Cisco zero-day flaws in ASA, FTD software under attack

A previously unknown nation-state threat actor targeted government networks using two zero-day vulnerabilities affecting Cisco products in a campaign referred to as "ArcaneDoor."

The two zero-days, which were disclosed and patched Wednesday, affect Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. CVE-2024-20353 is a high-severity denial-of-service vulnerability capable of remote code execution; CVE-2024-20359 is a high-severity persistent local code execution vulnerability.

According to an advisory Cisco published, CVE 2024-20353 and CVE-2024-20359 have been exploited in the wild as part of the ArcaneDoor threat campaign.

"Although Cisco has not yet identified the initial attack vector, the software updates that are identified in the advisories in the following table address software weaknesses that could allow an attacker to implant malware and obtain persistence on an affected device. Of these software weaknesses, CVE-2024-20353 and CVE-2024-20359 were used by the attacker in this attack campaign," the advisory read. "Cisco strongly recommends that all customers upgrade to fixed software versions."

The networking vendor detailed ArcaneDoor in a Wednesday blog post authored by Cisco Talos researchers. Cisco Talos said the threat actor behind the campaign is a previously unknown nation-state adversary tracked as UAT4356 by Talos and Storm-1849 by the Microsoft Threat Intelligence Center, and that the campaign "is the latest example of state-sponsored actors targeting perimeter network devices from multiple vendors."

Researchers said the campaign was discovered earlier this year after a customer identified ASA security concerns and contacted Cisco to address them. The investigation, which included external partners in the intelligence community, revealed two backdoors, named Line Runner and Line Dancer, as well as two vulnerabilities. The backdoors were used for "configuration modification, reconnaissance, network traffic capture/exfiltration and potentially lateral movement," according to Cisco Talos.

"This actor utilized bespoke tooling that demonstrated a clear focus on espionage and an in-depth knowledge of the devices that they targeted, hallmarks of a sophisticated state-sponsored actor," the blog post read.

The investigation also revealed a third vulnerability in Cisco ASA and FTD software that was not exploited by attackers. CVE-2024-20358 is a medium-severity command injection vulnerability, which Cisco also patched.

Cisco Talos said the campaign involved a "sophisticated attack chain that was used to implant custom malware and execute commands across a small set of customers." An initial attack vector has not been identified.

According to a timeline included in the blog post, related threat activity began at least as early as November of last year.

"The investigation that followed identified additional victims, all of which involved government networks globally. During the investigation, we identified actor-controlled infrastructure dating back to early November 2023, with most activity taking place between December 2023 and early January 2024," Cisco said. "Further, we have identified evidence that suggests this capability was being tested and developed as early as July 2023."

TechTarget Editorial contacted Cisco for additional comment to clarify whether all victims were associated with governments, but the company declined to comment. Instead, a spokesperson offered the following statement:

During the resolution of a Cisco customer support case, we discovered three previously unknown vulnerabilities impacting devices running Cisco Adaptive Security Appliances (ASA) or Cisco Firepower Threat Defense (FTD) software. We published security advisories for customers with software updates and other guidance to keep them safe. We strongly urge customers to take immediate action as outlined in the advisories and in this blog by Cisco Talos, our cyber threat intelligence organization.

In the case of all three flaws, no workarounds are available. "Cisco strongly recommends that customers upgrade to fixed software to resolve this vulnerability," the company said in the advisories for the two zero-day flaws. "Customers are also strongly encouraged to monitor system logs for indicators of undocumented configuration changes, unscheduled reboots, and any anomalous credential activity."

Cisco Talos credited the discovery of CVE 2024-20353 and CVE-2024-20359 to four government agencies: CISA; the Australian Signals Directorate's Australian Cyber Security Centre; the Canadian Centre for Cyber Security, a part of the Communications Security Establishment; and the U.K.'s National Cyber Security Centre (NCSC).

In a security alert, CISA said it added the two zero-days to its Known Exploited Vulnerabilities catalog, and it "strongly encourages users and administrators to apply the necessary updates, hunt for any malicious activity, [and] report positive findings to CISA." Canada's cybersecurity agency published an advisory including indicators of compromise, and the NCSC released a malware analysis of Line Runner and Line Dancer.

Attacks on network boundary or edge devices such as VPNs, firewalls and routers have been an ongoing concern for the infosec community in recent years. Cyber insurer Coalition this week published its "2024 Cyber Claims Report," which detailed the risks posed by running unpatched, internet-facing devices. In the report, Coalition found that insurance claims for Cisco ASA users spiked in 2023. "Businesses with internet-exposed Cisco ASA devices were nearly five times more likely to experience a claim in 2023," the report stated.

Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.