Flawed Cisco firewalls used to target government networks
A Cisco Talos investigation has uncovered a state-affiliated cyber espionage campaign exploiting two Cisco zero days to plant malware on critical government networks.
The campaign, known as ArcaneDoor, targets perimeter network devices and uses them to gain a foothold on the target network; from there, the attackers can begin distributing malware, stealing information, and spreading throughout the organization.
Cisco said perimeter network devices are the perfect intrusion point for espionage-focused threat actors, because they sit at a chokepoint through which vast amounts of data enter and leave the network.
Researchers first became aware of the campaign in January 2024, finding evidence that the group, being tracked as UAT4356 or STORM-1849, had been testing and developing exploits to target the two zero days since at least July 2023.
While Cisco was unable to identify the initial attack vector used by the group, it said it has issued fixes for the two vulnerabilities exploited in the attacks.
What Cisco products were used in the attacks?
The two zero days exploited pertain to two Cisco firewall products, its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) solutions.
The first vulnerability, CVE-2024-20353, is a denial of service flaw that affects devices running Cisco’s ASA or FTD software, caused by incomplete error checking when parsing HTTP headers.
Cisco warned that an attacker could send a crafted HTTP request to a web server on the device; a successful exploit could cause the device to reload, resulting in a denial of service condition.
CVE-2024-20359 is a persistent local code execution vulnerability which, if successfully exploited, could allow a local attacker to execute arbitrary code with root-level privileges.
Although exploiting the flaw requires administrator-level privileges, Cisco explained that because the injected code could persist across device reboots, it raised the Security Impact Rating (SIR) of its advisory from medium to high.