Cisco firewalls were abused for espionage for months


Cisco and the Dutch NCSC warn of critical vulnerabilities in Cisco firewall systems. Through the vulnerabilities, unknown cyber criminals managed to use malware for espionage purposes. Cisco has released updates to resolve the issues.

The vulnerabilities are in Cisco Adaptive Security Appliance, or ASA, and in Cisco Firepower Threat Defense, or FTD, the Cisco Talos security team said in a blog. Two vulnerabilities, tracked as CVE-2024-20353 and CVE-2024-20359, allow cyber criminals to conduct denial-of-service attacks and remotely execute arbitrary code with root privileges. Exploiting the remote code execution flaw requires admin rights.

The vulnerabilities were discovered after a Cisco customer contacted the company in early 2024 with concerns about the security of Cisco ASA. An investigation was launched, uncovering a sophisticated attack chain that Talos has dubbed 'ArcaneDoor'. This attack chain was deployed by a previously unknown party, which has been given the name 'UAT4356'. Although it has not been discovered how the attackers gain initial access to the firewalls, it is clear that the vulnerabilities are being exploited to install two backdoors, which Cisco calls 'Line Runner' and 'Line Dancer'. From there, the attackers change the firewall configuration, collect network traffic and can move laterally through the network.

According to Talos, government organizations are mainly targeted. The security team also says that the attackers use tools that indicate cyber espionage and in-depth knowledge of the devices they attack. According to Talos, these are 'hallmarks of an advanced state-sponsored' party. Talos does not say which country sponsors the attackers.

The attackers have been working on ArcaneDoor for months. According to Talos, they started testing the attack in July, and the first real attacks were seen in November. The Australian government, for one, says it has been a victim: several firewalls have been compromised there. In the Netherlands, the NCSC has issued a warning about the vulnerabilities, which are considered very critical.

Cisco has released patches that resolve the vulnerabilities. In addition, Cisco provides a step-by-step plan on its website and in the Talos blog to check whether ASA or FTD devices have been attacked. For compromised systems, Cisco has provided measures to restore them.