Cisco said that unidentified state-sponsored cyber spies have been exploiting zero-day vulnerabilities in its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls since November 2023 to break into government networks globally.
Cisco has not yet identified the initial attack vector. In a threat advisory, the vendor warned that the cyber actors had homed in on hacking network devices from Microsoft and other vendors. Wired reported that China is suspected of being behind the exploits.
The company said it discovered and has subsequently fixed two security flaws that the threat actors used as zero-days:
- CVE-2024-20353 (denial of service)
- CVE-2024-20359 (persistent local code execution)
To date, there are no workarounds to address either vulnerability. Cisco “strongly recommends” that all customers upgrade to fixed software versions.
Campaign Tracked as "ArcaneDoor"
Cisco Talos has dubbed the crew UAT4356 while Microsoft has identified it as STORM-1849. The campaign is being tracked as "ArcaneDoor."
Cisco first became aware of ArcaneDoor in January 2024 and assessed that the attackers had been preparing to exploit the two zero-days since at least six months before that.
Edge devices have become a vector for advanced attackers because they sit at the network’s perimeter and can be difficult to monitor. Indeed, in a joint advisory, the cybersecurity agencies of Australia, the United Kingdom and Canada said that the attacks are part of a larger trend of state-backed cyber spies targeting edge devices.
“ArcaneDoor is a campaign that is the latest example of state-sponsored actors targeting perimeter network devices from multiple vendors,” Cisco wrote in the blog post. It called perimeter network devices the “perfect intrusion point” for espionage campaigns.
“Gaining a foothold on these devices allows an actor to directly pivot into an organization, reroute or modify traffic and monitor network communications,” Cisco said.
UAT4356 deployed two backdoors, “Line Runner” and “Line Dancer,” which were used “collectively to conduct malicious actions on-target, which included configuration modification, reconnaissance, network traffic capture/exfiltration and potentially lateral movement,” Cisco wrote.
Cisco credited a “vigilant customer” with reporting to its Product Security Incident Response Team (PSIRT) and its Talos security arm to “discuss security concerns with their Cisco Adaptive Security Appliances (ASA).”
That prompted a months-long investigation involving several external intelligence partners, Cisco said.
The cyber crew used custom tooling that “demonstrated a clear focus on espionage and an in-depth knowledge of the devices that they targeted, hallmarks of a sophisticated state-sponsored actor,” Cisco wrote.
CISA Issues Alert
In an alert, the Cybersecurity and Infrastructure Security Agency (CISA) said it had "not confirmed evidence of this activity affecting U.S. government networks at this time."
CISA said it has added CVE-2024-20353 (denial of service) and CVE-2024-20359 (persistent local code execution) to its Known Exploited Vulnerabilities Catalog. The agency said it “strongly encourages” users and administrators to apply patches, “hunt for any malicious activity and report positive findings.”
CISA has directed all federal civilian agencies to apply the patches by May 1, 2024, signaling that it believes the vulnerabilities to be urgent.
Tom Kellermann, Contrast Security senior vice president of cyber strategy, said that cybersecurity companies are “increasingly targeted by nation states for the purposes of island hopping.”
He said it’s important to “remember that all cybersecurity companies develop software and in many cases they are not rigorous with their DevSecOps. This has been a banner year for zero days and thus runtime security must be implemented to mitigate the exposure.”