InfoSecBulletin Cybersecurity for mankind
A Cisco customer noticed the first confirmed activity in early January 2024, but the attacks actually began in November 2023. The researchers also found evidence that indicates this capability was being tested and developed as early as July 2023.
The initial access vector in this campaign – dubbed ArcaneDoor – is still unknown. The threat actor, which Cisco Talos tracks as UAT4356 and Microsoft as STORM-1849, used custom malware:
CVE-2024-51503
Trend Micro released updates for Deep Security Agent RCE
Apple Releases Patch for two Actively Exploited Zero-Day
Maxar Space Data Leak, Company admit, Investigation ongoing!
GitHub CLI Vulnerability Could Allow RCE
“Sarcoma” ransomware group
Hacker to disclose “Popular Life Insurance” 36 GB of stolen data
BugHunt 2024: A Milestone Cyber security Competition held at Dhaka
TP-Link DHCP Vulnerability Allow Attackers Takeover Routers Remotely
WSJ reports
T-Mobile hacked in massive breach of telecom networks
Palo Alto Networks Confirms critical RCE zero-day actively exploited
CISA, FBI Warns
Hacker compromised multiple teleco network at US
Line Dancer, a shellcode interpreter that resides only in memory, to upload and execute arbitrary shellcode payloads
Line Runner, a backdoor to maintain persistence.
“On a compromised ASA, the attackers submit shellcode via the host-scan-reply field, which is then parsed by the Line Dancer implant. The host-scan-reply field, typically used in later parts of the SSL VPN session establishment process, is processed by ASA devices configured for SSL VPN, IPsec IKEv2 VPN with ‘client-services’ or HTTPS management access,” the researchers explained.
“The actor overrides the pointer to the default host-scan-reply code to instead point to the Line Dancer shellcode interpreter. This allows the actor to use POST requests to interact with the device without having to authenticate and interact directly through any traditional management interfaces.”
Line Dancer has been used to disable syslog, exfiltrate the command show configuration and packet captures, execute CLI commands, prevent the device from creating a crash dump when it crashes, and create ways to always be able to remotely connect to the device.
Line Runner uses an old ASA feature to locate a particular LUA file, unzip it, run it, and then delete it. The scripts in the file let the attacker keep an HTTP-based Lua backdoor on the device, which remains even after reboots and upgrades.
Patch, investigate, respond:
Cisco has released patches for CVE-2024-20353 and CVE-2024-20359, provided indicators of compromise, Snort signatures, and has outlined several methods for locating the Line Runner backdoor on ASA devices.
Companies with Cisco ASA should install the patches right away because there are no other solutions for the vulnerabilities.
“Customers are also strongly encouraged to monitor system logs for indicators of undocumented configuration changes, unscheduled reboots, and any anomalous credential activity,” Cisco advised.
Cisco has also released patches for a third vulnerability (CVE-2024-20358) affecting Cisco ASAs, which is not being exploited by these attackers.
