Back to BlogSecurity Detection Update – 2024-5-7
Welcome to our weekly security detection and report update. Our Incident Detection Engineering (IDE) Team is constantly hard at work. Creating, testing, and writing detections for you! This week, we’ve made several important updates to improve your security posture and enhance the functionality of our detections. As you might know, monthly, we also release an overview of the entirety of what was changed in the product. However in these updates we’ll focus on the net new content that IDE provides on an ongoing basis, musings from our team, and maybe the occasional horoscope if you’re lucky.
Introduction and Overview
This week we have spent supporting our new release of Blumira Investigate by doing our best to ensure as much relevant data is available in the feature as possible. If you haven’t seen it yet, take a look at the blog post linked above or try it out in the product! Also, as always, our emerging threat detections are one of our highest priorities.
New Detections
This update introduces:
Cisco ASA: ArcaneDoor IOC IP Addresses
Traffic to or from an IP address associated with ArcaneDoor activity has been observed on a Cisco ASA device. See the IDE Content that has been updated below for more information.
- Status: Enabled
- Log type requirement: ASA System and ASA Traffic
IDE Content
Of course we’re going to sneak some of our other content into detection updates!
Updated: Cisco ASA and FTD Firewalls Targeted by State-Sponsored Hacking Group “ArcaneDoor”
On April 24th, 2024, Cisco disclosed that a state-sponsored hacking group, dubbed “ArcaneDoor,” has been actively exploiting three zero-day vulnerabilities in Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls since November 2023. The group has been targeting government networks worldwide, focusing on espionage and gaining in-depth knowledge of the compromised devices. While the attack vector used to provide attackers initial access remains unknown, Cisco has provided details on the specific vulnerabilities used during the hacking group’s campaign.