State actors exploited two vulnerabilities in ASA and FTD firewalls to breach government networks - Security Affairs

The state actor UAT4356 has been exploiting two zero-day vulnerabilities in ASA and FTD firewalls since November 2023 to hack government networks. Cisco Talos warned that the state actor UAT4356 (also known as STORM-1849) has been using two zero-day vulnerabilities in Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls since November 2023 to breach government networks worldwide. Cisco Talos researchers have tracked this cyber espionage campaign under the name ArcaneDoor.

Investigation and detection

At the beginning of 2024, a client contacted Cisco to report suspicious activities related to its Cisco Adaptive Security Appliances (ASA). PSIRT and Talos began an investigation to support the client. Experts discovered that the group UAT4356 had installed two backdoors, named "Line Runner" and "Line Dancer," respectively. Cisco reported that the complex attack chain used by the attackers affected a small number of clients.

Description of zero-day attacks

Experts have not yet determined the initial attack vector, but have established that the attackers exploited two vulnerabilities as zero-days in these attacks: CVE-2024-20353 (denial of service) and CVE-2024-20359 (persistent local code execution). Line Dancer is an in-memory implant that acts as a shellcode interpreter, allowing adversaries to execute arbitrary shellcode payloads in memory.

Actions of the perpetrators

On compromised ASA devices, the attackers use the host-scan-reply field to deliver shellcode, without needing to exploit CVE-2018-0101. By redirecting the pointer to the Line Dancer interpreter, the attackers can interact with the device through unauthenticated POST requests.

Threat actors have used Line Dancer to execute various commands, including disabling the system message collection, extracting configuration data, creating packet captures, and executing CLI commands.

Persistence and control

Line Runner allows the attackers to maintain persistence on compromised ASA devices. It abuses a legacy capability related to VPN client pre-loading, running at boot time and searching for a specific file pattern on disk0:. When it finds a match, it unzips and executes a Lua script that provides persistent access through an HTTP-based backdoor. This backdoor survives reboots and upgrades, allowing the threat actors to retain control of the device.

Warning from Cisco

"ArcaneDoor is a campaign that represents the latest example of state-sponsored actors targeting perimeter network devices from multiple manufacturers. These perimeter devices are highly desirable for such actors as an ideal point to infiltrate the network for espionage campaigns. They need to be regularly and timely patched; modern hardware and software should be used, and they must be carefully monitored from a security perspective," states a warning published by Cisco, which also includes indicators of compromise (IOCs). "Once able to operate on these devices, an attacker can directly assert themselves within the organization, redirect or alter traffic, and control network communications."

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs - hacking, ASA)
