Thursday , January 23 2025
Key

Hackers backdoored Cisco ASA devices via two zero-days

A Cisco customer noticed the first confirmed activity in early January 2024, but the attacks actually began in November 2023. The researchers also found evidence that indicates this capability was being tested and developed as early as July 2023.

The initial access vector in this campaign – dubbed ArcaneDoor – is still unknown. The threat actor, which Cisco Talos tracks as UAT4356 and Microsoft as STORM-1849, used custom malware:

Delay patching leaves about 50,000 Fortinet firewalls to zero-day attack

Fortinet customers must apply the latest updates, as almost 50,000 management interfaces remain vulnerable to the latest zero-day exploit. The...
Read More
Delay patching leaves about 50,000 Fortinet firewalls to zero-day attack

Daily Security Update Dated: 21.01.2025

Every day a lot of cyberattack happen around the world including ransomware, Malware attack, data breaches, website defacement and so...
Read More
Daily Security Update Dated: 21.01.2025

126 Linux kernel Vulns Allow Attackers Exploit 78 Linux Sub-Systems

Ubuntu 22.04 LTS users are advised to update their systems right away due to a crucial security patch from Canonical...
Read More
126 Linux kernel Vulns Allow Attackers Exploit 78 Linux Sub-Systems

CERT-UA alerts about “security audit” requests through AnyDesk

Attackers are pretending to be Ukraine's Computer Emergency Response Team (CERT-UA) using AnyDesk to access target computers. “Unidentified individuals are...
Read More
CERT-UA alerts about “security audit” requests through AnyDesk

Oracle Critical Pre-Release update addressed 320 flaw

Oracle Critical Patch Update Pre-Release Announcement shares details about the upcoming update scheduled for January 21, 2025. Note that this...
Read More
Oracle Critical Pre-Release update addressed 320 flaw

OWASP Reveils Top 10 Smart Contract Vulnerabilities for 2025

OWASP has released its updated list of the top 10 vulnerabilities in smart contracts for 2025. This guide highlights the...
Read More
OWASP Reveils Top 10 Smart Contract Vulnerabilities for 2025

Multiple Azure DevOps Vulns Allow To Inject CRLF Queries & Rebind DNS

Security researchers have found several vulnerabilities in Azure DevOps that could enable attackers to inject CRLF queries and carry out...
Read More
Multiple Azure DevOps Vulns Allow To Inject CRLF Queries & Rebind DNS

Intel holds 22 employees from one Bangladeshi University

Intel Corporation is a leading semiconductor chip manufacturer, employing at least 22 graduates from the Department of Applied Chemistry and...
Read More
Intel holds 22 employees from one Bangladeshi University

VPN Surge 1500% in USA after TikTok Shut Down

vpnMentor’s Research Team is monitoring the potential TikTok ban in the U.S., driven by national security and data privacy issues....
Read More
VPN Surge 1500% in USA after TikTok Shut Down

MITRE Launches D3FEND 1.0; The Milestone for Cybersecurity Ontology

MITRE launched D3FENDTM 1.0, a cybersecurity framework that provides a vocabulary and understanding of the cyber domain. D3FEND 1.0, funded...
Read More
MITRE Launches D3FEND 1.0; The Milestone for Cybersecurity Ontology

Line Dancer, a shellcode interpreter that resides only in memory, to upload and execute arbitrary shellcode payloads
Line Runner, a backdoor to maintain persistence.

“On a compromised ASA, the attackers submit shellcode via the host-scan-reply field, which is then parsed by the Line Dancer implant. The host-scan-reply field, typically used in later parts of the SSL VPN session establishment process, is processed by ASA devices configured for SSL VPN, IPsec IKEv2 VPN with ‘client-services’ or HTTPS management access,” the researchers explained.

“The actor overrides the pointer to the default host-scan-reply code to instead point to the Line Dancer shellcode interpreter. This allows the actor to use POST requests to interact with the device without having to authenticate and interact directly through any traditional management interfaces.”

Line Dancer has been used to disable syslog, exfiltrate the command show configuration and packet captures, execute CLI commands, prevent the device from creating a crash dump when it crashes, and create ways to always be able to remotely connect to the device.

Line Runner uses an old ASA feature to locate a particular LUA file, unzip it, run it, and then delete it. The scripts in the file let the attacker keep an HTTP-based Lua backdoor on the device, which remains even after reboots and upgrades.

Patch, investigate, respond:
Cisco has released patches for CVE-2024-20353 and CVE-2024-20359, provided indicators of compromise, Snort signatures, and has outlined several methods for locating the Line Runner backdoor on ASA devices.

Companies with Cisco ASA should install the patches right away because there are no other solutions for the vulnerabilities.

“Customers are also strongly encouraged to monitor system logs for indicators of undocumented configuration changes, unscheduled reboots, and any anomalous credential activity,” Cisco advised.

Cisco has also released patches for a third vulnerability (CVE-2024-20358) affecting Cisco ASAs, which is not being exploited by these attackers.

Check Also

Authority Denies
Hacker claim ransomware attack on Indonesia’s state bank BRI

Bank Rakyat Indonesia (BRI), the largest state bank by assets, has assured customers that their …

Leave a Reply

Your email address will not be published. Required fields are marked *