Attacks Against Cisco Firewall Platforms

In early 2024, the Cisco Product Security Incident Response Team (PSIRT) became aware of zero-day attacks that were targeting certain devices that were running Cisco Adaptive Security Appliance (ASA) Software or Cisco Firepower Threat Defense (FTD) Software to implant malware, execute commands, and potentially exfiltrate data from the compromised devices.

A zero-day exploit is the technique or attack a malicious actor uses to leverage a previously unknown security vulnerability to gain access to a system.

This attack campaign has been named ArcaneDoor. Although Cisco has not yet identified the initial attack vector, the software updates identified in the advisories for the vulnerabilities listed below address software weaknesses that could allow an attacker to implant malware and obtain persistence on an affected device.

Of these software weaknesses, CVE-2024-20353 and CVE-2024-20359 were used by the attacker in this attack campaign to deliver custom malware and facilitate covert data collection on target environments. Cisco strongly recommends that all customers upgrade to fixed software versions.

Cisco Talos, which named the activity ArcaneDoor, attributed it to a previously undocumented, sophisticated state-sponsored actor it tracks as UAT4356 (tracked by Microsoft as Storm-1849). Britain's National Cyber Security Centre (NCSC) has also published a joint advisory and two malware analysis reports to help network defenders detect and mitigate malicious activity associated with these vulnerabilities.

Cisco has published details of three vulnerabilities affecting its ASA and FTD devices:

  • CVE-2024-20353: A vulnerability in the management and VPN web servers for Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated remote attacker to cause the device to reload unexpectedly, resulting in a denial of service (DoS) condition.
  • CVE-2024-20358: A vulnerability in the Cisco Adaptive Security Appliance (ASA) restore functionality available in Cisco ASA Software and Firepower Threat Defense (FTD) Software could allow an authenticated local attacker to execute arbitrary commands on the underlying operating system with root-level privileges. Administrator-level privileges are required to exploit this vulnerability.
  • CVE-2024-20359: A vulnerability in a legacy capability that allowed for the preloading of VPN clients and plug-ins, which has been available in Cisco Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software, could allow an authenticated local attacker to execute arbitrary code with root-level privileges. Administrator-level privileges are required to exploit this vulnerability.

While CVE-2024-20359 allows a local attacker to execute arbitrary code with root-level privileges, administrator-level privileges are required to exploit it. Addressed alongside CVE-2024-20353 and CVE-2024-20359 is a command injection flaw in the same appliance, CVE-2024-20358, which was uncovered during internal security testing.

The US Cybersecurity and Infrastructure Security Agency (CISA) has now added the vulnerabilities to its Known Exploited Vulnerabilities catalogue, requiring federal agencies to apply the vendor-provided fixes by May 1, 2024.

The NCSC recommends following vendor best practice advice to mitigate these vulnerabilities. In this case, if you use Cisco ASA or Cisco FTD, you should take these priority actions:

  • Monitor the vendor advisory and install the security update once it is available for your version.
  • Carry out continuous monitoring and threat hunting activities.
  • If you believe you have been compromised, you should contact Cisco and, if you are in the UK, you should also inform the NCSC.

Only organisations using Cisco ASA or Cisco FTD are at risk. No specific configuration is required. Cisco FTD is only affected by CVE-2024-20358 when lockdown mode is enabled to restrict Linux shell access. Users should note that lockdown mode is disabled by default.

Sources: NCSC | Cisco | CISA | ASD | Splunk | Hacker News | Canadian Cybersecurity Centre
