Networking giant Cisco warned that a group of state-sponsored hackers exploited zero-days in its firewall appliances to spy on government networks over the last several months.
Cisco in a Wednesday warning said that two zero-day vulnerabilities in Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls were exploited by a state-backed hacking group since November 2023 to infiltrate government networks globally.
Identified as UAT4356 by Cisco Talos and STORM-1849 by Microsoft, the hackers initiated their cyber-espionage campaign, dubbed “ArcaneDoor,” through targeting of vulnerable edge devices in early November 2023.
“This actor utilized bespoke tooling that demonstrated a clear focus on espionage and an in-depth knowledge of the devices that they targeted, hallmarks of a sophisticated state-sponsored actor,” Cisco Talos said.
Discovery and Details of the Two Cisco Zero-Days
Despite the absence of an identified initial attack vector, Cisco detected and rectified two security flaws – CVE-2024-20353, a denial-of-service bug and CVE-2024-20359, a persistent local code execution bug – which the threat actors used as zero-days.
Cisco became aware of the ArcaneDoor campaign earlier this year but said the attackers had been testing and developing exploits for the two zero-days since at least July 2023. “The investigation that followed identified additional victims, all of which involved government networks globally,” Cisco Talos added.
The exploited vulnerabilities facilitated the deployment of previously unknown malware, allowing threat actors to establish persistence on compromised ASA and FTD devices. One such malware implant dubbed “Line Dancer,” acted as an in-memory shellcode loader, enabling the execution of arbitrary shellcode payloads to disable logging, provide remote access, and exfiltrate captured packets.
The second implant, a persistent backdoor known as “Line Runner,” included various defense evasion mechanisms to evade detection and enable the execution of arbitrary Lua code on compromised systems.
Perimeter network devices like the ASA and FTD firewall appliances “are the perfect intrusion point for espionage-focused campaigns,” Cisco said. “Gaining a foothold on these devices allows an actor to directly pivot into an organization, reroute or modify traffic and monitor network communications.”
The networking and security giant said it had observed a “dramatic and sustained” increase in the targeting of these devices in the past two years, especially those deployed in the telecommunications and energy sectors as “critical infrastructure entities are likely strategic targets of interest for many foreign governments,” Cisco explained.
What Cybersecurity Agencies Said
A joint advisory published today by the UK’s National Cyber Security Centre (NCSC), the Canadian Centre for Cyber Security (Cyber Centre), and the Australian Cyber Security Centre outlined additional activity undertaken by the threat actors:
– They generated text versions of the device’s configuration file for exfiltration through web requests.
– They controlled the enabling and disabling of the devices syslog service to obfuscate additional commands.
– They modified the authentication, authorization, and accounting (AAA) configuration to provide access to specific actor-controlled devices within the impacted environment.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also added the zero-day bugs to its Known Exploited Vulnerabilities Catalog and encouraged users to apply the necessary updates, hunt for malicious activity, and report any positive findings to the agency.
Cisco released security updates on Wednesday to address the two zero-days and recommended all customers to upgrade their devices to the fixed software version to mitigate potential attacks. Cisco asked administrators to monitor system logs for signs of unscheduled reboots, unauthorized configuration changes, or suspicious credential activity.
The company also provided instructions on verifying the integrity of ASA or FTD devices in the advisory.
Espionage Actors Increasingly Using Edge Device Zero-Days
Although no attribution was made for the ArcaneDoor campaign a recent trends report from Google security firm Mandiant fingered Chinese hackers for increasingly targeting edge devices like VPN appliances, firewalls, routers, and IoT tools in espionage attacks. Mandiant observed a more than 50% growth in zero-day usage compared to 2022, both by espionage groups as well as financially motivated hackers.
“China-nexus attackers have gained access
to edge devices via exploitation of vulnerabilities, particularly
zero-days, and subsequently deployed custom malware
ecosystems,“ Mandiant said.
The security firm added that it is likely to see continued deployment of custom malware ecosystems from Chinese espionage groups that are tailored for the device and operation at hand.
“This approach provides several advantages such as the increased ability to remain undetected, reduced complexity and increased reliability, and a reduced malware footprint.“
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.