Tag: cisco | SpinSafe

Flawed Cisco firewalls used to target government networks

April 26, 2024/in Computer Security

A Cisco Talos investigation has uncovered a state-affiliated cyber espionage campaign exploiting two Cisco zero days to plant malware on critical government networks.

The campaign, known as ArcaneDoor, targets perimeter network devices, using them to gain a foothold on the target network, at which point they can start distributing malware, stealing information, and spreading throughout the organization.

Cisco said perimeter network devices are the perfect intrusion point for espionage-focused threat actors, due to their position as a throughpoint for vast amounts of data coming in and out of the network.

Researchers first became aware of the campaign in January 2024, finding evidence that the group, being tracked as UAT4356 or STORM-1849, had been testing and developing exploits to target the two zero days since at least July 2023.

While Cisco was unable to identify the initial attack vector used by the group, it said it has issued two fixes for two vulnerabilities exploited in the attacks.

What Cisco products were used in the attacks?

The two zero days exploited pertain to two Cisco firewall products, its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) solutions.

The first vulnerability, CVE-2024-20353, is a denial of service flaw that affects devices running one or both of Cisco’s ASA or FTD products, caused by incomplete error checking when parsing HTTP headers.

Cisco warned attackers can use crafted HTTP requests to a web server on a device, and if successful the attacker could cause a denial of service error when it reloads.

CVE-2024-20359, is a persistent local code execution vulnerability which if correctly leveraged could allow a local attacker to execute arbitrary code with root-level privileges.

Although the attacker would need administrator-level privileges to exploit the flaw, Cisco explained that because the injected code could persist across device reboots, it raised the Security Impact Rating (SIR) of its advisory from medium to high.

Focus on surveillance and post-compromise…

Source…

State-Sponsored Hackers Exploit Two Cisco Zero-Day Vulnerabilities for Espionage

April 25, 2024/in Internet Security

Apr 25, 2024NewsroomVulnerability / Zero-Day

A new malware campaign leveraged two zero-day flaws in Cisco networking gear to deliver custom malware and facilitate covert data collection on target environments.

Cisco Talos, which dubbed the activity ArcaneDoor, attributed it as the handiwork of a previously undocumented sophisticated state-sponsored actor it tracks under the name UAT4356 (aka Storm-1849 by Microsoft).

“UAT4356 deployed two backdoors as components of this campaign, ‘Line Runner’ and ‘Line Dancer,’ which were used collectively to conduct malicious actions on-target, which included configuration modification, reconnaissance, network traffic capture/exfiltration and potentially lateral movement,” Talos said.

The intrusions, which were first detected and confirmed in early January 2024, entail the exploitation of two vulnerabilities –

CVE-2024-20353 (CVSS score: 8.6) – Cisco Adaptive Security Appliance and Firepower Threat Defense Software Web Services Denial-of-Service Vulnerability

CVE-2024-20359 (CVSS score: 6.0) – Cisco Adaptive Security Appliance and Firepower Threat Defense Software Persistent Local Code Execution Vulnerability

It’s worth noting that a zero-day exploit is the technique or attack a malicious actor deploys to leverage an unknown security vulnerability to gain access into a system.

While the second flaw allows a local attacker to execute arbitrary code with root-level privileges, administrator-level privileges are required to exploit it. Addressed alongside CVE-2024-20353 and CVE-2024-20359 is a command injection flaw in the same appliance (CVE-2024-20358, CVSS score: 6.0) that was uncovered during internal security testing.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the shortcomings to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the vendor-provided fixes by May 1, 2024.

The exact initial access pathway used to breach the devices is presently unknown, although UAT4356 is said to have started preparations for it as early as July 2023.

A successful foothold is followed by the deployment of two implants named Line Dancer and Line Runner, the former of which is an…

Source…

Governments issue alerts after ‘sophisticated’ state-backed actor found exploiting flaws in Cisco security boxes • The Register

April 25, 2024/in Computer Security

A previously unknown and “sophisticated” nation-state group compromised Cisco firewalls as early as November 2023 for espionage purposes — and possibly attacked network devices made by other vendors including Microsoft, according to warnings from the networking giant and three Western governments.

