Security News > 2024 > April > ArcaneDoor hackers exploit Cisco zero-days to breach govt networks
Cisco warned today that a state-backed hacking group has been exploiting two zero-day vulnerabilities in Adaptive Security Appliance and Firepower Threat Defense firewalls since November 2023 to breach government networks worldwide.
The hackers, identified as UAT4356 by Cisco Talos and STORM-1849 by Microsoft, began infiltrating vulnerable edge devices in early November 2023 in a cyber-espionage campaign tracked as ArcaneDoor.
Even though Cisco has not yet identified the initial attack vector, it discovered two security flaws- CVE-2024-20353 and CVE-2024-20359-the threat actors used as zero-days in these attacks.
Cisco became aware of the ArcaneDoor campaign in early January 2024 and found evidence that the attackers had tested and developed exploits to target the two zero-days since at least July 2023.
Cisco admins are also "Strongly encouraged" to monitor system logs for any signs of unscheduled reboots, unauthorized configuration changes, or suspicious credential activity.
Cisco discloses root escalation flaw with public exploit code.
News URL
Related news
- State-Sponsored Hackers Exploit Two Cisco Zero-Day Vulnerabilities for Espionage (source)
- Hackers exploit Ray framework flaw to breach servers, hijack resources (source)
- Hackers backdoored Cisco ASA devices via two zero-days (CVE-2024-20353, CVE-2024-20359) (source)
- Week in review: Two Cisco ASA zero-days exploited, MITRE breach, GISEC Global 2024 (source)
- Hackers exploit WordPress plugin flaw to infect 3,300 sites with malware (source)
- Magnet Goblin Hacker Group Leveraging 1-Day Exploits to Deploy Nerbian RAT (source)
- Hackers exploit Windows SmartScreen flaw to drop DarkGate malware (source)
- Hackers exploit Aiohttp bug to find vulnerable networks (source)
- Chinese Earth Krahang hackers breach 70 orgs in 23 countries (source)
- Russia Hackers Using TinyTurla-NG to Breach European NGO's Systems (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-04-24 | CVE-2024-20359 | Code Injection vulnerability in Cisco Adaptive Security Appliance Software A vulnerability in a legacy capability that allowed for the preloading of VPN clients and plug-ins and that has been available in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, local attacker to execute arbitrary code with root-level privileges. | 6.0 |
| 2024-04-24 | CVE-2024-20353 | Infinite Loop vulnerability in Cisco Adaptive Security Appliance Software A vulnerability in the management and VPN web servers for Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause the device to reload unexpectedly, resulting in a denial of service (DoS) condition. This vulnerability is due to incomplete error checking when parsing an HTTP header. | 8.6 |