A brace of Cisco appliance zero days has been exploited in the wild since November 2023 – the UK’s NCSC warned that it takes a “hard reboot by pulling the power plug from the Cisco ASA” to prevent malware being used in a cyber-espionage campaign from re-installing itself on systems.
CVE-2024-20353 and CVE-2024-20359 have both been exploited in the campaign – the latest this year to see network appliances like firewalls and/or VPNs used to attack the systems they are supposed to defend.
Worryingly, Cisco is still unclear how the initial intrusions took place, but both of the above two CVEs have been used in the advanced attacks.
Such appliances do not typically run endpoint detection and response (EDR) software and are black boxes that recent analysis has shown are often built on legacy operating systems and ageing code. Fortinet, Ivanti, and Palo Alto Networks appliances have also been exploited this year.
CISCO ASA zero days: Gov't networks "globally" hit
Cisco has pushed patches for the Cisco Adaptive Security Appliance (ASA) Software or Cisco Firepower Threat Defense (FTD) Software here.
Victims all “involved government networks globally” Cisco Talos said. It added that: “We have not determined the initial access vector used in this campaign. We have not identified evidence of pre-authentication exploitation to date. Our investigation is ongoing, and we will provide updates, if necessary, in the security advisories or on this blog…”
The NCSC has published detailed advisories on the two primary forms of malware it has seen in the campaign, dubbed Line Dancer and Line Runner. These are, respectively, a “shellcode loader which is the main component of a larger framework of functionality” and a “Lua webshell which is persisted using novel abuse of Cisco ASA WebVPN customisation functionality” and which the NCSC said “implements multiple defence evasion techniques to avoid detection and prevent recovery.”
Talos also has detailed analysis of the malware’s behaviour here, along with some IOCs and threat hunting guidance. It has not publicly attributed the attacks.