Attacks Against Cisco Firewall Platforms

In early 2024, the Cisco Product Security Incident Response Team (PSIRT) became aware of zero-day attacks that were targeting certain devices that were running Cisco Adaptive Security Appliance (ASA) Software or Cisco Firepower Threat Defense (FTD) Software to implant malware, execute commands, and potentially exfiltrate data from the compromised devices.

A zero-day exploit is the technique or attack a malicious actor uses to leverage a previously unknown security vulnerability to gain access to a system.

This attack campaign has been named ArcaneDoor, and although Cisco has not yet identified the initial attack vector, the software updates identified in the advisories in the following table address software weaknesses that could allow an attacker to implant malware and obtain persistence on an affected device.

Of these software weaknesses, CVE-2024-20353 and CVE-2024-20359 were used by the attacker in this attack campaign to deliver custom malware and facilitate covert data collection on target environments. Cisco strongly recommends that all customers upgrade to fixed software versions.

Cisco Talos, which has named the activity ArcaneDoor, attributed it to a previously undocumented, sophisticated state-sponsored actor it tracks under the name UAT4356 (tracked as Storm-1849 by Microsoft). Britain's National Cyber Security Centre (NCSC) has also published a joint advisory and two malware analysis reports to help network defenders detect and mitigate malicious activity associated with these vulnerabilities.

Cisco has published details of three vulnerabilities affecting its ASA and FTD devices:

  • CVE-2024-20353: A vulnerability in the management and VPN web servers for Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) software could allow an unauthenticated remote attacker to cause the device to reload unexpectedly, resulting in a denial of service (DoS) condition.
  • CVE-2024-20358: A vulnerability in the Cisco Adaptive Security Appliance (ASA) restore functionality available in Cisco ASA Software and Firepower Threat Defense (FTD) software could allow an authenticated local attacker to execute arbitrary commands on the underlying operating system with root-level privileges. Administrator-level privileges are required to exploit this vulnerability.
  • CVE-2024-20359: A vulnerability in a legacy capability that allowed for the preloading of VPN clients and plug-ins, which has been available in Cisco Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) software, could allow an authenticated local attacker to execute arbitrary code with root-level privileges. Administrator-level privileges are required to exploit this vulnerability.

While CVE-2024-20359 allows a local attacker to execute arbitrary code with root-level privileges, administrator-level privileges are required to exploit it. Addressed alongside CVE-2024-20353 and CVE-2024-20359 is a command injection flaw in the same appliance, CVE-2024-20358, which was uncovered during internal security testing.

The US Cybersecurity and Infrastructure Security Agency (CISA) has now added the shortcomings to its Known Exploited Vulnerabilities catalogue, requiring federal agencies to apply the vendor-provided fixes by May 1, 2024.

The NCSC recommends following vendor best practice advice to mitigate these vulnerabilities. In this case, if you use Cisco ASA or Cisco FTD, you should take these priority actions:

  • Monitor the vendor advisory and install the security update once it is available for your version.
  • Carry out continuous monitoring and threat hunting activities.
  • If you believe you have been compromised, you should contact Cisco, and if you are in the UK you should also inform the NCSC.

Only organisations using Cisco ASA or Cisco FTD are at risk. No specific configuration is required. Cisco FTD is only affected by CVE-2024-20358 when lockdown mode is enabled to restrict Linux shell access. Users should note that lockdown mode is disabled by default.