These cyber-spy campaigns, dubbed “ArcaneDoor” by Cisco, were first spotted in early January and revealed on Wednesday. And they targeted VPN services used by governments and critical infrastructure networks around the globe, according to a joint advisory issued by the Canadian Centre for Cyber Security (Cyber Centre), the Australian Signals Directorate’s Cyber Security Centre, and the UK’s National Cyber Security Centre (NCSC).

A Cisco spokesperson declined to comment on which country the snooping crew – tracked as UAT4356 by Talos and as STORM-1849 by Microsoft – is affiliated with. The disclosures, however, come as both Russian and China-backed hacking groups have been found burrowing into critical infrastructure systems and government agencies, with China specifically targeting Cisco gear.

The mysterious nation-state group “utilized bespoke tooling that demonstrated a clear focus on espionage and an in-depth knowledge of the devices that they targeted, hallmarks of a sophisticated state-sponsored actor,” according to a Talos report published today.

The attacks exploit two vulnerabilities, CVE-2024-20353 and CVE-2024-20359, in Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) devices, and the networking giant issued fixes for both on Wednesday, plus a fix for a related flaw.

CVE-2024-20353 is a high-severity vulnerability in the management and VPN web servers for Cisco ASA and FTD devices, and could allow an unauthenticated, remote attacker to cause the machines to reload unexpectedly, resulting in a denial of service (DoS) attack. It received an 8.6 CVSS rating.

Two other flaws, CVE-2024-20359 and CVE-2024-20358 received a 6.0 CVSS score, and could allow an authenticated local attacker to execute arbitrary code with root-level privileges. Exploiting either, however, requires administrator-level privileges.

Cisco says it hasn’t yet…

Source…

Akira Ransomware Exploiting Cisco ASA/FTD Vulnerability

February 18, 2024/in Internet Security

Feb 16, 2024NewsroomRansomware / Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a now-patched security flaw impacting Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software to its Known Exploited Vulnerabilities (KEV) catalog, following reports that it’s being likely exploited in Akira ransomware attacks.

The vulnerability in question is CVE-2020-3259 (CVSS score: 7.5), a high-severity information disclosure issue that could allow an attacker to retrieve memory contents on an affected device. It was patched by Cisco as part of updates released in May 2020.

Late last month, cybersecurity firm Truesec said it found evidence suggesting that it has been weaponized by Akira ransomware actors to compromise multiple susceptible Cisco Anyconnect SSL VPN appliances over the past year.

“There is no publicly available exploit code for […] CVE-2020-3259, meaning that a threat actor, such as Akira, exploiting that vulnerability would need to buy or produce exploit code themselves, which requires deep insights into the vulnerability,” security researcher Heresh Zaremand said.

According to Palo Alto Networks Unit 42, Akira is one of the 25 groups with newly established data leak sites in 2023, with the ransomware group publicly claiming nearly 200 victims. First observed in March 2023, the group is believed to share connections with the notorious Conti syndicate based on the fact that the ransom proceeds have been routed to Conti-affiliated wallet addresses.

In the fourth quarter of 2023 alone, the e-crime group listed 49 victims on its data leak portal, putting it behind LockBit (275), Play (110), ALPHV/BlackCat (102), NoEscape (76), 8Base (75), and Black Basta (72).

Federal Civilian Executive Branch (FCEB) agencies are required to remediate identified vulnerabilities by March 7, 2024, to secure their networks against potential threats.

CVE-2020-3259 is far from the only flaw to be exploited for delivering ransomware. Earlier this month, Arctic Wolf Labs revealed the abuse of CVE-2023-22527 – a recently uncovered shortcoming in Atlassian Confluence Data Center and Confluence Server – to deploy C3RB3R…

Source…

Tag Archive for: cisco