In a recent development, researchers have uncovered a five-month hacking campaign that has been exploiting zero-day vulnerabilities in Cisco Adaptive Security Appliances (ASA) firewalls. The attackers, believed to be backed by a powerful nation-state, have been targeting government networks worldwide. This latest revelation highlights a concerning trend of nation-state actors increasingly targeting firewalls, VPNs, and other network perimeter devices that are designed to protect networks from external threats.
Over the past 18 months, threat actors, primarily supported by the Chinese government, have been exploiting previously unknown vulnerabilities in security appliances from various vendors, including Ivanti, Atlassian, Citrix, and Progress. These devices are particularly attractive targets because they often serve as a gateway to a network’s most sensitive resources and interact with a wide range of incoming communications.
On Wednesday, Cisco issued a warning about the exploitation of its ASA products, specifically two zero-days that have been leveraged by a previously unknown actor tracked as UAT4356 by Cisco and STORM-1849 by Microsoft. The attacks involve a sophisticated exploit chain targeting multiple vulnerabilities, including the zero-days. Additionally, the attackers have deployed two previously unseen malware programs, one of which resides solely in memory to evade detection.
The meticulous approach of the attackers, coupled with the targeted nature of the campaign, has led Talos, Cisco’s security team, to conclude that the attacks are likely the work of state-sponsored hackers pursuing espionage objectives. Talos researchers attributed the attacks to a state-sponsored actor based on the victims, the advanced anti-forensic measures employed, and the identification of zero-day vulnerabilities.
The researchers also cautioned that the hacking campaign may not be limited to ASA devices. They acknowledged that they are still investigating how UAT4356 initially gained access to the networks, suggesting that other vulnerabilities in Microsoft or third-party network wares may have been exploited.
Cisco has released security updates to patch the vulnerabilities and has strongly advised all ASA users to apply the updates immediately. The campaign timeline indicates that UAT4356 began developing and testing the exploits as early as July 2023. By November, the dedicated server infrastructure for the attacks was established, and the campaign became fully operational in January 2024.
One of the exploited vulnerabilities, CVE-2024-20359, is a retired feature that allowed preloading of VPN clients and plug-ins in ASA. It stems from inadequate file validation during reading from the flash memory of a vulnerable device and allows for remote code execution with root system privileges when exploited. UAT4356 has been utilizing this vulnerability to install backdoors that Cisco has named ‘Line Dancer’ and ‘Line Runner.’ The threat actor has also exploited CVE-2024-20353, a separate ASA vulnerability rated 8.6 out of 10 in severity, to install the backdoors in at least one known instance.