Cisco Xero Day Vulnerabilities

12437376265?profile=RESIZE_400xA new malware campaign leveraged two zero-day flaws in Cisco networking gear to deliver custom malware and facilitate covert data collection on target environments.   Cisco Talos, which named the activity ArcaneDoor, attributed it as the handiwork of a previously undocumented sophisticated state-sponsored actor it tracks under the name UAT4356 (aka Storm-1849 by Microsoft).  "UAT4356 deployed two backdoors as components of this campaign, 'Line Runner' and 'Line Dancer,' which were used collectively to conduct malicious actions on-target, which included configuration modification, reconnaissance, network traffic capture/exfiltration and potentially lateral movement," a Talos spokesman reported.[1]

The intrusions, which were first detected and confirmed in early January 2024, entail the exploitation of two vulnerabilities:

  • CVE-2024-20353 (CVSS score: 8.6) - Cisco Adaptive Security Appliance and Firepower Threat Defense Software Web Services Denial-of-Service Vulnerability
  • CVE-2024-20359 (CVSS score: 6.0) - Cisco Adaptive Security Appliance and Firepower Threat Defense Software Persistent Local Code Execution Vulnerability

A zero-day exploit is the technique or attack a malicious actor deploys to leverage an unknown security vulnerability to gain access into a system.

While the second flaw allows a local attacker to execute arbitrary code with root-level privileges, administrator-level privileges are required to exploit it. Addressed alongside CVE-2024-20353 and CVE-2024-20359 is a command injection flaw in the same appliance (CVE-2024-20358, CVSS score: 6.0) that was uncovered during internal security testing.  The US Cybersecurity and Infrastructure Security Agency (CISA) has added the shortcomings to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the vendor-provided fixes by 01 May 2024.

The exact initial access pathway used to breach the devices is presently unknown, although UAT4356 is said to have started preparations for it as early as July 2023.  A successful foothold is followed by the deployment of two implants named Line Dancer and Line Runner, the former of which is an in-memory backdoor that enables attackers to upload and execute arbitrary shellcode payloads, including disabling system logs and exfiltrating packet captures.

Line Runner is a persistent HTTP-based Lua implant installed on the Cisco Adaptive Security Appliance (ASA) by leveraging the aforementioned zero-days such that it can survive across reboots and upgrades.  It has been observed being used to fetch information staged by Line Dancer.  It is suspected that Line Runner may be present on a compromised device even if Line Dancer is not (e.g., as a persistent backdoor, or where an impacted ASA has not yet received full operational attention from the malicious actors).

At every phase of the attack, UAT4356 is said to have demonstrated meticulous attention to hiding digital footprints and the ability to employ intricate methods to evade memory forensics and lower the chances of detection, contributing to its sophistication and elusive nature.  This also suggests that the threat actors have a complete understanding of the inner workings of the ASA itself and of the "forensic actions commonly performed by Cisco for network device integrity validation."

Exactly which country is behind ArcaneDoor is unclear, however both Chinese and Russian state-backed hackers have targeted Cisco routers for cyber espionage purposes in the past.  Cisco Talos also did not specify how many customers were compromised in these attacks.

The development highlights the increased targeting of edge devices and platforms such as email servers, firewalls, and VPNs that traditionally lack endpoint detection and response (EDR) solutions, as evidenced by the recent string of attacks targeting Barracuda Networks, Fortinet, Ivanti, Palo Alto Networks, and VMware.  "Perimeter network devices are the perfect intrusion point for espionage-focused campaigns," a Talos researcher said.  "As a critical path for data into and out of the network, these devices need to be routinely and promptly patched; using up-to-date hardware and software versions and configurations; and be closely monitored from a security perspective.  Gaining a foothold on these devices allows an actor to directly pivot into an organization, reroute or modify traffic and monitor network communications."

This article is presented at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.     For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com    

Reporting: https://www.redskyalliance.org/
Website: https://www.redskyalliance.com/
LinkedIn: https://www.linkedin.com/company/64265941

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://register.gotowebinar.com/register/5378972949933166424

[1] https://thehackernews.com/2024/04/state-sponsored-hackers-exploit-two.html

E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!