Arctic Wolf Security Bulletin

CVE-2024-20353 and CVE-2024-20359: Cisco ASA and FTD Vulnerabilities Exploited by State-Sponsored Threat Actor in Espionage Campaign “ArcaneDoor”

Cisco has disclosed CVE-2024-20353 and CVE-2024-20359, affecting Adaptive Security Appliance and Firepower Threat Defense devices, which were actively exploited in the documented campaign. Find Arctic Wolf’s recommendations.

On April 24, 2024, Cisco Talos and several government security agencies published details on a sophisticated threat campaign focused on espionage and gaining unauthorized access to sensitive information from targeted government entities and organizations in critical infrastructure. As part of that publication, Cisco disclosed CVE-2024-20353 and CVE-2024-20359, affecting Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) devices, which were actively exploited in the documented campaign. 

While the initial access vector has not yet been identified in this campaign, Cisco is continuing to investigate the possibility of an unauthenticated Remote Code Execution (RCE) vulnerability. Arctic Wolf Labs is monitoring for further developments related to this threat activity. 

Vulnerabilities 

According to Cisco, the following vulnerabilities were abused by the threat actor to establish persistence on targeted devices: 

  • CVE-2024-20353: Denial-of-Service (DoS) – Allows an unauthenticated, remote attacker to cause a device to reload unexpectedly, leading to a DoS condition.
  • CVE-2024-20359: Persistent Local Code Execution – Allows an authenticated, local attacker to execute arbitrary code with root-level privileges, provided they have administrator-level privileges.

At this stage in their investigation, Cisco has not yet identified an unauthenticated vulnerability allowing for RCE. Arctic Wolf has not identified proof of concept (PoC) exploits for these vulnerabilities at this time. 

Malware 

The campaign documented by Cisco involved the deployment of several malware implants to conduct malicious activities, including configuration modification, network traffic capture, and lateral movement. 

  • Line Dancer: A memory-resident shellcode loader that enables the execution of arbitrary payloads on compromised devices. Capabilities include the ability to disable logging, exfiltrate sensitive data, execute CLI commands, manipulate crash dump processes to evade forensic analysis, and establish remote access VPN tunnels bypassing authentication mechanisms. 
  • Line Runner: A persistent backdoor installed on compromised devices. Line Runner complements Line Dancer by establishing a persistent HTTP-based Lua backdoor, allowing threat actors to retrieve information staged through Line Dancer. 
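Because Line Dancer can disable logging on the appliance, one low-cost defensive check is to watch the syslog feed each ASA/FTD device forwards to the SIEM for two signals: a device that goes quiet for longer than it normally would, and an administrative command that changes the logging configuration. The script below is an added example written for this bulletin, not code from Arctic Wolf or Cisco. Its sample log lines are constructed, the 15-minute silence threshold is an assumption to tune per device, and %ASA-5-111008 is the standard syslog message reporting a command executed by a user.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ASA syslog lines (not real telemetry). Timestamps follow the
# "Mon DD YYYY HH:MM:SS" form the appliance emits with "logging timestamp".
SAMPLE_SYSLOG = """\
Apr 24 2024 10:00:05 asa-edge-1 : %ASA-6-302013: Built outbound TCP connection 100 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:10.0.0.5/51000 (198.51.100.2/51000)
Apr 24 2024 10:00:35 asa-edge-1 : %ASA-6-302014: Teardown TCP connection 100 for outside:203.0.113.10/443 to inside:10.0.0.5/51000 duration 0:00:30 bytes 1200 TCP FINs
Apr 24 2024 10:01:02 asa-edge-1 : %ASA-5-111008: User 'admin' executed the 'no logging enable' command.
Apr 24 2024 10:46:10 asa-edge-1 : %ASA-6-302013: Built outbound TCP connection 101 for outside:203.0.113.20/443 (203.0.113.20/443) to inside:10.0.0.7/51010 (198.51.100.2/51010)
Apr 24 2024 10:00:07 asa-edge-2 : %ASA-6-302013: Built outbound TCP connection 200 for outside:203.0.113.30/443 (203.0.113.30/443) to inside:10.0.1.5/52000 (198.51.100.3/52000)
Apr 24 2024 10:10:07 asa-edge-2 : %ASA-6-302013: Built outbound TCP connection 201 for outside:203.0.113.31/443 (203.0.113.31/443) to inside:10.0.1.6/52001 (198.51.100.3/52001)
Apr 24 2024 10:20:07 asa-edge-2 : %ASA-6-302013: Built outbound TCP connection 202 for outside:203.0.113.32/443 (203.0.113.32/443) to inside:10.0.1.7/52002 (198.51.100.3/52002)
"""

# Constructed "current time" used to decide whether a device is still silent.
SAMPLE_NOW = datetime(2024, 4, 24, 10, 50, 0)

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (?P<device>\S+) : "
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d+): (?P<text>.*)$"
)
# %ASA-5-111008 text: "User 'name' executed the 'command' command."
CMD_RE = re.compile(r"User '(?P<user>[^']+)' executed the '(?P<cmd>[^']+)' command")


def parse_syslog(text):
    """Parse ASA syslog lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
            "device": m["device"],
            "msgid": m["msgid"],
            "text": m["text"],
        })
    return events


def find_silence_gaps(events, max_gap=timedelta(minutes=15), now=None):
    """Per device, report any interval between consecutive messages longer than
    max_gap. If `now` is given, a device whose last message is older than
    max_gap is reported as an ongoing gap (logging may have been switched off)."""
    by_device = defaultdict(list)
    for e in events:
        by_device[e["device"]].append(e["ts"])
    gaps = []
    for device, stamps in by_device.items():
        stamps.sort()  # lines from several devices may arrive interleaved
        for prev, cur in zip(stamps, stamps[1:]):
            if cur - prev > max_gap:
                gaps.append({"device": device, "start": prev, "end": cur,
                             "seconds": int((cur - prev).total_seconds()),
                             "ongoing": False})
        if now is not None and now - stamps[-1] > max_gap:
            gaps.append({"device": device, "start": stamps[-1], "end": None,
                         "seconds": int((now - stamps[-1]).total_seconds()),
                         "ongoing": True})
    return gaps


def find_logging_config_commands(events):
    """Return 111008 events whose executed command touches 'logging'."""
    hits = []
    for e in events:
        if e["msgid"] != "111008":
            continue
        m = CMD_RE.search(e["text"])
        if m and "logging" in m["cmd"].split():
            hits.append({"device": e["device"], "user": m["user"], "command": m["cmd"]})
    return hits


def analyze_syslog(text, max_gap=timedelta(minutes=15), now=None):
    events = parse_syslog(text)
    return {"gaps": find_silence_gaps(events, max_gap, now),
            "logging_commands": find_logging_config_commands(events)}


if __name__ == "__main__":
    result = analyze_syslog(SAMPLE_SYSLOG, now=SAMPLE_NOW)
    for g in result["gaps"]:
        print("SILENCE", g["device"], g["seconds"], "s", "(ongoing)" if g["ongoing"] else "")
    for h in result["logging_commands"]:
        print("LOGGING CONFIG CHANGE", h["device"], h["user"], repr(h["command"]))
```

On the constructed sample this flags asa-edge-1 for a 45-minute silence that begins right after an administrator ran `no logging enable`, and asa-edge-2 as silent since its last message relative to the reference time. In production the threshold should be derived from each device's observed message rate, and a silence alert on a perimeter firewall is worth treating as an integrity event rather than a connectivity nuisance.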

Recommendations for CVE-2024-20353 and CVE-2024-20359

Use the Cisco Software Checker to Identify the Correct Version for Your Cisco ASA/FTD Upgrade Path

Cisco provides a tool, the Cisco Software Checker, to help customers determine their exposure to vulnerabilities in Cisco ASA, FMC, and FTD Software. Given a particular software release, the tool lists the Cisco security advisories that affect it and identifies the first release that fixes the vulnerabilities in each advisory. It also reports the earliest release that resolves all vulnerabilities across multiple advisories at once.

Arctic Wolf recommends upgrading to the fixed versions of Cisco ASA and FTD Software as provided by Cisco to address these vulnerabilities and mitigate the persistence of the documented webshell implants. 
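To make the Software Checker's logic concrete (the running release is compared, train by train, against each advisory's first fixed release, and the upgrade target is the earliest release that clears all of them), here is a small Python version of that comparison as an added example; it is not Arctic Wolf's or Cisco's code. The version data in it is a labelled placeholder invented for the example: the real first-fixed releases for CVE-2024-20353 and CVE-2024-20359 must be taken from Cisco's advisories or the Software Checker itself. The `major.minor(maintenance)interim` string format is how ASA releases appear in `show version` output.

```python
import re

# PLACEHOLDER data invented for this example. These are NOT Cisco's real
# first-fixed releases for CVE-2024-20353 / CVE-2024-20359; take those from the
# Cisco advisories or the Software Checker. Shape: advisory id -> {train: first
# fixed release in that train}. A train missing from an advisory has no fix there.
PLACEHOLDER_FIRST_FIXED = {
    "ADVISORY-1": {"9.16": "9.16(4)99", "9.18": "9.18(4)99", "9.20": "9.20(2)99"},
    "ADVISORY-2": {"9.16": "9.16(4)88", "9.18": "9.18(3)99", "9.20": "9.20(1)99"},
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)(\d*)$")


def parse_asa_version(version):
    """Turn '9.16(4)57' into (9, 16, 4, 57); a missing interim number counts as 0."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised ASA version string: {version!r}")
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))


def train_of(version):
    """Release train is the major.minor prefix, e.g. '9.16' for '9.16(4)57'."""
    major, minor, _, _ = parse_asa_version(version)
    return f"{major}.{minor}"


def earliest_fix_for_all(train, first_fixed):
    """Earliest release in `train` that fixes every advisory, or None if some
    advisory has no fixed release in that train (a train migration is needed)."""
    candidates = []
    for per_train in first_fixed.values():
        if train not in per_train:
            return None
        candidates.append(per_train[train])
    # The release that satisfies all advisories is the highest of the per-advisory fixes.
    return max(candidates, key=parse_asa_version)


def assess(running, first_fixed=PLACEHOLDER_FIRST_FIXED):
    """Report which advisories still apply to `running` and what to upgrade to."""
    train = train_of(running)
    current = parse_asa_version(running)
    affected = [
        adv for adv, per_train in first_fixed.items()
        if train not in per_train or current < parse_asa_version(per_train[train])
    ]
    target = earliest_fix_for_all(train, first_fixed) if affected else None
    return {
        "train": train,
        "affected_by": affected,
        "upgrade_to": target,  # fixed release within the same train, if one exists
        "migrate_train": bool(affected) and target is None,
    }


if __name__ == "__main__":
    for v in ("9.16(4)50", "9.16(4)90", "9.16(4)99", "9.14(2)"):
        print(v, "->", assess(v))
```

The `migrate_train` flag covers the case the text hints at: a device on a train that has no fixed release for one of the advisories cannot be patched in place and has to move to a supported train, which is exactly the situation the Software Checker's "earliest release resolving all advisories" output is meant to surface.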

Please follow your organization’s patching and testing guidelines to avoid any operational impact. 

Review Security Best Practices for Cisco ASA/FTD Devices

The Communications Security Establishment of Canada provides general hardening guidance for Cisco ASA/FTD devices, including: 

  • Restrict internal unencrypted traffic through gateway devices, including unencrypted SMB traffic. SMBv3 should be used at a minimum. 
  • Limit privileges on AD accounts used on edge devices such as firewalls. 
  • Limit use of SSL/TLS for VPN connectivity and consider using IPSec instead. 
  • Implement geofencing where possible to limit attack surface. 

For more details on hardening recommendations, see the advisory provided by CSE. 

