InfoSecBulletin Cybersecurity for mankind
A Cisco customer noticed the first confirmed activity in early January 2024, but the attacks actually began in November 2023. The researchers also found evidence that indicates this capability was being tested and developed as early as July 2023.
The initial access vector in this campaign – dubbed ArcaneDoor – is still unknown. The threat actor, which Cisco Talos tracks as UAT4356 and Microsoft as STORM-1849, used custom malware:
BCSI BLOG POST
SonicWALL Vulnerability Traded; threating for Corporate network in Bangladesh
Banking trojan Grandoreiro targeting about 1,500 banks over 60 countries
Australian gov.t warns of ‘large-scale ransomware data breach’
Patch Now: CISA Warns of Actively Exploited D-Link Router Vulnerabilities
New “Antidot” Banking Trojan disguised Fake Google Play Updates
CISA Published Encrypted DNS Implementation Guidance
Cyble Research
Transparent Tribe & SideCopy: A Cyber Alliance Targeting India
Recordedfuture report
Hackers Exploit GitHub to Spread Malware targeting operating systems
ALERT
CISA issued Seventeen Industrial Control Systems Advisories
Intel released 41 Security Advisories Over 90 Vulnerabilities
Line Dancer, a shellcode interpreter that resides only in memory, to upload and execute arbitrary shellcode payloads
Line Runner, a backdoor to maintain persistence.
“On a compromised ASA, the attackers submit shellcode via the host-scan-reply field, which is then parsed by the Line Dancer implant. The host-scan-reply field, typically used in later parts of the SSL VPN session establishment process, is processed by ASA devices configured for SSL VPN, IPsec IKEv2 VPN with ‘client-services’ or HTTPS management access,” the researchers explained.
“The actor overrides the pointer to the default host-scan-reply code to instead point to the Line Dancer shellcode interpreter. This allows the actor to use POST requests to interact with the device without having to authenticate and interact directly through any traditional management interfaces.”
Line Dancer has been used to disable syslog, exfiltrate the command show configuration and packet captures, execute CLI commands, prevent the device from creating a crash dump when it crashes, and create ways to always be able to remotely connect to the device.
Line Runner uses an old ASA feature to locate a particular LUA file, unzip it, run it, and then delete it. The scripts in the file let the attacker keep an HTTP-based Lua backdoor on the device, which remains even after reboots and upgrades.
Patch, investigate, respond:
Cisco has released patches for CVE-2024-20353 and CVE-2024-20359, provided indicators of compromise, Snort signatures, and has outlined several methods for locating the Line Runner backdoor on ASA devices.
Companies with Cisco ASA should install the patches right away because there are no other solutions for the vulnerabilities.
“Customers are also strongly encouraged to monitor system logs for indicators of undocumented configuration changes, unscheduled reboots, and any anomalous credential activity,” Cisco advised.
Cisco has also released patches for a third vulnerability (CVE-2024-20358) affecting Cisco ASAs, which is not being exploited by these attackers.
