Cisco Raises Alarm for ‘ArcaneDoor’ Zero-Days Hitting ASA Firewall Platforms

April 24, 2024 at 02:09PM

Cisco issued a warning that professional, nation-state-backed hackers are exploiting two zero-day vulnerabilities in its ASA firewall platforms to plant malware on telecommunications and energy-sector networks. The campaign, known as ArcaneDoor, abuses software defects in Cisco products to implant custom backdoors, exfiltrate data, and execute commands on the compromised devices. Cisco recommended keeping devices patched, sending logs to a central, secure location, and enforcing strong multi-factor authentication.

The major takeaways from the report are:

1. Professional, nation-state-backed hacking teams are exploiting zero-day vulnerabilities in Cisco's ASA firewall platforms to plant malware on telecommunications and energy-sector networks.

2. The campaign, known as ArcaneDoor, targets software defects in devices running Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) software. The attackers use exploits for two documented bugs in these products: CVE-2024-20353, a denial-of-service flaw that lets an attacker force the device to reload, and CVE-2024-20359, a persistent local code execution flaw that requires administrator-level access but survives reboots.

3. The initial access vector used in this campaign has not been determined, and Cisco has found no evidence of pre-authentication exploitation to date. Since the documented bugs require existing access to the device, the attackers likely obtained administrator credentials or another foothold before exploiting them.

4. The threat actor responsible for this malicious activity has been tracked as UAT4356 by Cisco Talos and STORM-1849 by the Microsoft Threat Intelligence Center.

5. The attackers deploy backdoors to perform malicious actions on the targeted devices, including modifying the configuration, reconnaissance, capturing and exfiltrating network traffic, and potentially moving laterally into the protected network.

6. Cisco uncovered a sophisticated attack chain used to implant custom malware and execute commands across a small set of customers.

7. Network telemetry and information from intelligence partners indicate that the actor is also interested in, and potentially attacking, network devices from Microsoft and other vendors.

8. All organizations are advised to ensure that their network devices, regardless of vendor, are properly patched, log to a central and secure location, and are configured with strong multi-factor authentication (MFA) for administrative access.

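As an added illustration of the hardening advice in item 8 (not configuration from the Cisco report or from any affected customer), the following ASA CLI fragment contrasts a weak management setup with one that ships logs off-box and puts MFA in front of administrative logins. The interface name, addresses, RADIUS shared secret, and server-group name are assumptions chosen for the example; substitute your own. Off-box logging matters here because an attacker with administrator access to the device can clear or alter its local buffer, while a central collector keeps the record of configuration changes and logins that item 5 describes.

```text
! --- Weak setup (what ArcaneDoor-style actors benefit from) ---
! Logs only live in the device's own RAM buffer and can be wiped by
! anyone who gains admin access; SSH/ASDM use local passwords alone
! and are reachable from anywhere.
logging enable
logging buffered informational
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
ssh 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 outside

! --- Hardened setup (assumed collector 10.0.0.50, RADIUS MFA 10.0.0.60) ---
! 1. Central logging over TCP with timestamps, so the collector keeps
!    a copy of every config change and login even if the box is wiped.
logging enable
logging timestamp
logging trap informational
logging host inside 10.0.0.50 tcp/1514
! Keep passing traffic if the TCP syslog server is unreachable
! (without this, ASA blocks new connections when the TCP collector is down).
logging permit-hostdown

! 2. MFA for administrative logins via a RADIUS server group
!    (e.g. a push-based MFA proxy). LOCAL stays as a break-glass fallback
!    only for when the RADIUS servers are unreachable.
aaa-server MFA-RADIUS protocol radius
aaa-server MFA-RADIUS (inside) host 10.0.0.60
 key <shared-secret>
 timeout 60
aaa authentication ssh console MFA-RADIUS LOCAL
aaa authentication http console MFA-RADIUS LOCAL

! 3. Restrict management plane reachability to the admin subnet on the
!    inside interface and require SSH version 2.
ssh 10.0.0.0 255.255.255.0 inside
http 10.0.0.0 255.255.255.0 inside
ssh version 2
```

Check the result with `show logging` (the configured host should appear with a nonzero message count) and `show aaa-server MFA-RADIUS` (state should be ACTIVE); any management session that still succeeds with a password alone from outside the admin subnet means the old `ssh`/`http` lines were not removed.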