State-Sponsored Hacking Targets Cisco ASA and FTD Firewalls

Update 4.29.24 3:37PM ET: 

One new detection and one new global report have been released to track ArcaneDoor activity.

Detection: Cisco ASA: ArcaneDoor IOC IP Addresses

• This detection monitors ASA system and traffic logs for connections to IP addresses called out in this article from Cisco Talos.
• This detection is in the process of being deployed to all of our customers sending Cisco ASA logs. This is a default enabled detection.

Report: Cisco ASA: ArcaneDoor Activity Audit

• This global report presents audit events with the specific logcodes called out in this article from the Canadian Center for Cyber Security.

I also wanted to specifically call out that the existing detection, "Cisco ASA: Excessive Authentication Errors" may help identify brute forcing and password spraying against these devices. This is a default disable detection, so you will need to enable this in your Blumira tenant if not already done so.

What Happened?

On April 24th, 2024, Cisco disclosed that a state-sponsored hacking group, dubbed "ArcaneDoor," has been actively exploiting three zero-day vulnerabilities in Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls since November 2023. The group has been targeting government networks worldwide, focusing on espionage and gaining in-depth knowledge of the compromised devices. While the attack vector used to provide attackers initial access remains unknown, Cisco has provided details on the specific vulnerabilities used during the hacking group’s campaign.

How Bad is This?

The ArcaneDoor hacking group has been observed exploiting three zero-day vulnerabilities, CVE-2024-20353, CVE-2024-20358, and CVE-2024-20359 in Cisco ASA and FTD firewalls. They used these vulnerabilities in conjunction with two custom-built tools, "Line Dancer" and "Line Runner," to gain unauthorized access, disable logging, exfiltrate captured packets, and execute arbitrary code on the compromised devices. 

The group's primary objectives appear to be espionage and gaining in-depth knowledge of the targeted devices. They exfiltrated device configuration files, disabled syslog services to cover their tracks, and modified AAA configurations to allow their own devices access to the network.

Severity of the CVEs:

1. CVE-2024-20353 (HIGH): This vulnerability in the management and VPN web servers could allow an unauthenticated, remote attacker to cause the device to reload unexpectedly, resulting in a denial of service (DoS) condition.
2. CVE-2024-20359 (HIGH): This vulnerability allows for executing arbitrary code with root-level privileges. The injected code could potentially persist across device reboots, elevating the severity of this vulnerability.
3. CVE-2024-20358 (MEDIUM): Similar to CVE-2024-20359, this vulnerability allows for executing arbitrary code with root-level privileges but is unable to persist through reboots.

What Should I Do?

To mitigate the risk posed by these vulnerabilities, administrators should take the following actions:

1. Patch affected devices as soon as possible. Cisco has released software updates that address these vulnerabilities.
2. Configure logging to a central, secure location to detect and monitor any suspicious activities.
3. Implement Multi-Factor Authentication (MFA) to prevent unauthorized access.
4. Monitor systems for unscheduled reboots, unauthorized configuration changes, and suspicious credential activity.
5. Verify the integrity of ASA and FTD devices using the instructions provided by Cisco in their official advisory.

The ArcaneDoor hacking group's exploitation of zero-day vulnerabilities in Cisco ASA and FTD firewalls highlights the importance of timely patching and maintaining a robust security posture. Administrators should prioritize patching affected devices, implement secure logging and monitoring practices, and follow Cisco's guidance to ensure the integrity of their networks.

For additional information refer to these resources:

• Canadian Centre for Cyber Security: Cyber Activity Impacting CISCO ASA VPNs
• Cisco Event Response: Attacks Against Cisco Firewall Platforms
• Cisco Talos: ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices
• Cisco Official Advisory: CVE-2024-20353
• Cisco Official Advisory: CVE-2024-20358
• Cisco Official Advisory: CVE-2024-20359

How Blumira Can Help

Blumira continues to actively monitor this issue, and look for ways that we can detect any stage of exploitation of these vulnerabilities.

If you are an MSP and not already using Blumira, please submit a request for a “free for internal use” NFR account.

Blumira’s Free SIEM is easy to deploy; IT and security teams can start seeing immediate security value for their organizations.