Two vulnerabilities, CVE-2024-20353 (denial of service) and CVE-2024-20359 (persistent local code execution), were leveraged to create backdoors by a state-sponsored cyber-espionage group, ArcaneDoor, in Cisco firewalls. Review the recommendations in this Cybersecurity Threat Advisory to protect your firewall appliances now.
What is the threat?
Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls had two critical vulnerabilities exploited:
- CVE-2024-20353: Denial-of-Service (DoS) vulnerability. Allows attackers to disrupt services on the targeted firewall, potentially leading to a system crash or reboot, providing an opportunity for further exploitation.
- CVE-2024-20359: Persistent local code execution vulnerability. Enables attackers to execute arbitrary code with root-level privileges, giving them complete control over the compromised device. This allows for the installation of backdoors, exfiltration of sensitive data, and further exploitation of the network.
Why is it noteworthy?
The campaign leverages two zero-day vulnerabilities, indicating a high level of sophistication and suggesting the involvement of a well-resourced threat actor, likely state-sponsored. The attacks focus on network perimeter devices crucial for data transfer and security, highlights the potential for widespread impact, and underscores the importance of promptly patching and securing these devices. The use of custom malware and advanced techniques like memory-resident implants and evasion tactics further emphasize the severity and the need for heightened vigilance.
What is the exposure or risk?
The vulnerabilities exploited in the ArcaneDoor campaign affect ASA and FTD firewalls which are critical components in network security. If leveraged, these vulnerabilities could allow attackers to gain unauthorized access to sensitive network configurations, intercept and modify network traffic, and execute arbitrary code with elevated privileges. This could lead to further compromise of internal networks, data theft, and disruption of critical services. Organizations using affected Cisco devices are at high risk of damage due to the potential for extensive network compromise and data exfiltration.
What are the recommendations?
Barracuda MSP recommends the following actions to protect your firewall appliances against this threat:
- Apply the security patches provided by Cisco to fix the CVE-2024-20353 and CVE-2024-20359 vulnerabilities.
- Enable strong, multi-factor authentication (MFA) on all network devices, including Cisco ASA and FTD firewalls.
- Monitor system logs for any signs of unscheduled reboots, unauthorized configuration changes, or suspicious credential activity.
- Regularly update hardware and software to the latest versions.
References
For more in-depth information about the recommendations, please visit the following links:
- https://securityaffairs.com/162244/apt/nation-state-actors-exploited-two-zero-days-in-asa-and-ftd-firewalls-to-breach-government-networks.html
- https://thehackernews.com/2024/04/state-sponsored-hackers-exploit-two.html
- https://www.bleepingcomputer.com/news/security/arcanedoor-hackers-exploit-cisco-zero-days-to-breach-govt-networks/
- https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/
If you have any questions about this Cybersecurity Threat Advisory, please contact Barracuda XDR’s Security Operations Center.
