Sunday, November 10, 2024
HomeCiscoHackers Exploit Cisco Firewall Zero-Days to Hack Government Networks

Hackers Exploit Cisco Firewall Zero-Days to Hack Government Networks

Published on

Malware protection

Security researchers at Cisco Talos have uncovered a sophisticated cyber espionage campaign dubbed “ArcaneDoor” conducted by a state-sponsored threat actor tracked as UAT4356 (STORM-1849).

This campaign targeted government networks globally by exploiting multiple zero-day vulnerabilities in Cisco’s Adaptive Security Appliance (ASA) firewalls.

The attack chain leveraged two custom malware implants – “Line Dancer” and “Line Runner” – to gain persistent access and remote control over compromised ASA devices.

- Advertisement - SIEM as a Service

Line Dancer was an in-memory shellcode interpreter that enabled executing arbitrary payloads, while Line Runner provided a persistent backdoor by abusing a legacy VPN client pre-loading functionality.

“Cisco uncovered a sophisticated attack chain that was used to implant custom malware and execute commands across a small set of customers. While Cisco researchers have been unable to identify the initial attack vector, we have identified two vulnerabilities (CVE-2024-20353 and CVE-2024-20359) that were abused in this campaign.”

Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide

Initial Compromise and Line Dancer Implant

The initial attack vector used to compromise ASA firewalls remains unknown. However, once access was obtained, the hackers deployed the Line Dancer implant – a memory-resident shellcode interpreter.

This allowed them to upload and execute malicious payloads via the host-scan-reply field of the SSL VPN session establishment process.

Line Dancer provided the capability to disable logging, capture device configurations, sniff network traffic, execute CLI commands, and even bypass authentication mechanisms.

It hooked critical functions like crash dumps to hinder forensic analysis and rebooted devices to remove itself from memory.

Persistent Line Runner Backdoor

To maintain access, the hackers exploited two zero-day vulnerabilities (CVE-2024-20353 and CVE-2024-20359) to install the Line Runner persistent backdoor.

This leveraged a legacy feature that allowed pre-loading VPN client bundles on ASAs.

Line Runner consisted of Lua scripts that created a hidden directory, planted a web content file acting as a backdoor, and modified system scripts to copy a malicious ZIP file for execution on every boot.

The threat actor’s ZIP file has the following files: 

This gave the attackers a persistent HTTP-based backdoor that survived software upgrades and reboots.

Document
Integrate ANY.RUN in your company for Effective Malware Analysis

Are you from SOC and DFIR teams? – Join With 400,000 independent Researchers

Malware analysis can be fast and simple. Just let us show you the way to:

  • Interact with malware safely
  • Set up virtual machine in Linux and all Windows OS versions
  • Work in a team
  • Get detailed reports with maximum data
  • If you want to test all these features now with completely free access to the sandbox: ..


Anti-Forensics and Attribution

The ArcaneDoor campaign demonstrated advanced anti-forensics capabilities, modifying core dump functions, disabling logging, and hooking authentication processes to hide their activities.

These operational security measures, combined with developing bespoke malware implants and chaining of zero-days, strongly suggest a state-sponsored threat actor.

While Cisco has released patches for the exploited vulnerabilities, organizations should urgently update their ASA firewalls and follow the recommended incident response procedures to detect and remediate potential compromises from this campaign.

Perimeter network devices like firewalls are lucrative targets for espionage actors because they provide a direct intrusion point into sensitive networks.

The ArcaneDoor campaign underscores the importance of prompt patching, secure configurations, and proactive monitoring of such critical infrastructure components.

Combat Email Threats with Free Phishing Simulations: Email Security Awareness Training ->Try Free Demo 

Indicators of Compromise

Likely Actor-Controlled Infrastructure: 

192.36.57[.]181 
185.167.60[.]85 
185.227.111[.]17 
176.31.18[.]153 
172.105.90[.]154 
185.244.210[.]120 
45.86.163[.]224 
172.105.94[.]93 
213.156.138[.]77 
89.44.198[.]189 
45.77.52[.]253 
103.114.200[.]230 
212.193.2[.]48 
51.15.145[.]37 
89.44.198[.]196 
131.196.252[.]148 
213.156.138[.]78 
121.227.168[.]69 
213.156.138[.]68 
194.4.49[.]6 
185.244.210[.]65 
216.238.75[.]155  

Multi-Tenant Infrastructure: 

5.183.95[.]95 
45.63.119[.]131 
45.76.118[.]87 
45.77.54[.]14 
45.86.163[.]244 
45.128.134[.]189    
89.44.198[.]16 
96.44.159[.]46 
103.20.222[.]218 
103.27.132[.]69 
103.51.140[.]101 
103.119.3[.]230 
103.125.218[.]198 
104.156.232[.]22 
107.148.19[.]88 
107.172.16[.]208 
107.173.140[.]111 
121.37.174[.]139 
139.162.135[.]12 
149.28.166[.]244 
152.70.83[.]47 
154.22.235[.]13 
154.22.235[.]17 
154.39.142[.]47  
172.233.245[.]241 
185.123.101[.]250 
192.210.137[.]35  
194.32.78[.]183 
205.234.232[.]196  
207.148.74[.]250 
216.155.157[.]136 
216.238.66[.]251 
216.238.71[.]49 
216.238.72[.]201 
216.238.74[.]95 
216.238.81[.]149 
216.238.85[.]220 
216.238.86[.]24  

Update: Cisco has released updates for Zero Day vulnerabilities; more details can be found here.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

CISA Warns of Critical Palo Alto Networks Vulnerability Exploited in Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warns organizations of a critical vulnerability...

Cisco Desk Phone Series Vulnerability Lets Remote Attacker Access Sensitive Information

A significant vulnerability (CVE-2024-20445) has been discovered in Cisco Desk Phone 9800 Series, IP...

Cisco Flaw Let Attackers Run Command as Root User

A critical vulnerability has been discovered in Cisco Unified Industrial Wireless Software, which affects...

Researchers Detailed Credential Abuse Cycle

The United States Department of Justice has unsealed an indictment against Anonymous Sudan, a...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Cisco Flaw Let Attackers Run Command as Root User

A critical vulnerability has been discovered in Cisco Unified Industrial Wireless Software, which affects...

CRON#TRAP Campaign Attacks Windows Machine With Weaponized Linux Virtual Machine

Weaponized Linux virtual machines are used for offensive cybersecurity purposes, such as "penetration testing"...

APT36 Hackers Attacking Windows Deevices With ElizaRAT

APT36, a sophisticated threat actor, has been actively targeting Indian entities with advanced malware...