
- Cisco has released security updates to fix the zero-days and urges customers to upgrade their devices to block any incoming attacks.
Cisco warned today that a state-backed hacking group has been exploiting two zero-day vulnerabilities in Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls since November 2023 to breach government networks worldwide.
The hackers, identified as UAT4356 by Cisco Talos and STORM-1849 by Microsoft, began infiltrating vulnerable edge devices in early November 2023 in a cyber-espionage campaign tracked as ArcaneDoor.
Even though Cisco has not yet identified the initial attack vector, it discovered and fixed two security flaws—CVE-2024-20353 (denial of service) and CVE-2024-20359 (persistent local code execution)—that the threat actors used as zero-days in these attacks.
Cisco became aware of the ArcaneDoor campaign in early January 2024 and found evidence that the attackers had tested and developed exploits to target the two zero-days since at least July 2023.
Exploited to backdoor Cisco firewalls
The two vulnerabilities allowed threat actors to deploy previously unknown malware and maintain persistence on compromised ASA and FTD devices.
One of the malware implants, Line Dancer, is an in-memory shellcode loader that helps deliver and execute arbitrary shellcode payloads to disable logging, provide remote access, and exfiltrate captured packets.
The second implant, a persistent backdoor named Line Runner, comes with multiple defense evasion mechanisms to avoid detection and allows the attackers to run arbitrary Lua code on the hacked systems.
“This actor utilized bespoke tooling that demonstrated a clear focus on espionage and an in-depth knowledge of the devices that they targeted, hallmarks of a sophisticated state-sponsored actor,” Cisco said.
“UAT4356 deployed two backdoors as components of this campaign, ‘Line Runner’ and ‘Line Dancer,’ which were used collectively to conduct malicious actions on-target, which included configuration modification, reconnaissance, network traffic capture/exfiltration and potentially lateral movement.”
A joint advisory published today by the UK’s National Cyber Security Centre (NCSC), the Canadian Centre for Cyber Security (Cyber Centre), and the Australian Signals Directorate’s Australian Cyber Security Centre says the malicious actors used their access to:
- generate text versions of the device’s configuration file so that it could be exfiltrated through web requests.
- control the enabling and disabling of the device's syslog service to obfuscate additional commands.
- modify the authentication, authorization and accounting (AAA) configuration so that specific actor-controlled devices matching a particular identification could be provided access within the impacted environment.
Cisco urges customers to upgrade
The company released security updates on Wednesday to fix the two zero-days and now “strongly recommends” that all customers upgrade their devices to fixed software to block any incoming attacks.
Cisco admins are also “strongly encouraged” to monitor system logs for any signs of unscheduled reboots, unauthorized configuration changes, or suspicious credential activity.
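As an added example (not part of the article, of the joint advisory, or of Cisco's own guidance), the following Python script applies that monitoring advice to a handful of constructed ASA syslog lines. It flags commands that toggle the syslog service, change AAA configuration or dump the running configuration (the three actions the advisory attributes to the actor), flags a device startup message not preceded by an operator-issued `reload` (relevant because CVE-2024-20353 is a denial-of-service flaw), and counts repeated AAA rejections per user and source address. The message IDs (111008, 111010, 113015, 199002) are Cisco's documented ASA syslog IDs; the hostnames, addresses, users, timestamps, command patterns and the failure threshold are assumptions to tune for your own environment.

```python
import re
from collections import Counter

# Constructed sample ASA syslog lines for this example (not from the article or from Cisco).
# The message IDs follow Cisco's documented ASA formats; hosts, users, IPs and times are invented.
SAMPLE_LOG = """\
Nov 12 2023 02:14:03 fw-edge-1 : %ASA-6-605005: Login permitted from 203.0.113.45/51122 to outside:192.0.2.10/ssh for user "admin"
Nov 12 2023 02:14:20 fw-edge-1 : %ASA-5-111010: User 'admin', running 'CLI' from IP 203.0.113.45, executed 'no logging enable'
Nov 12 2023 02:15:01 fw-edge-1 : %ASA-5-111010: User 'admin', running 'CLI' from IP 203.0.113.45, executed 'aaa authentication ssh console LOCAL'
Nov 12 2023 02:15:40 fw-edge-1 : %ASA-5-111010: User 'admin', running 'CLI' from IP 203.0.113.45, executed 'more system:running-config'
Nov 12 2023 02:16:05 fw-edge-1 : %ASA-5-111010: User 'admin', running 'CLI' from IP 203.0.113.45, executed 'logging enable'
Nov 12 2023 03:40:11 fw-edge-1 : %ASA-6-199002: Startup completed. Beginning operation.
Nov 12 2023 03:41:00 fw-edge-1 : %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = admin : user IP = 198.51.100.7
Nov 12 2023 03:41:02 fw-edge-1 : %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = admin : user IP = 198.51.100.7
Nov 12 2023 03:41:04 fw-edge-1 : %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = admin : user IP = 198.51.100.7
Nov 12 2023 03:41:06 fw-edge-1 : %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = admin : user IP = 198.51.100.7
Nov 12 2023 03:41:08 fw-edge-1 : %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = admin : user IP = 198.51.100.7
Nov 12 2023 09:00:00 fw-edge-1 : %ASA-5-111010: User 'netops', running 'CLI' from IP 10.0.0.5, executed 'show version'
"""

# Generic ASA message prefix: %ASA-<severity>-<six-digit id>: <body>
MSG_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<body>.*)$")
# 111010: User 'u', running 'app' from IP x, executed 'cmd'
CMD_111010_RE = re.compile(r"User '(?P<user>[^']+)', running '[^']+' from IP (?P<ip>\S+), executed '(?P<cmd>.*)'$")
# 111008: User 'u' executed the 'cmd' command.
CMD_111008_RE = re.compile(r"User '(?P<user>[^']+)' executed the '(?P<cmd>.*)' command")
# 113015: AAA user authentication Rejected : ... : user = u : user IP = x
AUTH_FAIL_RE = re.compile(r"user = (?P<user>\S+) : user IP = (?P<ip>\S+)")

# Command patterns mapped to the advisory's three actor behaviours (assumed heuristics, tune locally).
COMMAND_RULES = [
    ("syslog_toggled", re.compile(r"^(no )?logging\b")),
    ("aaa_modified", re.compile(r"^(no )?aaa\b")),
    ("config_dumped", re.compile(r"^(more system:running-config|show (running|startup)-config|copy .*running-config)")),
]


def classify_command(cmd):
    """Return the rule name a CLI command trips, or None if it is uninteresting."""
    for rule, pattern in COMMAND_RULES:
        if pattern.match(cmd):
            return rule
    return None


def analyze(log_text, auth_fail_threshold=5):
    """Scan ASA syslog text and return a list of findings (dicts with a 'rule' key)."""
    findings = []
    auth_failures = Counter()
    operator_reload_pending = False  # set when an admin issued 'reload'; clears the next startup message
    for line_no, line in enumerate(log_text.splitlines(), 1):
        m = MSG_RE.search(line)
        if not m:
            continue
        msg_id, body = m.group("id"), m.group("body")
        if msg_id in ("111008", "111010"):
            cm = (CMD_111010_RE if msg_id == "111010" else CMD_111008_RE).search(body)
            if not cm:
                continue
            cmd = cm.group("cmd").strip()
            if cmd.startswith("reload"):
                operator_reload_pending = True
            rule = classify_command(cmd)
            if rule:
                findings.append({"rule": rule, "line_no": line_no, "user": cm.group("user"), "detail": cmd})
        elif msg_id == "199002":
            # Startup completed: expected only if an operator reload was logged beforehand.
            if operator_reload_pending:
                operator_reload_pending = False
            else:
                findings.append({"rule": "unexpected_reboot", "line_no": line_no, "user": None, "detail": body})
        elif msg_id == "113015":
            am = AUTH_FAIL_RE.search(body)
            if am:
                auth_failures[(am.group("user"), am.group("ip"))] += 1
    for (user, ip), n in auth_failures.items():
        if n >= auth_fail_threshold:
            findings.append({"rule": "repeated_auth_failures", "line_no": None, "user": user,
                             "detail": f"{n} rejected logins from {ip}"})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f['rule']}] line={f['line_no']} user={f['user']} {f['detail']}")
```

Run against the sample, the script reports the logging-off/logging-on pair, the AAA change, the configuration dump, the startup with no preceding `reload`, and the burst of rejected logins; the routine `show version` from the operations user produces nothing. Because the actor disabled syslog before issuing further commands, the absence of messages between a `no logging enable` and the matching `logging enable` is itself the signal, which is why these logs need to reach a central collector rather than stay on the device.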
“Regardless of your network equipment provider, now is the time to ensure that the devices are properly patched, logging to a central, secure location, and configured to have strong, multi-factor authentication (MFA),” the company added.
Cisco also provides instructions on verifying the integrity of ASA or FTD devices in its advisory.
Earlier this month, Cisco warned of large-scale brute-force attacks targeting VPN and SSH services on Cisco, CheckPoint, Fortinet, SonicWall, and Ubiquiti devices worldwide.
In March, it also shared guidance on mitigating password-spraying attacks targeting Remote Access VPN (RAVPN) services configured on Cisco Secure Firewall devices.