April 24, 2024 at 01:10PM
Cisco warns of state-backed hacking involving zero-day vulnerabilities in ASA and FTD firewalls used to infiltrate government networks globally. The cyber-espionage campaign, known as ArcaneDoor, targeted vulnerable edge devices since November 2023. Cisco discovered and fixed two zero-days – CVE-2024-20353 and CVE-2024-20359 – and urges customers to upgrade their devices for protection.
Key Takeaways from Meeting Notes:
1. State-backed hacking group exploiting zero-day vulnerabilities in Cisco firewalls since November 2023.
2. Hacker group identified as UAT4356 (by Cisco Talos) and STORM-1849 (by Microsoft), targeting government networks in cyber-espionage campaign named ArcaneDoor.
3. Two zero-day vulnerabilities identified by Cisco – CVE-2024-20353 (denial of service) and CVE-2024-20359 (persistent local code execution) used by threat actors.
4. Exploited vulnerabilities allowed deployment of malware implants, Line Dancer and Line Runner, enabling remote access, disabling logging, exfiltrating packets, and running arbitrary code on compromised systems.
5. Cisco urges customers to upgrade their devices with security updates to fix zero-day vulnerabilities and monitor system logs for any signs of unauthorized activity.
6. Earlier warnings included large-scale brute-force attacks targeting VPN and SSH services on various devices and guidance on mitigating password-spraying attacks targeting Remote Access VPN (RAVPN) services on Cisco Secure Firewall devices.