Attacks Against Cisco Firewall Platforms

In early 2024, the Cisco Product Security Incident Response Team (PSIRT) became aware of zero-day attacks that were targeting certain devices that were running Cisco Adaptive Security Appliance (ASA) Software or Cisco Firepower Threat Defense (FTD) Software to implant malware, execute commands, and potentially exfiltrate data from the compromised devices.

A zero-day exploit is the technique or attack a malicious actor deploys to leverage an unknown security vulnerability to gain access into a system.

This attack campaign has been named ArcaneDoor and although Cisco has not yet identified the initial attack vector, the software updates that are identified in the advisories in the following table address software weaknesses that could allow an attacker to implant malware and obtain persistence on an affected device. 

Of these software weaknesses, CVE-2024-20353 and CVE-2024-20359 were used by the attacker in this attack campaign to deliver custom malware and facilitate covert data collection on target environments. Cisco strongly recommends that all customers upgrade to fixed software versions.

Cisco Talos, which has named the activity ArcaneDoor, attributed it as the work of a previously undocumented sophisticated state-sponsored actor it tracks under the name UAT4356 (aka Storm-1849 by Microsoft). Britain's National Cyber Security Centre (NCSC) has also published a joint advisory and 2 malware analysis Reports and to help network defenders detect and mitigate malicious activity associated with these vulnerabilities.

Cisco has published details of three vulnerabilities affecting its ASA and FTD devices:

  • CVE-2024-20353:   A vulnerability in the management and VPN web servers for Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) software could allow an unauthenticated remote attacker to cause the device to reload unexpectedly, resulting in a denial of service (DoS) condition. 
  • CVE-2024-20358:   A vulnerability in the Cisco Adaptive Security Appliance (ASA) restore functionality available in Cisco ASA Software and Firepower Threat Defense (FTD) software could allow an authenticated local attacker to execute arbitrary commands on the underlying operating system with root-level privileges. Administrator-level privileges are required to exploit this vulnerability. 
  • CVE-2024-20359:   A vulnerability in a legacy capability that allowed for the preloading of VPN clients and plug-ins which has been available in Cisco Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) software could allow an authenticated local attacker to execute arbitrary code with root-level privileges. Administrator-level privileges are required to exploit this vulnerability. 

While the second flaw allows a local attacker to execute arbitrary code with root-level privileges, administrator-level privileges are required to exploit it.  Addressed alongside CVE-2024-20353 and CVE-2024-20359 is a command injection flaw in the same appliance that was uncovered during internal security testing.

The US Cybersecurity and Infrastructure Security Agency (CISA has now included the shortcomings to its Known Exploited Vulnerabilities catalogue, requiring federal agencies to apply the vendor-provided fixes by May 1, 2024.

The NCSC recommends following vendor best practice advice to mitigate these vulnerabilities. In this case, if you use Cisco ASA or Cisco FTD, you should take these priority actions: 

  • Monitor the vendor advisory and install the security update once it is available for your version.
  • Carry out continuous monitoring and threat hunting activities.  
  • If you believe you have been compromised, you should contact Cisco and if you are in the UK you should also inform the NCSC.

Only organisations using Cisco ASA or Cisco FTD are at risk. No specific configuration is required. Cisco FTD is only affected by CVE-2024-20358 when lockdown mode is enabled to restrict Linux shell access. Users should note that lockdown mode is disabled by default.  

NCSC   |   NCSC   |  Cisco    |   CISA   |    ASD   |  Splunk   |  Hacker News   |   Canadian Cybersecurity Centre   

You Might Also Read: 

Hackers Breach Cisco Security Network:


If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible



 

« Germany Threatens Russia With 'Consequences' For 2023 Cyber Attack
Three Steps To Secure Your Organisation Against Cyber Attacks »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Leonardo

Leonardo

Leonardo (formerly Finmeccanica) is a global high-tech company in Aerospace, Defence, Security & Information Systems including Cybersecurity & ICT solutions.

CoSoSys Endpoint Protector

CoSoSys Endpoint Protector

Endpoint Protector by CoSoSys is an advanced all-in-one DLP solution for Windows, macOS, and Linux, that puts an end to unintentional data leaks and protects from malicious data theft.

NICE Systems

NICE Systems

NICE Systems provide software solutions to ensure compliance, fight financial crime, and safeguard people and assets.

Arthur J Gallagher & Co

Arthur J Gallagher & Co

Arthur J. Gallagher & Co. is a global insurance brokerage and risk management services firm. Services include Cyber Liability insurance.

Vector InfoTech

Vector InfoTech

Vector InfoTech is a leader in Industrial Security, Networks, IT and Telecommunications.

Nucleon

Nucleon

Nucleon enables cybersecurity tools, organizations and software developers to become proactive by blocking threats before they become breaches.

Mvine

Mvine

Mvine's primary business is authoring and selling Cyber-Secure Platforms for Collaboration Portals and for Identity Management as well as delivering cloud support services.

Secure IT Disposals

Secure IT Disposals

Secure IT Disposals specialise in professional Computer Recycling, Computer Disposals, Computer Destruction, Data Erasure and end-of-lifecycle solutions.

LinkShadow

LinkShadow

LinkShadow is a next-generation cybersecurity solution that provides unparalleled detection of even the most sophisticated threats.

SearchInform

SearchInform

SearchInform is a leading risk management product developer, protecting business and government institutions against data theft, harmful human behavior, compliance breaches and incomplete audit.

Canopius Group

Canopius Group

Canopius is a global specialty lines insurance and reinsurance company and one of the top 10 insurers in the Lloyd’s insurance market.

UK Cyber Security Association (UKCSA)

UK Cyber Security Association (UKCSA)

The UK Cyber Security Association (UKCSA) is a membership organisation for individuals and organisations who actively work in the cyber security industry.

Kalima Systems

Kalima Systems

Kalima’s mission is to securely collect, transport, store and share Industrial IoT (IIoT) trusted data in real time with devices, services and mobile workers.

Mirai Security

Mirai Security

Mirai Security are a cyber security company that specializes in Governance, Risk Management and Compliance, Cloud Security and Application Security.

Mitigo Group

Mitigo Group

Mitigo offers a well considered and effective approach to keeping businesses completely secure from any digital attacks.

Port443

Port443

Port443 specialises in providing Security Orchestration, Automation and Remediation (SOAR) "as a service".