H-ISAC TLP White Threat: Vulnerabilities Observed in Exploit Campaign Affecting Cisco ASA and FTD Software

On April 24, 2024, Cisco released security advisories regarding the abuse of vulnerabilities (CVE-2024-20353 and CVE-2024-20359) identified in campaigns targeting Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. The malicious activity, dubbed ArcaneDoor, is an operation enacted by state-sponsored threat actors targeting perimeter network devices from multiple vendors. The threat actors intentions behind the operation are likely to pivot into organizations, reroute or modify traffic, and monitor network communications after exploiting affected perimeter network devices.

CVE-2024-20353 is a vulnerability affecting the management and VPN web servers for Cisco Adaptive Security Appliance software and Cisco Firepower Threat Defense software allowing an unauthenticated, remote attacker to negatively impact the uptime of the device by causing unexpected reloads, resulting in a denial of service (DoS) condition.

CVE-2024-20359 is a vulnerability impacting a legacy capability that preloads VPN clients and plug-ins for Cisco Adaptive Security Appliance software and Cisco Firepower Threat Defense software allowing an authenticated, local attacker to execute arbitrary code with escalated privileges. Administrator-level privileges are required to exploit this vulnerability.

According to investigations that took place earlier this year, invoked by a series of events, the activity in question was attributed to a threat actor now identified as UAT4356 and STORM1849 by Cisco Talos and the Microsoft Threat Intelligence Center, respectively. The  threat actor demonstrated a clear focus on espionage and an in-depth knowledge of the devices that they targeted. 

Further analysis of the threat group’s operations revealed the deployment of two backdoors identified as Line Runner and Line Dancer which were used collectively to conduct targeted actions, including configuration modification, reconnaissance, network traffic capture/exfiltration and potentially lateral movement.

Although the initial attack vectors have yet to be determined, Cisco uncovered a sophisticated attack chain that was used to implant custom malware and execute commands across a small set of users. 

Users are strongly advised to follow guidance provided in the full report available here.

View the detailed bulletin below. 

For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:

John Riggi

National Advisor for Cybersecurity and Risk, AHA

jriggi@aha.org

(O) +1 202 626 2272

More on John Riggi
Learn more about AHA's Cybersecurity and Risk Advisory Services

Key Resources

Related Resources

Letter/Comment
AHA Letter to Senate Finance Committee for May 1 Hearing on Change Healthcare Cyberattack
Letter/Comment
AHA Letter to House E&C Subcommittee for May 1 Hearing on Change Healthcare Cyberattack
Advisory
Homeland Security Proposes New Cyber Incident Reporting Requirements
Member
Special Bulletin
UnitedHealth Group Provides Update on Data Impacted By Cyberattack
Member
Testimony
AHA House Statement on “Fiscal Year 2025 Department of Health and Human Services Budget”
Public
Testimony
AHA Testimony for Energy and Commerce Subcommittee Hearing on Cybersecurity