State-Sponsored Threat Actor Exploits Cisco ASA Zero-Day Vulnerabilities (CVE-2024-20353, CVE-2024-20359)
Cisco Talos researchers have disclosed that a state-sponsored threat actor successfully compromised Cisco Adaptive Security Appliances (ASA) deployed on government networks worldwide using two zero-day vulnerabilities, identified as CVE-2024-20353 and CVE-2024-20359.
The attacks, attributed to the threat actor UAT4356 (tracked by Cisco Talos) and STORM-1849 (tracked by Microsoft), were first observed by a Cisco customer in early January 2024, although evidence suggests that the campaign began as early as November 2023, with indications of development efforts dating back to July 2023.
Custom Malware and Attack Vector
The campaign, named ArcaneDoor, uses two custom malware components, Line Dancer and Line Runner.
The threat actor leverages the ASA's host-scan-reply field to deliver malicious shellcode through the Line Dancer interpreter, bypassing authentication and interacting with the device via POST requests, thus evading traditional management interfaces.
Capabilities of the Malware
Line Dancer enables various malicious activities, including disabling syslog, exfiltrating configuration data and packet captures, executing CLI commands, and preventing crash dumps to hinder forensic analysis. Meanwhile, Line Runner exploits legacy ASA capabilities to deploy an HTTP-based Lua backdoor that persists across reboots and upgrades.
Mitigation and Response
Cisco has released patches for CVE-2024-20353 and CVE-2024-20359, along with indicators of compromise and Snort signatures. Organizations are urged to apply these patches immediately, as there are no viable workarounds for the vulnerabilities.
Additionally, organizations should monitor system logs for unauthorized configuration changes, unexpected reboots, and unusual credential activity. Cisco also issued a patch for CVE-2024-20358, which is unrelated to the ongoing attacks.
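The log review recommended above can be scripted. The following is an added example, not code from Cisco or from the advisory: it scans an exported ASA syslog feed for the four signals the text names (configuration changes by anyone outside an approved admin list, reboot markers, bursts of failed logins, and long silences in the log, since Line Dancer disables syslog). The timestamp layout, the message IDs and the sample lines are constructed approximations of ASA syslog, and `APPROVED_ADMINS` is a hypothetical allow-list; adjust all of them to the real export before use.

```python
"""Scan an exported Cisco ASA syslog feed for the activity the advisory says to watch.

Added example, not from Cisco's advisory. The timestamp layout and message IDs are
assumptions approximating ASA syslog; the sample log lines are constructed.
"""
import re
from datetime import datetime, timedelta

# Assumed line layout: "<Mon DD YYYY HH:MM:SS> %ASA-<sev>-<msgid>: <text>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}) "
    r"%ASA-\d-(?P<msgid>\d{6}): (?P<text>.*)$"
)

# Hypothetical allow-list of accounts expected to change configuration
APPROVED_ADMINS = {"netops"}

# Message IDs (assumed to follow the ASA convention) grouped by what they signal
CONFIG_CHANGE_IDS = {"111008", "111010"}   # command executed / configuration changed
LOGIN_DENIED_IDS = {"605004", "611102"}     # failed logins
REBOOT_MARKERS = ("reload", "Startup completed")

# Constructed sample export: a benign admin session, a failed-login burst from one
# source, logging switched off by an unexpected account, then a 6-hour silence
# ending in a startup message.
SAMPLE_LOG = """\
Jan 15 2024 03:10:02 %ASA-6-605005: Login permitted from 10.0.0.5/51012 to inside:10.0.0.1/ssh for user "netops"
Jan 15 2024 03:12:44 %ASA-5-111010: User 'netops', running 'CLI' from IP 10.0.0.5, executed 'logging host inside 10.0.0.9'
Jan 15 2024 03:13:01 %ASA-6-605004: Login denied from 203.0.113.7/44120 to outside:198.51.100.2/ssh for user "admin"
Jan 15 2024 03:13:05 %ASA-6-605004: Login denied from 203.0.113.7/44121 to outside:198.51.100.2/ssh for user "admin"
Jan 15 2024 03:13:09 %ASA-6-605004: Login denied from 203.0.113.7/44122 to outside:198.51.100.2/ssh for user "admin"
Jan 15 2024 03:14:30 %ASA-5-111008: User 'enable_15' executed the 'no logging enable' command.
Jan 15 2024 09:40:12 %ASA-6-199002: Startup completed. Beginning operation.
Jan 15 2024 09:41:00 %ASA-5-111008: User 'netops' executed the 'show version' command.
"""


def parse(line):
    """Split one syslog line into (timestamp, message id, text); None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S")
    return ts, m.group("msgid"), m.group("text")


def scan(lines, max_gap=timedelta(hours=1), failed_login_threshold=3):
    """Return a list of (category, detail) findings in the order they are observed."""
    findings = []
    prev_ts = None
    failed_by_source = {}
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, msgid, text = parsed

        # A long silence is itself a signal: the malware disables syslog on the box.
        if prev_ts is not None and ts - prev_ts > max_gap:
            findings.append(("syslog_gap", f"{prev_ts} -> {ts}"))
        prev_ts = ts

        # Configuration activity by an account outside the allow-list
        if msgid in CONFIG_CHANGE_IDS:
            user = re.search(r"User '([^']+)'", text)
            who = user.group(1) if user else "?"
            if who not in APPROVED_ADMINS:
                findings.append(("unauthorized_config_change", f"{who}: {text}"))

        # Reboot evidence, whether an explicit reload command or a startup banner
        if any(marker in text for marker in REBOOT_MARKERS):
            findings.append(("reboot", text))

        # Repeated failed logins from one source address
        if msgid in LOGIN_DENIED_IDS:
            src = re.search(r"from (\d+\.\d+\.\d+\.\d+)", text)
            key = src.group(1) if src else "?"
            failed_by_source[key] = failed_by_source.get(key, 0) + 1
            if failed_by_source[key] == failed_login_threshold:
                findings.append(("credential_abuse", f"{key}: {failed_by_source[key]} failed logins"))
    return findings


if __name__ == "__main__":
    for category, detail in scan(SAMPLE_LOG.splitlines()):
        print(f"[{category}] {detail}")
```

Running it on the constructed sample yields four findings: the failed-login burst from 203.0.113.7, the `no logging enable` command issued by an account outside the allow-list, the six-hour syslog gap that follows it, and the startup message that closes the gap. Feed it a real export (and a real allow-list) to triage the same signals on production devices.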
Collaborative Efforts and Targeted Attacks
Cisco researchers collaborated with Microsoft, Lumen Technologies, and government cybersecurity agencies from the US, Canada, Australia, and the UK to analyze these attacks. The threat actor's sophisticated tooling and specific targeting of devices indicate a clear focus on espionage and advanced knowledge of the targeted devices, consistent with state-sponsored activity.
ArcaneDoor is part of a broader trend of attacks targeting "edge" networking devices such as VPNs and firewalls, often attributed to Chinese state-sponsored actors. Cisco advises all organizations, regardless of their network equipment provider, to prioritize patching, centralized logging, and robust multi-factor authentication (MFA) to defend against similar threats and mitigate potential network compromises.
Key Takeaways
Gaining access to network devices allows threat actors to pivot into organizations, manipulate traffic, and monitor network communications, emphasizing the critical importance of securing network infrastructure against sophisticated threats like ArcaneDoor.