NC4-ALR-2024-000005 : Active Vulnerabilities Exploitation Affecting Cisco Firewall Platform
Introduction
The National Cyber Coordination and Command Centre (NC4) continuously monitors the cyber security threat level in Malaysia. In view of the recent threat advisory from Cisco Talos regarding the active exploitation of vulnerabilities on their firewall platform, NC4 would like to remind System Administrators to implement sufficient cyber security measures to ensure that devices, systems, and network perimeters are secure and practice good cyber hygiene.
Impact
Data exfiltration, denial of service, loss of data integrity, malware infection
Brief Description
Cisco Product Security Incident Response Team (PSIRT) has discovered a series of attacks aimed at specific devices running Cisco Adaptive Security Appliance (ASA) Software or Cisco Firepower Threat Defense (FTD) Software. These attacks aimed to implant malware, execute commands, and potentially steal data from the affected devices.
The attack campaign has been named “ArcaneDoor”. Although Cisco has not yet determined the initial attack vector, the vulnerabilities listed below could be exploited by an attacker to install malware and gain control over a compromised device. Cisco observed the attacker actively exploiting CVE-2024-20353 and CVE-2024-20359 in this campaign.
CVE-2024-20353: A vulnerability in the management and VPN web servers for Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) software could allow an unauthenticated remote attacker to cause the device to reload unexpectedly, resulting in a denial of service (DoS) condition.
CVE-2024-20358: A vulnerability in the Cisco Adaptive Security Appliance (ASA) restore functionality available in Cisco ASA Software and Firepower Threat Defense (FTD) software could allow an authenticated local attacker to execute arbitrary commands on the underlying operating system with root-level privileges. Administrator-level privileges are required to exploit this vulnerability.
CVE-2024-20359: A vulnerability in a legacy capability that allowed for the preloading of VPN clients and plug-ins which has been available in Cisco Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) software could allow an authenticated local attacker to execute arbitrary code with root-level privileges. Administrator-level privileges are required to exploit this vulnerability.
The NC4 will continue to monitor for any impact of these vulnerabilities in Malaysia.
Affected Product
Devices and appliances running:
- Cisco Adaptive Security Appliance (ASA) Software
- Cisco Firepower Threat Defense (FTD) Software
Cisco FTD Software is affected by CVE-2024-20358 only when lockdown mode is enabled to restrict Linux shell access. Note that lockdown mode is disabled by default.
Recommendation
Organisations are advised to be vigilant and to take the following actions:
- Install the security update once it is available for your version;
- Closely monitor these devices and carry out threat-hunting activities;
- Follow the guidance published in the security advisories provided by Cisco and the recent security updates addressing ArcaneDoor vulnerabilities; and
- If you believe you have been compromised, you should contact Cisco PSIRT and also report it to NC4.
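The following script is an added example, not code from NC4 or Cisco, of how a defender can act on the "install the update" and "closely monitor these devices" recommendations across a fleet. It parses constructed Cisco ASA "show version" output to extract the running version and the device uptime, flags devices whose boot time falls after the last planned maintenance window (an unexpected reload is the observable symptom of the CVE-2024-20353 denial-of-service condition), and flags devices running a version older than the fixed release for their train. The hostnames, the output samples, and the FIXED_VERSIONS table are assumptions made for the example; the real fixed releases must be taken from the Cisco advisory. The FTD "show version" format differs and is not handled here.

```python
"""Fleet triage helper for the ArcaneDoor advisory (added example).

Parses Cisco ASA 'show version' output (constructed samples below) and
reports, per device, whether it runs a fixed release and whether it has
reloaded outside the last planned maintenance window.
"""
import re
from datetime import datetime, timedelta

# PLACEHOLDER fixed releases keyed by train (major, minor). These are NOT
# real fixed versions; replace them with the values from the Cisco advisory.
FIXED_VERSIONS = {
    (9, 16): (9, 16, 4, 99),   # placeholder
    (9, 18): (9, 18, 4, 99),   # placeholder
}

# Slack after a planned reload before a later boot counts as unexpected.
PLANNED_RELOAD_SLACK = timedelta(minutes=30)

# ASA prints versions as major.minor(maint) with an optional interim suffix,
# e.g. "9.16(4)42"; the interim number is absent on some releases.
VERSION_RE = re.compile(
    r"Adaptive Security Appliance Software Version\s+(\d+)\.(\d+)\((\d+)\)(\d+)?"
)
# Uptime line, e.g. "<hostname> up 2 days 3 hours" or "<hostname> up 45 mins 12 secs".
UPTIME_RE = re.compile(
    r"^\S+ up(?: (\d+) days?)?(?: (\d+) hours?)?(?: (\d+) mins?)?(?: (\d+) secs?)?\s*$",
    re.MULTILINE,
)


def parse_version(show_version: str) -> tuple:
    """Return the running version as a comparable (major, minor, maint, interim) tuple."""
    m = VERSION_RE.search(show_version)
    if not m:
        raise ValueError("no ASA software version line found")
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))


def parse_uptime(show_version: str) -> timedelta:
    """Return the device uptime reported by 'show version'."""
    m = UPTIME_RE.search(show_version)
    if not m:
        raise ValueError("no uptime line found")
    days, hours, mins, secs = (int(g or 0) for g in m.groups())
    return timedelta(days=days, hours=hours, minutes=mins, seconds=secs)


def is_patched(version: tuple):
    """True/False against the fixed release for the device's train; None if the train is unknown."""
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return None
    return version >= fixed


def unexpected_reload(uptime: timedelta, last_planned_reload: datetime, now: datetime) -> bool:
    """True when the device booted later than the last planned reload (plus slack)."""
    boot_time = now - uptime
    return boot_time > last_planned_reload + PLANNED_RELOAD_SLACK


def triage(inventory: list, now: datetime) -> list:
    """Evaluate every device record and return one finding dict per device."""
    findings = []
    for device in inventory:
        version = parse_version(device["show_version"])
        uptime = parse_uptime(device["show_version"])
        findings.append({
            "host": device["host"],
            "version": version,
            "patched": is_patched(version),
            "unexpected_reload": unexpected_reload(uptime, device["last_planned_reload"], now),
        })
    return findings


# Constructed sample inventory; hostnames and output are not from real devices.
NOW = datetime(2024, 4, 26, 12, 0, 0)
SAMPLE_INVENTORY = [
    {
        "host": "fw-edge-01",
        "last_planned_reload": datetime(2024, 3, 1, 2, 0, 0),
        "show_version": (
            "Cisco Adaptive Security Appliance Software Version 9.16(4)42\n"
            "Device Manager Version 7.16(1)\n"
            "fw-edge-01 up 2 days 3 hours\n"
        ),
    },
    {
        "host": "fw-edge-02",
        "last_planned_reload": datetime(2024, 4, 20, 2, 0, 0),
        "show_version": (
            "Cisco Adaptive Security Appliance Software Version 9.18(4)99\n"
            "fw-edge-02 up 6 days 10 hours\n"
        ),
    },
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY, NOW):
        print(finding)
```

In the constructed data, fw-edge-01 is reported as unpatched and as having reloaded outside its maintenance window, which is the combination that should go to the top of the threat-hunting queue; fw-edge-02 is on the placeholder fixed release and its boot time matches its planned reload. A version on a train missing from the table is reported as None rather than as patched, so an incomplete table cannot silently clear a device.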
References
Cisco Talos
https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/
Cisco Event Response
https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_attacks_event_response