Exploiting Cisco Products' 0-Day Vulnerabilities for Infiltrating Government Networks

Cisco has warned that since November 2023, a group of “government hackers” has been exploiting two zero-day vulnerabilities in Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) perimeter network devices to compromise state networks worldwide.

Cisco Talos specialists track this group under the identifier UAT4356, classified by Microsoft as STORM-1849. The ongoing espionage campaign, which began in November 2023, is monitored by researchers under the moniker ArcaneDoor.

Cisco became aware of ArcaneDoor in early January 2024, when it found evidence that the attackers had been testing and developing exploits for these vulnerabilities since July 2023. Although Cisco has not yet determined the initial attack vector, the company reports that it has identified and patched the two issues exploited in the campaign: CVE-2024-20353 (denial of service) and CVE-2024-20359 (persistent local code execution). The attackers leveraged both bugs as 0-days.

The vulnerabilities allowed the attackers to plant previously unknown malware on victim systems and establish a foothold on compromised ASA and FTD devices.

The first, Line Dancer, is an in-memory shellcode loader that delivered and executed arbitrary payloads used to disable logging, provide remote access, and exfiltrate captured packets.

The second, a persistent backdoor named Line Runner, is equipped with multiple detection-evasion mechanisms and allowed the attackers to execute arbitrary Lua code on compromised systems.

“The perpetrators used specialized tools indicating a clear focus on espionage and deep knowledge of the compromised devices, which are distinctive characteristics of experienced state-sponsored actors,” Cisco writes. “As part of this campaign, UAT4356 deployed two backdoors, Line Runner and Line Dancer, which collectively were used to carry out malicious activities, including configuration changes, reconnaissance, network traffic interception/exfiltration, and likely lateral movement.”

Simultaneously with Cisco, the National Cyber Security Centre of the United Kingdom (NCSC), the Canadian Cyber Centre, and the Australian Cyber Security Centre (ACSC) issued a joint warning. The agencies stated that the attackers used the access they had gained to:

  • generate text versions of device configuration files for theft via web requests;
  • control the enabling and disabling of syslog service for masking additional commands;
  • alter authentication, authorization, and accounting (AAA) settings so that attacker-controlled devices matching a specified identifier could access the compromised environment.

As the company has already released updates to address both vulnerabilities, it strongly advises all customers to update their devices to prevent any potential attacks.

Cisco also recommends that administrators monitor system logs for unplanned reboots, unauthorized configuration changes, and suspicious activity involving credentials.
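As an added illustration (not part of Cisco's advisory or this article), the following script applies those monitoring recommendations, together with the behaviours the agencies listed above, to constructed ASA-style syslog lines: it flags commands that disable or re-enable syslog, AAA changes, configuration exports, and silent gaps in the log that could indicate logging being switched off or an unplanned reboot. The message ID 111008, the line layout, the sample lines and the 30-minute gap threshold are assumptions made for this example.

```python
import re
from datetime import datetime, timedelta

# Constructed ASA-style syslog lines (not real telemetry). Message ID 111008
# ("User 'x' executed the 'cmd' command.") is assumed to be the audit record
# the device emits for executed configuration commands.
SAMPLE_LOGS = """\
Apr 22 2024 10:00:01 fw1 %ASA-5-111008: User 'admin' executed the 'show version' command.
Apr 22 2024 10:05:10 fw1 %ASA-5-111008: User 'admin' executed the 'no logging enable' command.
Apr 22 2024 10:55:42 fw1 %ASA-5-111008: User 'admin' executed the 'logging enable' command.
Apr 22 2024 10:56:00 fw1 %ASA-5-111008: User 'admin' executed the 'aaa authentication ssh console LOCAL' command.
Apr 22 2024 10:56:30 fw1 %ASA-5-111008: User 'admin' executed the 'more system:running-config' command.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-(?P<sev>\d)-(?P<id>\d+): (?P<msg>.*)$"
)

# Each rule maps a finding category to a pattern over the executed-command text.
RULES = {
    "logging_disabled": re.compile(r"'no logging\b", re.I),
    "logging_reenabled": re.compile(r"'logging enable'", re.I),
    "aaa_change": re.compile(r"'(aaa |username )", re.I),
    "config_export": re.compile(r"'(show running-config|more system:running-config|copy running-config)", re.I),
}
MAX_GAP = timedelta(minutes=30)  # silence longer than this suggests disabled syslog or a reboot

def parse(line):
    """Split one syslog line into (timestamp, message id, message); None if not ASA format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
    return ts, m["id"], m["msg"]

def analyze(text, max_gap=MAX_GAP):
    """Return (category, timestamp, message) findings in log order."""
    findings, prev_ts = [], None
    for line in text.splitlines():
        parsed = parse(line)
        if parsed is None:
            continue  # lines that are not ASA syslog records are ignored here
        ts, _msg_id, msg = parsed
        if prev_ts is not None and ts - prev_ts > max_gap:
            findings.append(("log_gap", ts, f"{ts - prev_ts} since previous message"))
        for category, pattern in RULES.items():
            if pattern.search(msg):
                findings.append((category, ts, msg))
        prev_ts = ts
    return findings
```

Run against a real export, the gap rule needs a threshold tuned to the device's normal message rate, and the command patterns should be extended with whatever change-management commands are legitimate in the environment so that authorized changes can be filtered out.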
