
Businesses and organisations relying on Cisco’s Adaptive Security Appliance (ASA) and Firepower Threat Defence (FTD) firewalls are being advised to take immediate action to protect themselves from a sophisticated cyber-attack campaign dubbed ArcaneDoor. This campaign is reportedly being conducted by a state-sponsored espionage group.

What is ArcaneDoor?

ArcaneDoor leverages three newly discovered critical vulnerabilities in Cisco ASA and FTD firewalls:

  • CVE-2024-20353: Allows remote attackers to trigger a system crash, causing disruption.
  • CVE-2024-20358: Allows local attackers to execute commands with system-level privileges, potentially leading to full device control.
  • CVE-2024-20359: Allows local attackers to execute code with system-level privileges for further compromise.

Two of these vulnerabilities (CVE-2024-20353 and CVE-2024-20359) are known to be actively exploited in the ongoing campaign.

The attacks involve a two-stage process facilitated by the zero-day vulnerabilities (CVE-2024-20353 and CVE-2024-20359).

  1. Initial Breach: The attackers find an unpatched Cisco firewall and exploit the vulnerabilities. The exact method of gaining initial access remains unknown.
  2. Deployment of Implants: Two custom malware implants are loaded on the compromised firewall:
    • Line Dancer (in-memory backdoor): Disables logging, collects network traffic, and allows the attackers to run additional code.
    • Line Runner (persistent backdoor): Survives reboots and upgrades, providing the attackers with lasting access to the network.

What are the Risks?

  • Network Disruption: The denial-of-service flaw (CVE-2024-20353) could be used to disrupt business operations.
  • Further Intrusion: The backdoors act as a launchpad for attackers to move deeper into the organisation’s network.
  • Data Exfiltration: The potential for data theft and system disruption can harm operations and business reputation.

What You Can Do

  1. Patch Immediately: Cisco has released security updates addressing these vulnerabilities. Apply these patches as soon as possible.
  2. Monitor for Compromise: Review firewall logs for signs of unusual activity. The UK National Cyber Security Centre (NCSC), the US Cybersecurity and Infrastructure Security Agency (CISA), and Cisco have published guidance and malware reports to help detect attacks.
  3. Limit Administrator Access: Restrict administrator privileges on Cisco ASA and FTD devices to the minimum number of accounts necessary.
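One concrete way to act on step 2, given that Line Dancer disables logging on the compromised device, is to watch the firewall's own syslog stream for two signals: a device whose log flow pauses or goes quiet, and an explicit command that turns logging off. The script below is an added example written for this page; it is not code from Cisco, NCSC or CISA. The sample syslog lines are constructed, the line layout (`<timestamp> <device> : %ASA-<severity>-<id>: <text>`) is an assumption about how your collector formats events, and the 30-minute threshold is a placeholder you would tune to each device's normal traffic.

```python
"""Triage Cisco ASA syslog for two ArcaneDoor-relevant signals: a log
stream that pauses or goes quiet, and commands that disable logging.
Added example; the sample lines below are constructed, not real captures."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines. Assumed collector layout:
# "<ISO timestamp> <device> : %ASA-<severity>-<message-id>: <text>"
SAMPLE_SYSLOG = """\
2024-04-25T08:00:00 fw-edge-1 : %ASA-6-302013: Built outbound TCP connection 1001 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.0.0.10/51000 (198.51.100.1/51000)
2024-04-25T08:05:00 fw-edge-1 : %ASA-6-302014: Teardown TCP connection 1001 for outside:203.0.113.5/443 to inside:10.0.0.10/51000 duration 0:05:00 bytes 4096 TCP FINs
2024-04-25T08:06:00 fw-edge-1 : %ASA-5-111008: User 'enable_15' executed the 'no logging enable' command.
2024-04-25T10:30:00 fw-edge-1 : %ASA-6-302013: Built outbound TCP connection 1002 for outside:203.0.113.9/443 (203.0.113.9/443) to inside:10.0.0.11/51001 (198.51.100.1/51001)
2024-04-25T08:00:00 fw-edge-2 : %ASA-6-302013: Built outbound TCP connection 2001 for outside:203.0.113.7/443 (203.0.113.7/443) to inside:10.0.1.10/52000 (198.51.100.2/52000)
2024-04-25T08:10:00 fw-edge-2 : %ASA-6-302014: Teardown TCP connection 2001 for outside:203.0.113.7/443 to inside:10.0.1.10/52000 duration 0:10:00 bytes 2048 TCP FINs
2024-04-25T08:20:00 fw-edge-2 : %ASA-5-111008: User 'netops' executed the 'show version' command.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) : %ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$")
# %ASA-5-111008 reports a command executed on the box; extract the command text.
CMD_RE = re.compile(r"executed the '(?P<cmd>[^']*)' command")
# Command prefixes that reduce or remove logging; extend for your environment.
LOGGING_DISABLE_PREFIXES = ("no logging", "clear logging")


def parse_lines(text):
    """Parse syslog text into event dicts; lines that do not match are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "device": m["device"],
            "severity": int(m["sev"]),
            "msgid": m["msgid"],
            "text": m["text"],
        })
    return events


def _by_device(events):
    """Group events per device, each group sorted by timestamp."""
    per = defaultdict(list)
    for e in events:
        per[e["device"]].append(e)
    for evs in per.values():
        evs.sort(key=lambda e: e["ts"])
    return per


def find_logging_gaps(events, max_gap_minutes=30):
    """Return {device: [(gap_start_iso, gap_end_iso), ...]} for every pause in a
    device's log stream longer than max_gap_minutes (threshold is a placeholder)."""
    limit = timedelta(minutes=max_gap_minutes)
    gaps = {}
    for device, evs in _by_device(events).items():
        found = [(a["ts"].isoformat(), b["ts"].isoformat())
                 for a, b in zip(evs, evs[1:]) if b["ts"] - a["ts"] > limit]
        if found:
            gaps[device] = found
    return gaps


def find_silent_devices(events, now_iso, max_gap_minutes=30):
    """Return {device: last_event_iso} for devices whose newest event is older
    than max_gap_minutes relative to now_iso, i.e. the stream has gone quiet."""
    now = datetime.fromisoformat(now_iso)
    limit = timedelta(minutes=max_gap_minutes)
    silent = {}
    for device, evs in _by_device(events).items():
        last = evs[-1]["ts"]
        if now - last > limit:
            silent[device] = last.isoformat()
    return silent


def find_logging_changes(events):
    """Return [(device, ts_iso, command)] for 111008 events whose command
    disables or clears logging."""
    hits = []
    for e in events:
        if e["msgid"] != "111008":
            continue
        m = CMD_RE.search(e["text"])
        if m and m["cmd"].startswith(LOGGING_DISABLE_PREFIXES):
            hits.append((e["device"], e["ts"].isoformat(), m["cmd"]))
    return hits


if __name__ == "__main__":
    evs = parse_lines(SAMPLE_SYSLOG)
    print("gaps:", find_logging_gaps(evs))
    print("silent:", find_silent_devices(evs, "2024-04-25T11:00:00"))
    print("logging changes:", find_logging_changes(evs))
```

Run against the constructed sample, `fw-edge-1` is flagged twice: its stream pauses for over two hours immediately after a `no logging enable` command, which is exactly the pattern an in-memory implant that disables logging would leave. `fw-edge-2` shows no gap within its own stream but is reported as silent relative to the reference time, which is why both checks are kept: a gap check catches a pause that has already ended, while a silence check catches one still in progress. A real deployment would key the threshold on each device's baseline event rate rather than a fixed 30 minutes.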

Additional Recommendations

  • Review Firewall Configurations: Ensure your firewall is configured securely and in line with industry best practices.
  • Threat Hunting: Conduct regular threat hunts for signs of intrusion within your network.
  • Incident Response: Have a robust incident response plan in place if a breach is suspected.
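The configuration review above (and the administrator-access point in the previous list) can be made repeatable by auditing the exported running-config rather than eyeballing it. The script below is an added example written for this page, not Cisco's or any vendor's tool. The config excerpt is constructed; it uses the ASA `username ... privilege`, `ssh`/`http`/`telnet <ip> <mask> <interface>` and `logging enable` command forms, and the set of interfaces treated as untrusted (`outside`) is an assumption you would adjust for your topology.

```python
"""Audit an exported Cisco ASA running-config for management-plane exposure,
the number of privilege-15 accounts, and whether logging is enabled.
Added example; the config excerpt is constructed, not from a real device."""
import re

# Constructed running-config excerpt (not a real device). Passwords redacted.
SAMPLE_CONFIG = """\
hostname fw-edge-1
username admin password <redacted> privilege 15
username backup-admin password <redacted> privilege 15
username noc-readonly password <redacted> privilege 3
http server enable
http 0.0.0.0 0.0.0.0 outside
ssh 10.10.0.0 255.255.255.0 management
ssh 0.0.0.0 0.0.0.0 outside
telnet 10.10.0.0 255.255.255.0 management
no logging enable
logging host management 10.10.0.50
"""

# "<proto> <source-ip> <mask> <interface>" lines that open management access.
MGMT_RE = re.compile(r"^(?P<proto>ssh|http|telnet) (?P<ip>\S+) (?P<mask>\S+) (?P<iface>\S+)$")
USER_RE = re.compile(r"^username (?P<name>\S+) .*privilege (?P<priv>\d+)$")


def audit_config(text, untrusted_ifaces=("outside",)):
    """Return findings, privilege-15 users and logging state for one config.

    findings is a list of (code, offending_line) tuples in config order:
      mgmt-exposed     ssh/http reachable from any source or on an untrusted interface
      cleartext-mgmt   telnet enabled at all (credentials travel in the clear)
      logging-disabled an explicit 'no logging enable'
    """
    findings = []
    priv15 = []
    logging_enabled = False  # ASA logs nothing until 'logging enable' is set
    for raw in text.splitlines():
        line = raw.strip()
        u = USER_RE.match(line)
        if u and int(u["priv"]) == 15:
            priv15.append(u["name"])
            continue
        if line == "logging enable":
            logging_enabled = True
            continue
        if line == "no logging enable":
            logging_enabled = False
            findings.append(("logging-disabled", line))
            continue
        m = MGMT_RE.match(line)
        if not m:
            continue
        if m["proto"] == "telnet":
            findings.append(("cleartext-mgmt", line))
        elif m["ip"] == "0.0.0.0" or m["iface"] in untrusted_ifaces:
            findings.append(("mgmt-exposed", line))
    return {
        "findings": findings,
        "privilege_15_users": priv15,
        "logging_enabled": logging_enabled,
    }


if __name__ == "__main__":
    report = audit_config(SAMPLE_CONFIG)
    for code, line in report["findings"]:
        print(f"[{code}] {line}")
    print("privilege-15 users:", report["privilege_15_users"])
    print("logging enabled:", report["logging_enabled"])
```

On the constructed excerpt the audit reports SSH and HTTPS management open to any source on the outside interface, telnet enabled on the management interface, logging switched off, and two full-privilege accounts. Each of those is a review item rather than an automatic verdict (a single /32 permitted from outside may be deliberate), but running this over every device's exported config gives a consistent starting list for the "minimum number of accounts" and "configured securely" recommendations.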

This attack highlights the importance of maintaining up-to-date security. It’s also a reminder that firewalls, while essential, should not be seen as impenetrable. Regular patching, monitoring, and a strong incident response plan are crucial for a robust cyber security strategy.
