April 30, 2024: Cisco ASA and FTD vulnerabilities lead to breached government networks

Executive Summary:

• Three zero days in two Cisco firewall products, Cisco ASA software and Cisco Firepower Threat Defense (FTD) software, were discovered as part of an investigation into a larger threat actor campaign targeting government-owned perimeter network devices globally, with exploitation going back to January 2024
• The threat actor campaign, named “ArcaneDoor”, was discovered to be targeting network devices from various vendors
• The zero day vulnerabilities identified are tracked as CVE-2024-20353, CVE-2024-20359, and CVE-2024-20358 – of these, only CVE-2024-20353 and CVE-2024-20359 were exploited in the ArcaneDoor campaign
• As of Monday, April 28, 2024, Censys sees over 162,735 hosts running Cisco Adaptive Security Appliance software online. Less than 10 Firepower Threat Defense instances were observed online.
• Just under a third of all exposed Cisco ASA devices were hosted in the U.S. It’s evident from the broader distribution across countries that Cisco ASA is a widely popular software worldwide.
• While the initial access vector leveraged in this campaign is still unknown, Cisco has released software updated to address the 3 zero days & has provided steps for customers to check the integrity of their Cisco Firewall devices in their event response advisory
• Censys Search query for exposed Cisco ASA devices:  services.software.product=”Adaptive Security Appliance”
• Censys ASM customers can use the following risk to look for exposed Cisco Adaptive Security Appliance web management interfaces in their network (risks.name=”Exposed Cisco Adaptive Security Appliance”)

Background

Censys is aware that on April 24, Cisco Talos released a report shedding light on a campaign by a previously unknown state-sponsored threat actor tracked as “UAT4356”. The campaign, dubbed “ArcaneDoor,” targeted government-owned perimeter network devices from various vendors as part of a global effort.

Talos’ investigation found that actor infrastructure was established between November and December 2023, with initial activity first detected in early January 2024. While the initial access vector used in this campaign remains unknown, Talos uncovered three zero-day vulnerabilities affecting Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) software that were exploited as part of the attack chain: CVE-2024-20353, CVE-2024-20359, and CVE-2024-20358.

Potential Consequences of Successful Exploitation:

The sophistication of the exploit chain and the choice of government-associated victims imply that this threat actor is carefully selecting high-value targets. They’ve been observed carrying out various malicious activities on targeted systems, including implanting malware, performing network reconnaissance, altering device configurations, and potentially achieving lateral movement. The original Talos blog on ArcaneDoor has a detailed analysis of the specific malware employed.

Cisco network devices can arguably be deemed critical infrastructure, particularly when they protect government networks. The successful infiltration of these devices could significantly impact an entire organization, especially considering the sophistication of these attacks.

Affected Assets

Cisco Adaptive Security Appliance (ASA) assets are network devices with various functions such as firewall, antivirus, intrusion prevention systems (IPS), and virtual private network (VPN) capabilities.

Cisco Firepower Threat Defense (FTD) is software that combines the firewall and IPS capabilities of Cisco ASA and Cisco Firepower as another network security solution.

Cisco’s advisories do not list any specific affected versions for these vulnerabilities, so it’s reasonable to assume that any devices running this software should be secured against them. They provide a Cisco Software Checker page for customers to check software versions for multiple products on their devices to determine potential vulnerability exposure.

Global Impact

As of Monday, April 29, 2024, Censys observed over 162,700 hosts running Cisco Adaptive Security Appliance software online (services.software.product=”Adaptive Security Appliance”). The digital footprint of Firepower Threat Defense hosts is significantly smaller, with less than ten observed online. Censys does not have visibility into the software versions of these products.

Map of All Exposed Censys-visible Cisco ASA Devices Globally on April 29, 2024

Top 10 Countries with Exposed Censys-visible Cisco ASA Devices on April 29, 2024

It’s clear that Cisco ASA software is globally popular: the top countries here closely mirror the countries that Censys observes with the highest concentrations of hosts in our dataset overall. The United States hosts just under a third of exposed Cisco ASA devices, with approximately 51,000 hosts online.

While this analysis focuses on Cisco ASA in particular due to Talos’s in-depth investigation, note that perimeter network devices from various vendors are being targeted in this campaign. You can use the label network.device in Censys Search to broadly search for network devices in your network.

Recommendations for Remediation

While the initial attack vector remains unknown, Cisco recommends that customers apply the software updates listed in their security advisory that address the 3 vulnerabilities discovered as part of their investigation: Cisco Event Response: Attacks Against Cisco Firewall Platforms

Cisco also provided the following steps for customers to check the integrity of their ASA or FTD devices:

“Note: Complete the following steps for each device and provide the output of each device as its own file.

1. Log in to the device CLI using SSH/Telnet.
   • If the device is deployed in Cisco FTD mode, run the system support diagnostic-cli command and then the enable command.
   • If the device is deployed in multi-context mode, log in to the admin context and change to the system context.
2. Run the term pager 0 command to prevent the device from pausing the output with –More– prompts.
3. Run the show version command and save the output to a text file.
4. Run the verify /sha-512 system:memory/text command and save the output to the same text file.
5. Run the show memory region command and save the output to the same text file.
6. Reset the terminal length with the term pager 24 command.
7. Open a case with the Cisco Technical Assistance Center (TAC) as severity 3. In the case, reference the keyword ArcaneDoor and upload the data that was collected in steps 3–5.”