Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Nation-State

Cisco Raises Alarm for ‘ArcaneDoor’ Zero-Days Hitting ASA Firewall Platforms

Cisco warns that nation state-backed hackers are exploiting at least two zero-day vulnerabilities in its ASA firewall platforms to plant malware on telecommunications and energy sector networks.

Cisco zero-day CVE-2023-20109 exploited

Technology giant Cisco on Wednesday warned that professional, nation state-backed hacking teams are exploiting at least two zero-day vulnerabilities in its ASA firewall platforms to plant malware on telecommunications and energy sector networks.

According to an advisory from Cisco Talos, the attackers are taking aim at software defects in certain devices running Cisco Adaptive Security Appliance (ASA) or Cisco Firepower Threat Defense (FTD) products to implant malware, execute commands, and potentially exfiltrate data from compromised devices.

The campaign, tagged as ArcaneDoor, uses exploits for two documented software bugs (CVE-2024-20353 and CVE-2024-20359) in the Cisco products but the company’s malware hunters still aren’t sure how the attackers broke in.

“We have not determined the initial access vector used in this campaign. We have not identified evidence of pre-authentication exploitation to date,” Cisco Talos said.

“ArcaneDoor is a campaign that is the latest example of state-sponsored actors targeting perimeter network devices from multiple vendors. Coveted by these actors, perimeter network devices are the perfect intrusion point for espionage-focused campaigns,” Cisco explained, noting that gaining a foothold on these devices allows an actor to directly pivot into an organization, reroute or modify traffic and monitor network communications. 

Cisco said an unnamed customer notified its PSIRT team in early 2024 about “security concerns” in ASA firewall products, kickstarting an investigation that led to the discovery of the threat actor (tracked as UAT4356 by Talos and STORM-1849 by the Microsoft Threat Intelligence Center). 

“This actor utilized bespoke tooling that demonstrated a clear focus on espionage and an in-depth knowledge of the devices that they targeted, hallmarks of a sophisticated state-sponsored actor,” the company said.

Cisco said it observed the hacking team deploying two backdoors that are collectively used to conduct malicious actions on-target, which included configuration modification, reconnaissance, network traffic capture/exfiltration and potentially lateral movement.  

Advertisement. Scroll to continue reading.

“Working with victims and intelligence partners, Cisco uncovered a sophisticated attack chain that was used to implant custom malware and execute commands across a small set of customers,” the company warned.

Cisco’s researchers say network telemetry and information from intelligence partners indicate the hackers are interested in poking at network devices from Microsoft and other vendors. 

“Regardless of your network equipment provider, now is the time to ensure that the devices are properly patched, logging to a central, secure location, and configured to have strong, multi-factor authentication (MFA),” Cisco said.

Related: MITRE Hacked by State-Sponsored Group via Ivanti Zero-Days

Related: Thousands of Palo Alto Firewalls Impacted by Exploited Vulnerability 

Related: Russian Cyberspies Deliver ‘GooseEgg’ Malware to Government Organizations 

Related: Gov-Backed Hackers Exploit Zero-Day to Backdoor Palo Alto Firewalls

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

The AI Risk Summit brings together security and risk management executives, AI researchers, policy makers, software developers and influential business and government stakeholders.

Register

People on the Move

Data security startup Reco adds Merritt Baer as CISO

Chris Pashley has been named CISO at Advanced Research Projects Agency for Health (ARPA-H).

Satellite cybersecurity company SpiderOak has named Kip Gering as its new Chief Revenue Officer.

More People On The Move

Expert Insights