Cisco: Attackers use new 0-day vulnerability to install backdoors on firewalls

A cleverly designed backdoor on devices with Cisco's ASA and FTD systems survives reboots and system updates. Many details remain unclear.

Stylized image: a stack of burning Cisco appliances

Vulnerabilities threaten Cisco devices.

(Image: created with AI in Bing Designer by heise online / dmk)

This article was originally published in German and has been automatically translated.

Network equipment supplier Cisco has discovered sophisticated backdoors on devices running the Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) operating systems. Since January, unknown attackers have been exploiting previously unknown zero-day vulnerabilities against selected victims; however, some details are still unclear. Cisco is providing updates, but admins should closely monitor further developments.

The backdoors, dubbed "Line Runner" and "Line Dancer" by Cisco, infiltrate the devices using an as yet unknown method – Cisco's security department has not yet been able to determine whether the attackers have **stolen** their victims' admin credentials or exploited another vulnerability.

What is clear, however, is that the vulnerability CVE-2024-20353 (CVSS 8.6, risk "high") enabled them to trigger the execution of malicious code, which they uploaded to the devices in a ZIP archive. They then caused the affected devices to reboot using another vulnerability, CVE-2024-20359 (CVSS 6.0, risk "high"), and managed to permanently implant their backdoor on the devices.

It is still unclear who is behind the attack – Cisco suspects state-funded actors who have extremely detailed technical knowledge and whose mission is espionage. According to the Cisco experts, this is also supported by the fact that the attack was not carried out on a broad front, but only against specific targets.

The network equipment provider has described the attackers' approach, attributed to a threat actor it tracks as "UAT4356" ("STORM-1849" in Microsoft's nomenclature), in a detailed blog post that also contains Indicators of Compromise (IoC), i.e. evidence of compromise.

Two security advisories also contain references to updates for potentially vulnerable devices – one advisory each for CVE-2024-20353 and CVE-2024-20359.

Administrators who have recently observed strange behavior with their firewalls, including unplanned reboots, should urgently take a closer look at the devices, install updates and take the countermeasures outlined by Cisco.

There has been a thread on this topic in the heise Security Pro expert forum since yesterday. Security managers can discuss their countermeasures there.

(cku)