In a joint advisory released by cybersecurity agencies across Canada, Australia, and the United Kingdom, IT professionals and managers in government and critical sectors are alerted to sophisticated cyber-attacks targeting CISCO ASA VPN devices.

Background on the Cyber Threat

The Canadian Centre for Cyber Security and its international counterparts have been monitoring a series of cyber-attacks since early 2024.

These incidents have primarily affected CISCO ASA devices, specifically the ASA55xx series running firmware versions 9.12 and 9.14.

The attacks believed to be espionage efforts by a state-sponsored actor, have not shown signs of prepositioning for a disruptive or destructive network attack.

Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide

However, the level of sophistication observed is a cause for concern.

CVE Details and Impact

CVE-2024-20359

The first vulnerability identified is CVE-2024-20359, allowing persistent local code execution.

This flaw enables attackers to maintain a presence on the affected device even after it has been rebooted.

CVE-2024-20353

The second vulnerability, CVE-2024-20353, can lead to a denial of service within the Cisco Adaptive Security Appliance and Firepower Threat Defense Software’s web services.

This vulnerability could be exploited to disrupt operations and deny access to network resources.

Malicious actors have exploited both vulnerabilities to gain unauthorized access through WebVPN sessions, often associated with Clientless SSLVPN services.

The agencies have not disclosed any specific hacker groups involved, but the capabilities point to a well-resourced and sophisticated actor.

Exploiting these vulnerabilities poses a significant risk to organizations that rely on the affected CISCO ASA VPN devices.

Unauthorized access to these devices can lead to data breaches, espionage, and potentially a foothold for future attacks against critical infrastructure.

Mitigation Strategies

In response to these threats, the advisory encourages organizations to:

• Review logs for unknown, unexpected, or unauthorized device access or changes.
• Update affected devices to the latest firmware versions as soon as possible.
• Visit the Cisco Security Advisories portal and the Cisco Talos Blog for additional information and guidance on mitigation.
• Implement network segmentation and access control lists to limit the traffic allowed to and from the affected devices.
• Employ multi-factor authentication to access VPNs and reduce the risk of unauthorized access.

The alert serves as a reminder of the ever-present cyber threats facing organizations and the importance of maintaining robust cybersecurity practices.

As the situation develops, further updates and recommendations are expected to be issued by the involved cybersecurity agencies.

Update: Cisco has released updates for Zero Day vulnerabilities; more details can be found here.

Combat Email Threats with Easy-to-Launch Phishing Simulations: Email Security Awareness Training -> Try Free Demo