Cisco reported two zero-day vulnerabilities in its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls that have been exploited by a state-backed hacking group known as UAT4356 or STORM-1849. These vulnerabilities have been under attack since November 2023 as part of a cyber-espionage campaign called ArcaneDoor.
The vulnerabilities identified and patched by Cisco are CVE-2024-20353, which could cause a denial of service, and CVE-2024-20359, which allowed persistent local code execution. These security flaws enabled attackers to install malware and maintain control over the compromised ASA and FTD devices. The attacks involved sophisticated bespoke tooling aimed at espionage, showcasing the attackers' deep knowledge of the targeted systems.
Two specific types of malware were deployed through these vulnerabilities:
- Line Dancer: An in-memory shellcode loader used to execute arbitrary shellcode payloads, which enabled actions such as disabling logging, providing remote access, and capturing and exfiltrating packets.
- Line Runner: A persistent backdoor that allowed execution of arbitrary Lua code and included several defense evasion mechanisms to avoid detection.
These tools enabled the attackers to modify system configurations for espionage purposes, including capturing and exfiltrating network traffic, modifying device configurations to provide controlled access to actor-specific devices, and potentially moving laterally within the network.
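Because the tooling described above disables logging as one of its first steps, a useful defensive control is to watch the firewall's off-box syslog feed for commands that turn logging off or erase the buffer, since a device that goes quiet is itself a signal. The following is an added example, not code from the article or from Cisco: it parses constructed ASA-style syslog lines of the form `%ASA-<severity>-<message-id>: <text>` and flags executed commands that reduce or erase logging. The message IDs, user names, and the exact "User ... executed ..." wording in the sample lines are assumptions for this example, as is the list of tampering patterns; tune both to the logging configuration actually deployed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Generic ASA syslog envelope: "%ASA-<severity>-<message-id>: <text>".
ASA_SYSLOG_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<text>.*)$")

# Text of a "user executed command" message. The exact wording is an assumption
# for this example; adjust the regex to the format your collector receives.
EXEC_RE = re.compile(r"User '(?P<user>[^']+)'.*executed (?:the )?'(?P<cmd>[^']+)'")

# Commands that reduce or erase on-box logging. Assumed list for this example.
LOGGING_TAMPER_PATTERNS = [
    re.compile(r"\bno logging\b", re.IGNORECASE),            # e.g. "no logging enable"
    re.compile(r"\bclear logging\b", re.IGNORECASE),         # e.g. "clear logging buffer"
    re.compile(r"\blogging (?:buffered|trap) emergencies\b", re.IGNORECASE),  # silences all but sev 0
]

# Constructed sample log lines (not from the article or from any real device).
SAMPLE_LOGS = [
    "%ASA-5-111008: User 'netops' executed the 'show running-config' command.",
    "%ASA-5-111008: User 'netops' executed the 'no logging enable' command.",
    "%ASA-5-111008: User 'enable_15' executed the 'clear logging buffer' command.",
    "%ASA-5-111008: User 'netops' executed the 'logging trap emergencies' command.",
    "%ASA-6-302013: Built inbound TCP connection 4711 for outside:203.0.113.7/51000 "
    "(203.0.113.7/51000) to inside:10.0.0.5/443 (10.0.0.5/443)",
]


@dataclass
class Finding:
    msgid: str
    user: str
    command: str
    reason: str


def parse_executed_command(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (message-id, user, command) for a 'user executed command' line, else None."""
    env = ASA_SYSLOG_RE.search(line)
    if env is None:
        return None
    ex = EXEC_RE.search(env.group("text"))
    if ex is None:
        return None
    return env.group("msgid"), ex.group("user"), ex.group("cmd")


def find_logging_tampering(lines: List[str]) -> List[Finding]:
    """Flag executed commands that disable, silence or wipe device logging."""
    findings: List[Finding] = []
    for line in lines:
        parsed = parse_executed_command(line)
        if parsed is None:
            continue  # not a command-execution record; ignore
        msgid, user, cmd = parsed
        for pat in LOGGING_TAMPER_PATTERNS:
            if pat.search(cmd):
                findings.append(Finding(msgid, user, cmd, f"matches /{pat.pattern}/"))
                break  # one finding per line is enough
    return findings


if __name__ == "__main__":
    for f in find_logging_tampering(SAMPLE_LOGS):
        print(f"[{f.msgid}] user={f.user!r} cmd={f.command!r} ({f.reason})")
```

Run against the constructed sample, three of the five lines are flagged (the `show running-config` command and the connection-built message are not). In practice the feed should be the syslog copy held off the device, because the in-memory loader described above can stop the firewall from logging locally once it is running; a sudden drop in message volume from a given firewall is worth alerting on for the same reason.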
Following the discovery of these exploits, Cisco released security updates to mitigate the vulnerabilities and has strongly recommended that all users update their devices promptly.