InfoSecBulletin Cybersecurity for mankind
A Cisco customer noticed the first confirmed activity in early January 2024, but the attacks actually began in November 2023. The researchers also found evidence that indicates this capability was being tested and developed as early as July 2023.
The initial access vector in this campaign – dubbed ArcaneDoor – is still unknown. The threat actor, which Cisco Talos tracks as UAT4356 and Microsoft as STORM-1849, used custom malware:
BIG VULNERABILITIES IN NEXT-GEN BIG-IP
UK confirms Ministry of Defence payroll data exposed in data breach
LockBit Ransomware Leader Unmasked and Sanctioned
Samsung mobile devices 25 flaws patched
Bangladesh to make law to protect customers using electronic currency
Outpost24 report
Cybersecurity Loopholes in Paris 2024 Olympics Infrastructure
Xiaomi Android Devices Hit by Multiple Flaws
LockBit’s seized darknet site resurrected by police, teasing new revelations
GAO: NASA Faces ‘Inconsistent’ Cybersecurity Across Spacecraft
Moshiul Islam accepted as member to Forbes Technology Council
Line Dancer, a shellcode interpreter that resides only in memory, to upload and execute arbitrary shellcode payloads
Line Runner, a backdoor to maintain persistence.
“On a compromised ASA, the attackers submit shellcode via the host-scan-reply field, which is then parsed by the Line Dancer implant. The host-scan-reply field, typically used in later parts of the SSL VPN session establishment process, is processed by ASA devices configured for SSL VPN, IPsec IKEv2 VPN with ‘client-services’ or HTTPS management access,” the researchers explained.
“The actor overrides the pointer to the default host-scan-reply code to instead point to the Line Dancer shellcode interpreter. This allows the actor to use POST requests to interact with the device without having to authenticate and interact directly through any traditional management interfaces.”
Line Dancer has been used to disable syslog, exfiltrate the command show configuration and packet captures, execute CLI commands, prevent the device from creating a crash dump when it crashes, and create ways to always be able to remotely connect to the device.
Line Runner uses an old ASA feature to locate a particular LUA file, unzip it, run it, and then delete it. The scripts in the file let the attacker keep an HTTP-based Lua backdoor on the device, which remains even after reboots and upgrades.
Patch, investigate, respond:
Cisco has released patches for CVE-2024-20353 and CVE-2024-20359, provided indicators of compromise, Snort signatures, and has outlined several methods for locating the Line Runner backdoor on ASA devices.
Companies with Cisco ASA should install the patches right away because there are no other solutions for the vulnerabilities.
“Customers are also strongly encouraged to monitor system logs for indicators of undocumented configuration changes, unscheduled reboots, and any anomalous credential activity,” Cisco advised.
Cisco has also released patches for a third vulnerability (CVE-2024-20358) affecting Cisco ASAs, which is not being exploited by these attackers.
