Security News > 2024 > April > Hackers backdoored Cisco ASA devices via two zero-days (CVE-2024-20353, CVE-2024-20359)
A state-sponsored threat actor has managed to compromise Cisco Adaptive Security Appliances used on government networks across the globe and use two zero-day vulnerabilities to install backdoors on them, Cisco Talos researchers have shared on Wednesday.
"On a compromised ASA, the attackers submit shellcode via the host-scan-reply field, which is then parsed by the Line Dancer implant. The host-scan-reply field, typically used in later parts of the SSL VPN session establishment process, is processed by ASA devices configured for SSL VPN, IPsec IKEv2 VPN with 'client-services' or HTTPS management access," the researchers explained.
Cisco has released patches for CVE-2024-20353 and CVE-2024-20359, provided indicators of compromise, Snort signatures, and has outlined several methods for locating the Line Runner backdoor on ASA devices.
Organizations using Cisco ASA are advised to implement the patches as soon as possible as there are no workarounds that can address the two vulnerabilities.
Cisco researchers worked on analyzing these attacks with the help of several companies and governmental cybersecurity agencies from the US, Canada, Australia and the UK. "This actor utilized bespoke tooling that demonstrated a clear focus on espionage and an in-depth knowledge of the devices that they targeted, hallmarks of a sophisticated state-sponsored actor," the researchers noted.
"Further, network telemetry and information from intelligence partners indicate the actor is interested in - and potentially attacking - network devices from Microsoft and other vendors. Regardless of your network equipment provider, now is the time to ensure that the devices are properly patched, logging to a central, secure location, and configured to have strong, multi-factor authentication," Cisco Talos warned.
News URL
https://www.helpnetsecurity.com/2024/04/24/cve-2024-20353-cve-2024-20359/
Related news
- Qualcomm zero-day under targeted exploitation (CVE-2024-43047) (source)
- Ivanti fixes three CSA zero-days exploited in the wild (CVE-2024-9379, CVE-2024-9380, CVE-2024-9381) (source)
- Microsoft patches two zero-days exploited in the wild (CVE-2024-43573, CVE-2024-43572) (source)
- Actively exploited Firefox zero-day fixed, update ASAP! (CVE-2024-9680) (source)
- Cisco takes DevHub portal offline after hacker publishes stolen data (source)
- Hackers exploit 52 zero-days on the first day of Pwn2Own Ireland (source)
- Lazarus hackers used fake DeFi game to exploit Google Chrome zero-day (source)
- Fortinet FortiManager flaw exploited in zero-day attacks (CVE-2024-47575) (source)
- Cisco Issues Urgent Fix for ASA and FTD Software Vulnerability Under Active Attack (source)
- Over 70 zero-day flaws get hackers $1 million at Pwn2Own Ireland (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-04-24 | CVE-2024-20359 | Code Injection vulnerability in Cisco Adaptive Security Appliance Software A vulnerability in a legacy capability that allowed for the preloading of VPN clients and plug-ins and that has been available in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, local attacker to execute arbitrary code with root-level privileges. | 6.0 |
| 2024-04-24 | CVE-2024-20353 | Infinite Loop vulnerability in Cisco Adaptive Security Appliance Software A vulnerability in the management and VPN web servers for Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause the device to reload unexpectedly, resulting in a denial of service (DoS) condition. This vulnerability is due to incomplete error checking when parsing an HTTP header. | 8.6 |