April 25, 2024CVE-2024-20358 – Cisco Adaptive Security Appliance and Firepower Threat Defense Software Vulnerability
April 25, 2024
Severity
High
Analysis Summary
A recently disclosed espionage campaign exploited two zero-day vulnerabilities in Cisco firewall appliances to deploy custom malware and covertly collect data from target environments.
Cisco Talos, which tracks the threat actor as UAT4356 (Microsoft tracks it as Storm-1849), named the campaign ArcaneDoor and attributed it to a previously unreported, sophisticated state-sponsored actor. UAT4356 deployed two backdoors, 'Line Runner' and 'Line Dancer', and used them for malicious actions on the compromised devices, including configuration modification, reconnaissance, network traffic capture and exfiltration, and potentially lateral movement.
The intrusions were identified and confirmed in early January 2024 and involved exploitation of two vulnerabilities:
- CVE-2024-20353 (CVSS: 8.6): Denial-of-service vulnerability in the web services of Cisco Adaptive Security Appliance and Firepower Threat Defense Software.
- CVE-2024-20359 (CVSS: 6.0): Persistent local code execution vulnerability in Cisco Adaptive Security Appliance and Firepower Threat Defense Software.
A zero-day is a vulnerability that an attacker exploits before the vendor has released a fix, so no patch was available to defenders while these attacks were underway. CVE-2024-20359 requires administrator-level privileges to exploit, but a local attacker who has them can execute arbitrary code with root-level privileges, and that code persists across reboots. Cisco's fixes also address a third issue found during internal security testing, CVE-2024-20358 (CVSS score: 6.0), a command injection vulnerability in the same products.
It is not yet known which initial access vector was used to breach the devices, although UAT4356 is reported to have been preparing the operation as early as July 2023. After gaining a foothold, the actor deploys two implants, Line Dancer and Line Runner. Line Dancer is an in-memory backdoor that lets the attacker upload and execute arbitrary shellcode payloads; observed uses include creating and exfiltrating packet captures and disabling system logging.
Line Runner, by contrast, is a persistent HTTP-based Lua implant on the Cisco Adaptive Security Appliance (ASA) that exploits CVE-2024-20359, the persistent local code execution flaw described above, to survive reboots and software upgrades. It has been observed retrieving data staged by Line Dancer. Line Runner may be present on a compromised device even when Line Dancer is not, either as a standalone persistent backdoor or because the actor has not yet turned its full attention to that particular ASA.
UAT4356 added to the attack's sophistication and stealth by carefully covering its tracks at every stage and by using advanced techniques to defeat memory forensics and reduce the chance of detection. This suggests the actor understands both the internal workings of the ASA and the forensic procedures Cisco commonly uses to validate network device integrity.
It is not known which nation state is behind ArcaneDoor, although state-sponsored actors from China and Russia have previously targeted Cisco network devices for cyber espionage. Cisco Talos also did not disclose how many customers were affected. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, and federal agencies are required to apply the vendor-provided fixes by May 1, 2024.
The recent spate of attacks against Barracuda Networks, Fortinet, Ivanti, Palo Alto Networks, and VMware products shows why edge devices and platforms such as email servers, firewalls, and VPNs are attractive targets: endpoint detection and response (EDR) agents typically cannot be installed on them, so the host-level visibility defenders rely on elsewhere is absent.
Perimeter devices are ideal entry points for espionage-focused operations. Because they sit on the critical path for data entering and leaving the network, they must be patched promptly and regularly, run the latest supported hardware and software versions with hardened configurations, and be actively monitored from a security standpoint. An actor who controls such a device can pivot directly into the organization, divert or modify traffic, and monitor network communications.
Impact
- Sensitive Data Theft
- Denial of Service
- Code Execution
- Cyber Espionage
Indicators of Compromise
IP
- 192.36.57.181
- 185.167.60.85
- 185.227.111.17
- 176.31.18.153
- 172.105.90.154
- 185.244.210.120
- 45.86.163.224
Remediation
- Refer to the Cisco Security Advisory for patch, upgrade, or suggested workaround information, and apply the fixed software release to every affected ASA and FTD device.
- Because Line Dancer runs only in memory, rebooting a device destroys that evidence; if compromise is suspected, collect forensic evidence following Cisco's published guidance before rebooting or upgrading the device.
- Block all threat indicators at your respective controls.
- Search for the indicators of compromise (IOCs) in your environment, including firewall, VPN, and syslog records, using your respective security controls.
- Implement multi-factor authentication to add an extra layer of security to login processes, and restrict administrative access to the appliances to trusted management networks.
- Regularly monitor network activity for unusual behavior, which may indicate that an attack is underway.
- Stay vigilant and follow cybersecurity best practices, including keeping software up to date and enforcing strong access controls and monitoring tools.
- Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
- Maintain regular backups of critical data and systems to ensure recovery in case of a security incident.
- Adhere to the principle of least privilege, ensuring that users and applications have only the permissions they need.
- Establish a robust patch management process so that security patches are evaluated, tested, and applied promptly.
- Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
- Implement network segmentation to contain and isolate potential threats and limit their impact on critical systems.
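The following is an added example, not code from this advisory or from Cisco, showing how a practitioner might act on the two indicator-related recommendations above: sweep ASA syslog output for the campaign's indicator IPs and generate an ASA object-group that can be referenced in an access-list to block them. The syslog lines are constructed for the example and are not real logs; the object-group name ARCANEDOOR_C2 is an arbitrary choice.

```python
import ipaddress
import re
from dataclasses import dataclass

# Indicator IPs from the IOC list on this page.
ARCANEDOOR_IPS = [
    "192.36.57.181",
    "185.167.60.85",
    "185.227.111.17",
    "176.31.18.153",
    "172.105.90.154",
    "185.244.210.120",
    "45.86.163.224",
]

# Constructed sample ASA syslog lines (not real logs). Lines 2 and 3 involve an IOC.
SAMPLE_LOGS = [
    "Apr 24 2024 10:01:02 asa-edge-01 %ASA-6-302013: Built inbound TCP connection 8812 "
    "for outside:203.0.113.7/51234 (203.0.113.7/51234) to inside:10.10.1.5/443 (10.10.1.5/443)",
    "Apr 24 2024 10:01:09 asa-edge-01 %ASA-6-302013: Built outbound TCP connection 8813 "
    "for outside:185.167.60.85/443 (185.167.60.85/443) to inside:10.10.1.5/49152 (10.10.1.5/49152)",
    "Apr 24 2024 10:02:44 asa-edge-01 %ASA-4-106023: Deny tcp src outside:45.86.163.224/40000 "
    "dst inside:10.10.1.9/22 by access-group \"outside_in\"",
    "Apr 24 2024 10:03:00 asa-edge-01 %ASA-6-302014: Teardown TCP connection 8812 "
    "for outside:203.0.113.7/51234 to inside:10.10.1.5/443 duration 0:00:58 bytes 1432 TCP FINs",
]

# Loose dotted-quad matcher; ipaddress validation below rejects octets above 255.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


@dataclass(frozen=True)
class Hit:
    line_no: int   # 1-based index into the scanned log
    indicator: str
    line: str


def load_indicators(raw):
    """Validate indicator strings into ip_address objects, silently dropping malformed entries."""
    out = set()
    for s in raw:
        try:
            out.add(ipaddress.ip_address(s.strip()))
        except ValueError:
            continue
    return out


def find_ioc_hits(lines, indicators):
    """Return one Hit per (line, indicator) pair; a repeated IP on one line is reported once."""
    hits = []
    for n, line in enumerate(lines, 1):
        seen = set()
        for candidate in IPV4_RE.findall(line):
            try:
                ip = ipaddress.ip_address(candidate)
            except ValueError:
                continue  # e.g. "999.1.1.1" passes the regex but is not an address
            if ip in indicators and ip not in seen:
                seen.add(ip)
                hits.append(Hit(n, str(ip), line))
    return hits


def asa_object_group(name, indicators):
    """Render an ASA network object-group for use in an access-list deny entry."""
    ordered = sorted(indicators, key=lambda ip: (ip.version, int(ip)))
    body = [f"object-group network {name}"]
    body.extend(f" network-object host {ip}" for ip in ordered)
    return "\n".join(body)


if __name__ == "__main__":
    iocs = load_indicators(ARCANEDOOR_IPS)
    for hit in find_ioc_hits(SAMPLE_LOGS, iocs):
        print(f"line {hit.line_no}: {hit.indicator} -> {hit.line}")
    print(asa_object_group("ARCANEDOOR_C2", iocs))
```

Run it against exported syslog instead of SAMPLE_LOGS to sweep real data; the object-group output is meant to be pasted into the ASA configuration and referenced from an inbound and an outbound deny rule, since the observed activity included both connections to the appliance and exfiltration from it.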