Attack

Cisco reports two flaws exploited by state-sponsored hackers attacking government entities

Take action: If you are running Cisco Adaptive Security Appliance (ASA) or Cisco Firepower Threat Defense (FTD) software, it is time to patch. At first glance neither issue looks critical on its own, but the campaign makes it clear that the attackers already had another vector of initial access, possibly phishing or an endpoint compromise, and used these flaws to finish the job. If they did it once, they'll do it again. Plan to apply the patches.


Learn More

Cisco Systems Inc. is warning about a state-sponsored cyberattack campaign, codenamed "ArcaneDoor," that has been targeting government networks since November using two zero-day vulnerabilities.

These attacks have exploited previously unknown security flaws in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software.

The two vulnerabilities exploited by the attackers are CVE-2024-20353 and CVE-2024-20359:

  • CVE-2024-20353 (CVSS score 8.6) is caused by incomplete error checking when parsing an HTTP header. An unauthenticated, remote attacker could exploit it by sending a crafted HTTP request to a targeted web server on an affected ASA or FTD device, causing the device to reload and resulting in a denial of service condition.
  • CVE-2024-20359 (CVSS score 6.0) is a vulnerability in a legacy capability that allowed the preloading of VPN clients and plug-ins. It could allow an authenticated, local attacker to execute arbitrary code with root-level privileges. Administrator-level privileges are required to exploit this vulnerability.

The attackers deployed sophisticated tools, including "Line Dancer," a memory-resident shellcode interpreter that lets them upload and execute arbitrary shellcode payloads, and "Line Runner," a persistence backdoor that abuses CVE-2024-20359 to maintain access to and control over compromised devices.
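One concrete check a practitioner can run on an ASA while waiting for a patch window comes from Cisco's published ArcaneDoor guidance rather than from this summary: `show memory region | include lina` should normally show a single executable (r-xp) region for the lina process, and more than one, especially one exactly 0x1000 bytes long, is a tampering indicator consistent with a memory-resident implant such as Line Dancer. The Python below is an added example, not code from Cisco or from the original report. It parses that command's output under the assumption that it follows the Linux /proc maps column layout (address range, permissions, offset, device, inode, pathname), and the sample output is constructed for illustration, not captured from a real device.

```python
import re

# One line of maps-style output: address range, permissions, offset, device,
# inode, optional pathname. The column layout is an assumption about the ASA's
# "show memory region" output, not a documented format.
REGION_LINE = re.compile(
    r"^(?P<start>[0-9a-fA-F]+)-(?P<end>[0-9a-fA-F]+)\s+"
    r"(?P<perms>[rwxsp-]{4})\s+\S+\s+\S+\s+\S+(?:\s+(?P<path>\S.*))?$"
)

PAGE = 0x1000  # one 4 KiB page; Cisco's guidance singles out regions of exactly this size


def executable_regions(show_output):
    """Return [(start, end, size_bytes, pathname)] for every mapping whose
    permission string contains 'x', i.e. the r-xp regions the heuristic counts."""
    regions = []
    for raw in show_output.splitlines():
        m = REGION_LINE.match(raw.strip())
        if not m or "x" not in m.group("perms"):
            continue
        start, end = int(m.group("start"), 16), int(m.group("end"), 16)
        regions.append((start, end, end - start, (m.group("path") or "").strip()))
    return regions


def assess_lina_regions(show_output):
    """Apply the heuristic: more than one executable region is a tampering
    indicator, and a region of exactly one page (0x1000 bytes) strengthens it."""
    regions = executable_regions(show_output)
    page_sized = [r for r in regions if r[2] == PAGE]
    return {
        "executable_regions": len(regions),
        "page_sized_executable_regions": len(page_sized),
        "tampering_suspected": len(regions) > 1,
    }


# Constructed sample (hypothetical addresses, not from a real device): what a
# clean "show memory region | include lina" might look like, one r-xp mapping
# for the lina binary plus its writable data mapping.
CLEAN_OUTPUT = """\
00400000-0e4cb000 r-xp 00000000 08:01 2261 /asa/bin/lina
0e6cb000-0e7d0000 rw-p 0e0cb000 08:01 2261 /asa/bin/lina
"""

# The same constructed device with one extra page-sized executable mapping,
# the pattern the heuristic is meant to catch.
TAMPERED_OUTPUT = CLEAN_OUTPUT + (
    "7f3a3c000000-7f3a3c001000 r-xp 00000000 00:00 0 /asa/bin/lina\n"
)

if __name__ == "__main__":
    for label, output in (("clean", CLEAN_OUTPUT), ("tampered", TAMPERED_OUTPUT)):
        print(label, assess_lina_regions(output))
```

Paste the real command output into `assess_lina_regions()` on a workstation rather than running anything on the firewall itself; the point of the check is that the device only needs to emit one `show` command, which is easy to include in a fleet-wide collection run before and after patching.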

The campaign was initially identified when a customer reported suspicious activity on their systems to Cisco, which led to the discovery of further intrusions affecting various government networks. These intrusions date back to early November.

The investigation has yet to pinpoint the initial attack vector. However, the custom tools and techniques Cisco identified indicate a high level of capability typical of state-sponsored actors, and the attackers' advanced understanding of the targeted devices points to espionage as the primary goal.

Cisco has released fixes for the exploited vulnerabilities and continues to work with affected entities to mitigate the impacts.
