Technology giant Cisco on Wednesday warned that professional, nation state-backed hacking teams are exploiting at least two zero-day vulnerabilities in its ASA firewall platforms to plant malware on telecommunications and energy sector networks.
According to an advisory from Cisco Talos, the attackers are taking aim at software defects in certain devices running Cisco Adaptive Security Appliance (ASA) or Cisco Firepower Threat Defense (FTD) products to implant malware, execute commands, and potentially exfiltrate data from compromised devices.
The campaign, tagged as ArcaneDoor, uses exploits for two documented software bugs (CVE-2024-20353 and CVE-2024-20359) in the Cisco products but the company’s malware hunters still aren’t sure how the attackers broke in.
“We have not determined the initial access vector used in this campaign. We have not identified evidence of pre-authentication exploitation to date,” Cisco Talos said.
“ArcaneDoor is a campaign that is the latest example of state-sponsored actors targeting perimeter network devices from multiple vendors. Coveted by these actors, perimeter network devices are the perfect intrusion point for espionage-focused campaigns,” Cisco explained, noting that gaining a foothold on these devices allows an actor to directly pivot into an organization, reroute or modify traffic and monitor network communications.
Cisco said an unnamed customer notified its PSIRT team in early 2024 about “security concerns” in ASA firewall products, kickstarting an investigation that led to the discovery of the threat actor (tracked as UAT4356 by Talos and STORM-1849 by the Microsoft Threat Intelligence Center).
“This actor utilized bespoke tooling that demonstrated a clear focus on espionage and an in-depth knowledge of the devices that they targeted, hallmarks of a sophisticated state-sponsored actor,” the company said.
Cisco said it observed the hacking team deploying two backdoors that are collectively used to conduct malicious actions on-target, which included configuration modification, reconnaissance, network traffic capture/exfiltration and potentially lateral movement.
“Working with victims and intelligence partners, Cisco uncovered a sophisticated attack chain that was used to implant custom malware and execute commands across a small set of customers,” the company warned.
Cisco’s researchers say network telemetry and information from intelligence partners indicate the hackers are interested in poking at network devices from Microsoft and other vendors.
“Regardless of your network equipment provider, now is the time to ensure that the devices are properly patched, logging to a central, secure location, and configured to have strong, multi-factor authentication (MFA),” Cisco said.
Related: MITRE Hacked by State-Sponsored Group via Ivanti Zero-Days
Related: Thousands of Palo Alto Firewalls Impacted by Exploited Vulnerability
Related: Russian Cyberspies Deliver ‘GooseEgg’ Malware to Government Organizations
Related: Gov-Backed Hackers Exploit Zero-Day to Backdoor Palo Alto Firewalls
