Hackers with ties to a nation-state have been carrying out a targeted and sophisticated attack campaign against Cisco firewalls. These attacks, which have been ongoing for the past five months, have exploited two zero-day vulnerabilities in Cisco’s Adaptive Security Appliances firewalls. The hackers have been successful in breaking into government networks around the world, highlighting the serious security risks that organizations face.
This campaign is part of a broader trend of network compromises that target firewalls, VPNs, and other network-perimeter devices. These devices are appealing targets for hackers because they provide direct access to a network’s most sensitive resources and handle all incoming communications. Over the past 18 months, there have been multiple attacks on security appliances from various vendors, including Ivanti, Atlassian, Citrix, and Progress. These attacks have been primarily attributed to threat actors backed by the Chinese government.
Cisco’s ASA products are the latest to be targeted in these attacks. Since November, an unknown actor, identified as UAT4356 by Cisco and STORM-1849 by Microsoft, has been exploiting two zero-day vulnerabilities in these firewalls. These vulnerabilities allow the hackers to install two previously unseen malware strains. The attacks also exhibit several distinct characteristics, such as an advanced exploit chain that targets multiple vulnerabilities, the use of mature backdoors, and meticulous efforts to cover their tracks.
Based on the targeted nature of the attacks, the specific focus on government networks, and the level of sophistication involved, researchers at Cisco’s Talos security team have assessed that these attacks are the work of a state-sponsored actor with espionage objectives. The researchers also believe that other devices besides the ASA may be targeted as part of this campaign. They highlight the fact that it is still unknown how UAT4356 gained initial access, suggesting that other unknown vulnerabilities in network wares from Microsoft and other vendors may have been exploited.
To mitigate the risks posed by this ongoing campaign, Cisco has released security updates to patch the vulnerabilities in their ASA products. They are urging all ASA users to promptly install these updates. However, the researchers emphasize that security measures should not be limited to a specific vendor or product. They recommend that organizations ensure that all network devices are properly patched, configured with strong multi-factor authentication, and have logging enabled to a centralized and secure location.
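The logging recommendation above is only useful if someone watches the collector for the moment a perimeter device goes quiet or has its logging reconfigured, which is exactly the kind of track-covering the article attributes to this actor. The script below is an added example, not code from the article, Cisco or Talos: it parses constructed ASA-style syslog lines (the `%ASA-<sev>-<id>:` message prefix is real; the hostnames, addresses, timestamps and the 15-minute silence threshold are assumptions chosen for the example) and reports, per device, any silence longer than the threshold plus any command-execution message that touched the `logging` configuration.

```python
"""Spot silence gaps and logging changes in centralized syslog from perimeter devices.

Added example (not from the article). Assumes ASA-style lines with a
timestamp prefix and a device hostname, e.g.
  "Apr 24 2024 10:00:05 fw-edge-1 : %ASA-6-302013: Built inbound TCP ..."
All sample lines below are constructed.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: fw-edge-1 logs steadily, then someone disables logging
# and the device is silent for ~40 minutes; fw-edge-2 keeps logging every 12 min.
SAMPLE_LOG = """\
Apr 24 2024 10:00:05 fw-edge-1 : %ASA-6-302013: Built inbound TCP connection 1001 for outside:203.0.113.7/51000 (203.0.113.7/51000) to inside:10.0.0.5/443 (10.0.0.5/443)
Apr 24 2024 10:00:09 fw-edge-2 : %ASA-6-302013: Built inbound TCP connection 2001 for outside:198.51.100.4/40000 (198.51.100.4/40000) to inside:10.0.1.5/443 (10.0.1.5/443)
Apr 24 2024 10:05:10 fw-edge-1 : %ASA-6-302014: Teardown TCP connection 1001 for outside:203.0.113.7/51000 to inside:10.0.0.5/443 duration 0:05:05 bytes 8123 TCP FINs
Apr 24 2024 10:10:30 fw-edge-1 : %ASA-5-111008: User 'enable_15' executed the 'no logging enable' command.
this line is not syslog and is skipped by the parser
Apr 24 2024 10:12:00 fw-edge-2 : %ASA-6-302014: Teardown TCP connection 2001 for outside:198.51.100.4/40000 to inside:10.0.1.5/443 duration 0:11:51 bytes 4410 TCP FINs
Apr 24 2024 10:24:00 fw-edge-2 : %ASA-6-302013: Built inbound TCP connection 2002 for outside:198.51.100.4/40001 (198.51.100.4/40001) to inside:10.0.1.5/443 (10.0.1.5/443)
Apr 24 2024 10:36:00 fw-edge-2 : %ASA-6-302014: Teardown TCP connection 2002 for outside:198.51.100.4/40001 to inside:10.0.1.5/443 duration 0:12:00 bytes 9900 TCP FINs
Apr 24 2024 10:48:00 fw-edge-2 : %ASA-6-302013: Built inbound TCP connection 2003 for outside:198.51.100.4/40002 (198.51.100.4/40002) to inside:10.0.1.5/443 (10.0.1.5/443)
Apr 24 2024 10:50:12 fw-edge-1 : %ASA-6-302013: Built inbound TCP connection 1002 for outside:203.0.113.7/51001 (203.0.113.7/51001) to inside:10.0.0.5/443 (10.0.0.5/443)
Apr 24 2024 10:55:00 fw-edge-1 : %ASA-6-302014: Teardown TCP connection 1002 for outside:203.0.113.7/51001 to inside:10.0.0.5/443 duration 0:04:48 bytes 7001 TCP FINs
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) : %ASA-(?P<sev>\d)-(?P<msgid>\d+): (?P<msg>.*)$"
)

# Message IDs the ASA emits when an administrator executes a configuration
# command (assumption for this example: 111008 and 111010 are the ones to watch).
COMMAND_EXEC_IDS = {"111008", "111010"}


def parse_line(line):
    """Return (timestamp, host, message_id, message) or None for non-matching lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S")
    return ts, m.group("host"), m.group("msgid"), m.group("msg")


def find_gaps(lines, max_gap=timedelta(minutes=15)):
    """Per device, report silences longer than max_gap as (host, start, end, seconds)."""
    last_seen = {}
    gaps = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # collector noise or a different format: ignore, do not crash
        ts, host, _, _ = parsed
        prev = last_seen.get(host)
        if prev is not None and ts - prev > max_gap:
            gaps.append((host, prev, ts, int((ts - prev).total_seconds())))
        last_seen[host] = ts
    return gaps


def find_logging_changes(lines):
    """Report command-execution messages whose command text mentions 'logging'."""
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, msgid, msg = parsed
        if msgid in COMMAND_EXEC_IDS and "logging" in msg:
            hits.append((host, ts, msg))
    return hits


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for host, start, end, secs in find_gaps(lines):
        print(f"GAP  {host}: silent {secs}s from {start} to {end}")
    for host, ts, msg in find_logging_changes(lines):
        print(f"CFG  {host} at {ts}: {msg}")
```

Run against the constructed sample it reports one gap on fw-edge-1 (10:10:30 to 10:50:12, 2382 seconds) immediately preceded by the `no logging enable` command, while fw-edge-2 stays under the threshold. In practice the threshold should be set per device from its normal message rate, and the same collector should alert when a device's log stream stops entirely, since a silent firewall and a firewall whose logging was just turned off look the same from the network.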
The UAT4356 threat group began its campaign as early as July when it started developing and testing the exploits. By November, the group had set up dedicated server infrastructure for the attacks, which were launched in January. The timeline indicates the level of planning and preparation that went into this operation.
One of the zero-day vulnerabilities exploited by UAT4356 is tracked as CVE-2024-20359. This vulnerability is found in a retired capability of the ASA that allows for the preloading of VPN clients and plug-ins. It results from improper validation of files read from the flash memory of a vulnerable device and enables remote code execution with root system privileges. UAT4356 is using this vulnerability to install the backdoors known as Line Dancer and Line Runner. In some cases, the group is also leveraging CVE-2024-20353, another ASA vulnerability with a high severity rating, to install these backdoors.
In conclusion, the ongoing campaign exploiting zero-day vulnerabilities in Cisco firewalls is a significant threat to government networks and organizations across the world. The level of sophistication and the use of previously unseen malware strains indicate the involvement of a state-sponsored actor. It is crucial for organizations to take immediate action by patching their ASA devices and implementing strong security measures across their network infrastructure. Additionally, continuous monitoring and timely response to emerging threats are essential to ensure the security and integrity of critical systems and data.