Attacks Against Cisco Firewall Platforms

In early 2024, the Cisco Product Security Incident Response Team (PSIRT) became aware of zero-day attacks that were targeting certain devices that were running Cisco Adaptive Security Appliance (ASA) Software or Cisco Firepower Threat Defense (FTD) Software to implant malware, execute commands, and potentially exfiltrate data from the compromised devices.

A zero-day exploit is the technique or attack a malicious actor deploys to leverage an unknown security vulnerability to gain access into a system.

This attack campaign has been named ArcaneDoor and although Cisco has not yet identified the initial attack vector, the software updates that are identified in the advisories in the following table address software weaknesses that could allow an attacker to implant malware and obtain persistence on an affected device. 

Of these software weaknesses, CVE-2024-20353 and CVE-2024-20359 were used by the attacker in this attack campaign to deliver custom malware and facilitate covert data collection on target environments. Cisco strongly recommends that all customers upgrade to fixed software versions.

Cisco Talos, which has named the activity ArcaneDoor, attributed it as the work of a previously undocumented sophisticated state-sponsored actor it tracks under the name UAT4356 (aka Storm-1849 by Microsoft). Britain's National Cyber Security Centre (NCSC) has also published a joint advisory and 2 malware analysis Reports and to help network defenders detect and mitigate malicious activity associated with these vulnerabilities.

Cisco has published details of three vulnerabilities affecting its ASA and FTD devices:

  • CVE-2024-20353:   A vulnerability in the management and VPN web servers for Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) software could allow an unauthenticated remote attacker to cause the device to reload unexpectedly, resulting in a denial of service (DoS) condition. 
  • CVE-2024-20358:   A vulnerability in the Cisco Adaptive Security Appliance (ASA) restore functionality available in Cisco ASA Software and Firepower Threat Defense (FTD) software could allow an authenticated local attacker to execute arbitrary commands on the underlying operating system with root-level privileges. Administrator-level privileges are required to exploit this vulnerability. 
  • CVE-2024-20359:   A vulnerability in a legacy capability that allowed for the preloading of VPN clients and plug-ins which has been available in Cisco Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) software could allow an authenticated local attacker to execute arbitrary code with root-level privileges. Administrator-level privileges are required to exploit this vulnerability. 

While the second flaw allows a local attacker to execute arbitrary code with root-level privileges, administrator-level privileges are required to exploit it.  Addressed alongside CVE-2024-20353 and CVE-2024-20359 is a command injection flaw in the same appliance that was uncovered during internal security testing.

The US Cybersecurity and Infrastructure Security Agency (CISA has now included the shortcomings to its Known Exploited Vulnerabilities catalogue, requiring federal agencies to apply the vendor-provided fixes by May 1, 2024.

The NCSC recommends following vendor best practice advice to mitigate these vulnerabilities. In this case, if you use Cisco ASA or Cisco FTD, you should take these priority actions: 

  • Monitor the vendor advisory and install the security update once it is available for your version.
  • Carry out continuous monitoring and threat hunting activities.  
  • If you believe you have been compromised, you should contact Cisco and if you are in the UK you should also inform the NCSC.

Only organisations using Cisco ASA or Cisco FTD are at risk. No specific configuration is required. Cisco FTD is only affected by CVE-2024-20358 when lockdown mode is enabled to restrict Linux shell access. Users should note that lockdown mode is disabled by default.  

NCSC   |   NCSC   |  Cisco    |   CISA   |    ASD   |  Splunk   |  Hacker News   |   Canadian Cybersecurity Centre   

You Might Also Read: 

Hackers Breach Cisco Security Network:


If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible



 

« Germany Threatens Russia With 'Consequences' For 2023 Cyber Attack
Three Steps To Secure Your Organisation Against Cyber Attacks »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

BCS, The chartered Institute for IT

BCS, The chartered Institute for IT

BCS provides IT professionals with up to date and relevant certifications enabling them to manage IT security effectively within their budget.

TBG Security

TBG Security

TBG provides a portfolio of services including cyber security, compliance and continuity solutions.

Acunetix

Acunetix

Acunetix is a leading web vulnerability scanner, widely acclaimed to include the most advanced SQL injection and XSS black box scanning technology.

Cyber Command

Cyber Command

Our Managed IT service allows clients to offload the management of day-to-day computer, server, and networking support to our team of professionals.

ProPay

ProPay

ProPay provides secure payment solutions for organizations ranging from small businesses to large enterprises requiring complex payment solutions.

DivvyCloud

DivvyCloud

DivvyCloud protects your cloud and container environments from misconfigurations, policy violations, threats, and IAM challenges.

ThreatModeler

ThreatModeler

ThreatModeler is an automated threat modeling solution that fortifies an enterprise’s Software Development Lifecycle by identifying, predicting and defining threats.

World Informatix Cyber Security (WICS)

World Informatix Cyber Security (WICS)

World Informatix Cyber Security provides a range of cyber security services to protect valuable information assets to global business and governments.

AirITSystems

AirITSystems

AirITSystems offer companies comprehensive IT security solutions that take all security considerations into account and are tailored to your business.

TWC IT Solutions

TWC IT Solutions

Since 2011, TWC IT Solutions has offered managed IT Support, Cybersecurity, Disaster Recovery, Contact Centre and Business Connectivity services to clients across 24 countries globally.

Quad9 Foundation

Quad9 Foundation

Quad9 is a free security solution that uses DNS to protect your system against the most common cyber threats. It improves your system's performance, plus, it preserves and protects your privacy.

Hayes Connor Solicitors

Hayes Connor Solicitors

Hayes Connor Solicitors is a specialist data breach and cybercrime law firm. We act for clients on individual data breaches and also where a group has been compromised as part of a targeted attack.

BetterWorld Technology

BetterWorld Technology

BetterWorld Technology provides cloud solutions, managed services, SaaS, cybersecurity and virtual CIO, all customized to meet your needs.

ABPCyber

ABPCyber

ABPCyber offers holistic cybersecurity solutions spanning DevSecOps, advisory and consultancy, designing and integration, managed operations, and cybersecurity investment optimization.

PriorityZero

PriorityZero

PriorityZero is a European company focused on remote security assessments and consulting services that operates on a global scale.

SecAI

SecAI

SecAI is an innovative threat intelligence-driven, and AI-powered vendor aiming at cyber threat detection and response.