Hackers backdoored Cisco ASA devices via two zero-days (CVE-2024-20353, CVE-2024-20359)
A state-sponsored threat actor has compromised Cisco Adaptive Security Appliances (ASA) used on government networks across the globe, exploiting two zero-day vulnerabilities (CVE-2024-20353, CVE-2024-20359) to install backdoors on them, Cisco Talos researchers shared on Wednesday.
The first confirmed activity observed by a Cisco customer dates to early January 2024, but the actual attacks started in November 2023. “Further, we have identified evidence that suggests this capability was being tested and developed as early as July 2023,” the researchers added.
The custom malware
The initial access vector in this campaign – dubbed ArcaneDoor – is still unknown.
The threat actor, which Cisco Talos tracks as UAT4356 and Microsoft as STORM-1849, used custom malware:
- Line Dancer, a shellcode interpreter that resides only in memory, used to upload and execute arbitrary shellcode payloads
- Line Runner, a backdoor used to maintain persistence.
“On a compromised ASA, the attackers submit shellcode via the host-scan-reply field, which is then parsed by the Line Dancer implant. The host-scan-reply field, typically used in later parts of the SSL VPN session establishment process, is processed by ASA devices configured for SSL VPN, IPsec IKEv2 VPN with ‘client-services’ or HTTPS management access,” the researchers explained.
“The actor overrides the pointer to the default host-scan-reply code to instead point to the Line Dancer shellcode interpreter. This allows the actor to use POST requests to interact with the device without having to authenticate and interact directly through any traditional management interfaces.”
Line Dancer has been used to disable syslog (the logging protocol), exfiltrate the output of the show configuration command as well as packet captures, execute CLI commands, force the device to skip creating a crash dump when it crashes (to stymie forensic analysis), and create persistent ways to remotely connect to the device.
Line Runner exploits functionality related to a legacy ASA capability to find a specific Lua file, unzip it, execute it and delete it. The scripts it contains allow the threat actor to maintain an HTTP-based Lua backdoor on the device that persists across reboots and upgrades.
Patch, investigate, respond
Cisco has released patches for CVE-2024-20353 and CVE-2024-20359, provided indicators of compromise and Snort signatures, and outlined several methods for locating the Line Runner backdoor on ASA devices.
Organizations using Cisco ASA are advised to apply the patches as soon as possible, as there are no workarounds for the two vulnerabilities.
“Customers are also strongly encouraged to monitor system logs for indicators of undocumented configuration changes, unscheduled reboots, and any anomalous credential activity,” Cisco advised.
Cisco has also released patches for a third vulnerability (CVE-2024-20358) affecting Cisco ASAs, which is not being exploited by these attackers.
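Cisco's advice to watch logs for undocumented configuration changes, unscheduled reboots and anomalous credential activity (and, since Line Dancer disabled syslog on victims, a device that suddenly goes quiet) can be turned into a simple log check. The script below is an added example and is not Cisco's or Talos's code: the ASA message IDs, line format, management subnet, change window, change-ticket register and the sample log lines are all constructed assumptions, so confirm them against your own devices' output before relying on the rules.

```python
"""Scan ASA-style syslog lines for the indicators Cisco recommends watching
after ArcaneDoor: undocumented config changes, unscheduled reboots, anomalous
credential activity, and a device that stops logging.

Added example, not vendor code. Message IDs and line formats below are
assumptions modelled on ASA syslog conventions; the sample lines are constructed."""
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample: one firewall, one (abridged) day of syslog.
SAMPLE_LOGS = """\
Jan 10 2024 02:01:05 asa-edge-1 : %ASA-6-605005: Login permitted from 10.0.0.20/51000 to inside:10.0.0.1/ssh for user "netops"
Jan 10 2024 02:01:07 asa-edge-1 : %ASA-5-111010: User 'netops', running 'CLI' from IP 10.0.0.20, executed 'write memory'
Jan 10 2024 02:30:00 asa-edge-1 : %ASA-6-302013: Built outbound TCP connection 4711 for outside:198.51.100.9/443
Jan 10 2024 03:10:41 asa-edge-1 : %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = admin : user IP = 203.0.113.7
Jan 10 2024 03:10:43 asa-edge-1 : %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = admin : user IP = 203.0.113.7
Jan 10 2024 03:10:44 asa-edge-1 : %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = admin : user IP = 203.0.113.7
Jan 10 2024 03:10:50 asa-edge-1 : %ASA-6-605005: Login permitted from 203.0.113.7/40211 to outside:192.0.2.1/https for user "admin"
Jan 10 2024 03:11:02 asa-edge-1 : %ASA-5-111010: User 'admin', running 'CLI' from IP 203.0.113.7, executed 'no logging enable'
Jan 10 2024 09:45:12 asa-edge-1 : %ASA-6-199002: startup completed. Beginning operation.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d{4} \d\d:\d\d:\d\d) (?P<host>\S+) : %ASA-\d-(?P<id>\d{6}): (?P<msg>.*)$")
CONFIG_CHANGE_IDS = {"111008", "111010"}   # command executed (assumed IDs)
REBOOT_IDS = {"199002"}                    # startup completed (assumed ID)
AUTH_FAIL_IDS = {"113015", "605004"}       # AAA rejected / login denied (assumed IDs)
AUTH_OK_IDS = {"113004", "605005"}         # AAA successful / login permitted (assumed IDs)

ADMIN_NETS = [ip_network("10.0.0.0/24")]          # assumed management subnet
CHANGE_WINDOW = (2, 4)                            # assumed maintenance window, 02:00-04:00
APPROVED_CHANGES = {("netops", "2024-01-10")}     # constructed change-ticket register
FAIL_THRESHOLD, FAIL_WINDOW = 3, timedelta(minutes=5)
SILENCE_GAP = timedelta(hours=2)                  # a busy edge device should never be this quiet


def parse(lines):
    """Yield (timestamp, host, message id, message) for each well-formed line."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"), m["host"], m["id"], m["msg"]


def field(msg, pattern):
    m = re.search(pattern, msg)
    return m.group(1) if m else None


def from_management(src):
    return any(ip_address(src) in net for net in ADMIN_NETS)


def scan(text):
    """Return a list of (category, host, timestamp, detail) findings."""
    findings, last_seen, failures = [], {}, {}
    for ts, host, mid, msg in parse(text.splitlines()):
        # Line Dancer disabled syslog on victims: a long silence is itself a signal.
        if host in last_seen and ts - last_seen[host] > SILENCE_GAP:
            findings.append(("silence", host, ts, f"no syslog for {ts - last_seen[host]}"))
        last_seen[host] = ts
        src = field(msg, r"(?:from IP |user IP = |from )(\d+(?:\.\d+){3})")

        if mid in CONFIG_CHANGE_IDS:
            user = field(msg, r"User '([^']+)'")
            cmd = field(msg, r"executed '([^']+)'")
            if (user, ts.strftime("%Y-%m-%d")) not in APPROVED_CHANGES:
                findings.append(("config_change", host, ts, f"{user} ran '{cmd}' with no change record"))
            if src and not from_management(src):
                findings.append(("config_change", host, ts, f"'{cmd}' issued from non-management address {src}"))
        elif mid in REBOOT_IDS:
            if not CHANGE_WINDOW[0] <= ts.hour < CHANGE_WINDOW[1]:
                findings.append(("reboot", host, ts, "startup outside the maintenance window"))
        elif mid in AUTH_FAIL_IDS and src:
            recent = [t for t in failures.get(src, []) if ts - t <= FAIL_WINDOW] + [ts]
            failures[src] = recent
            if len(recent) == FAIL_THRESHOLD:
                findings.append(("credential", host, ts, f"{len(recent)} failed logins from {src} within {FAIL_WINDOW}"))
        elif mid in AUTH_OK_IDS and src:
            if failures.get(src) and ts - failures[src][-1] <= FAIL_WINDOW:
                findings.append(("credential", host, ts, f"successful login from {src} right after repeated failures"))
            if not from_management(src):
                findings.append(("credential", host, ts, f"admin login from non-management address {src}"))
    return findings


if __name__ == "__main__":
    for category, host, ts, detail in scan(SAMPLE_LOGS):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {host} [{category}] {detail}")
```

On the constructed sample the rules flag the failed-then-successful admin login from an outside address, the unrecorded `no logging enable` command from that same address, the six-hour syslog gap that follows it, and the mid-morning restart. In production the change register, management subnet and silence threshold would come from your CMDB and normal traffic baseline rather than from constants.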
Targeted attacks
Cisco researchers analyzed these attacks with the help of several companies (Microsoft, Lumen Technologies) and governmental cybersecurity agencies from the US, Canada, Australia and the UK.
“This actor utilized bespoke tooling that demonstrated a clear focus on espionage and an in-depth knowledge of the devices that they targeted, hallmarks of a sophisticated state-sponsored actor,” the researchers noted.
The sophisticated anti-forensic measures employed, the use of zero-days, and the focus on specific targets only reinforce that conclusion.
ArcaneDoor is the latest in a series of campaigns aimed at compromising “edge” networking devices such as VPNs and firewalls, most of which have been attributed to Chinese state-sponsored hackers.
“Further, network telemetry and information from intelligence partners indicate the actor is interested in — and potentially attacking — network devices from Microsoft and other vendors. Regardless of your network equipment provider, now is the time to ensure that the devices are properly patched, logging to a central, secure location, and configured to have strong, multi-factor authentication (MFA),” Cisco Talos warned.
“Gaining a foothold on these devices allows an actor to directly pivot into an organization, reroute or modify traffic and monitor network communications.”
UPDATE (April 25, 2024, 06:10 a.m. ET):
The recently released Coalition 2024 Cyber Claims Report says businesses with internet-exposed Cisco ASA devices were nearly five times more likely to experience a cyber insurance claim in 2023.