Hostile nation-state cyber unit exploits Cisco zero-day flaws to launch espionage efforts

Target Industry

Indiscriminate, opportunistic targeting.

Overview

An emerging hostile nation-state cyber actor, tracked by Microsoft as Storm-1849, has launched a covert espionage campaign by exploiting two zero-day vulnerabilities, CVE-2024-20353 (CVSSv3.1 score: 8.6) and CVE-2024-20359 (CVSSv3.1 score: 6.0), in Cisco networking products to deliver custom malware that extracts data from target systems. It should be noted that administrator-level privileges are required to exploit CVE-2024-20359.

Cisco Talos has classified the activity group as “ArcaneDoor”. Two backdoor malware strains have been deployed across a cluster of intrusions to perform several malicious operations, including configuration modification, reconnaissance and network traffic exfiltration, with possible lateral movement within target environments. Technical analysis revealed that at each stage of the attack chain, Storm-1849 prioritised hiding its digital footprint and applied sophisticated methods to evade memory forensics, decreasing the chances of detection.

The US Cybersecurity and Infrastructure Security Agency (CISA) has added these security issues to its Known Exploited Vulnerabilities (KEV) catalogue, requiring federal agencies to implement the vendor-provided remediations by 1st May 2024.

Impact

Successful exploitation of CVE-2024-20353 would likely allow an unauthenticated, remote threat actor to cause the vulnerable device to reload unexpectedly, resulting in a denial of service (DoS) condition.

Successful exploitation of CVE-2024-20359 would likely allow an authenticated, local threat actor with administrator-level privileges to execute arbitrary code with root-level privileges.

Vulnerability Detection

Security patches for these vulnerabilities have been released by Cisco. Product versions prior to the patched releases therefore remain vulnerable to potential exploitation.

Affected Products

CVE-2024-20353 affects Cisco ASA Software and FTD Software if they have one or more of the vulnerable configurations listed in the Cisco advisory.

CVE-2024-20359 affects Cisco products if they are running a vulnerable release of Cisco ASA Software or FTD Software. No specific configuration is required.

Containment, Mitigations & Remediations

There are currently no workarounds available for either of the Cisco vulnerabilities and it is therefore strongly recommended that the relevant security patches for both CVE-2024-20353 and CVE-2024-20359 are applied as a matter of urgency.

Indicators of Compromise

The following network-based Indicators of Compromise (IoCs) have been attributed with a high level of confidence by the combined agencies of the Canadian Centre for Cyber Security (Cyber Centre), the Australian Signals Directorate’s Cyber Security Centre, and the UK’s National Cyber Security Centre (NCSC):

– 185.244.210[.]65
– 5.183.95[.]95
– 213.156.138[.]77
– 45.77.54[.]14
– 45.77.52[.]253
– 45.63.119[.]131
– 194.32.78[.]183
– 185.244.210[.]120
– 216.238.81[.]149
– 216.238.85[.]220
– 216.238.74[.]95
– 45.128.134[.]189
– 176.31.18[.]153
– 216.238.72[.]201
– 216.238.71[.]49
– 216.238.66[.]251
– 216.238.86[.]24
– 216.238.75[.]155
– 154.39.142[.]47
– 139.162.135[.]12

It is strongly recommended that organisations using the affected products review historical network logs, specifically for large volumes of data being transferred, paying particular attention to the period December 2023 to February 2024.
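As a worked illustration of the log review recommended above, the following script is an added example (not part of the bulletin or of any agency tooling). It de-fangs the IoC list exactly as printed in this bulletin, parses a simple whitespace-separated flow-export format (an assumption; adapt the regular expression to your NetFlow, firewall or proxy log layout), flags any flow whose destination matches a listed address, and separately flags unusually large outbound transfers that fall inside the December 2023 to February 2024 window. The sample flow lines and the 100 MiB threshold are constructed for the example.

```python
import ipaddress
import re
from datetime import datetime

# The network IoCs published in this bulletin, de-fanged as printed.
BULLETIN_IOCS = [
    "185.244.210[.]65", "5.183.95[.]95", "213.156.138[.]77", "45.77.54[.]14",
    "45.77.52[.]253", "45.63.119[.]131", "194.32.78[.]183", "185.244.210[.]120",
    "216.238.81[.]149", "216.238.85[.]220", "216.238.74[.]95", "45.128.134[.]189",
    "176.31.18[.]153", "216.238.72[.]201", "216.238.71[.]49", "216.238.66[.]251",
    "216.238.86[.]24", "216.238.75[.]155", "154.39.142[.]47", "139.162.135[.]12",
]


def refang(ioc: str) -> str:
    """Turn a de-fanged address such as 1.2.3[.]4 back into 1.2.3.4."""
    return ioc.replace("[.]", ".")


IOC_SET = {ipaddress.ip_address(refang(i)) for i in BULLETIN_IOCS}

# Review window recommended in the bulletin (end is exclusive).
WINDOW_START = datetime(2023, 12, 1)
WINDOW_END = datetime(2024, 3, 1)

# Constructed sample log lines. Assumed layout (not a real Cisco export format):
# <ISO timestamp> <src_ip> <dst_ip> <dst_port> <bytes_out>
SAMPLE_FLOWS = """\
2024-01-14T02:13:55 10.0.0.5 185.244.210.65 443 734003200
2024-01-14T02:20:01 10.0.0.5 93.184.216.34 443 1520
2023-11-02T11:00:00 10.0.0.7 5.183.95.95 443 120000000
2024-02-03T23:41:09 10.0.0.9 216.238.66.251 8443 52428800
2024-02-04T09:15:30 10.0.0.9 203.0.113.10 443 1073741824
"""

FLOW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)$")


def parse_flow(line: str):
    """Parse one flow line into a dict, or return None for malformed input."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, nbytes = m.groups()
    try:
        return {
            "ts": datetime.fromisoformat(ts),
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "port": int(port),
            "bytes": int(nbytes),
        }
    except ValueError:
        return None


def triage_flows(text: str, ioc_set=IOC_SET, large_bytes=100 * 1024 * 1024):
    """Return (ioc_hits, large_transfers).

    ioc_hits: every flow whose destination is a listed IoC, regardless of date,
              because any contact with listed infrastructure warrants review.
    large_transfers: flows inside the review window at or above large_bytes,
              the "large volumes of data" signal the bulletin asks for.
    """
    ioc_hits, large = [], []
    for line in text.splitlines():
        f = parse_flow(line)
        if f is None:
            continue
        if f["dst"] in ioc_set:
            ioc_hits.append(f)
        if WINDOW_START <= f["ts"] < WINDOW_END and f["bytes"] >= large_bytes:
            large.append(f)
    return ioc_hits, large


if __name__ == "__main__":
    hits, large = triage_flows(SAMPLE_FLOWS)
    for f in hits:
        print(f"IOC MATCH  {f['ts'].isoformat()} {f['src']} -> {f['dst']}:{f['port']}")
    for f in large:
        print(f"LARGE XFER {f['ts'].isoformat()} {f['src']} -> {f['dst']} {f['bytes']} bytes")
```

The two signals are kept separate on purpose: an IoC match is actionable on its own, whereas a large transfer is only a lead that needs the destination, the source host and the business context checked before escalation. Run over the constructed sample, three flows match listed addresses and two transfers in the window exceed the threshold; the November 2023 transfer is reported only as an IoC match because it falls outside the review window.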

Threat Landscape

Cisco holds a significant share of the enterprise network infrastructure market. Given that threat actors generally weigh a combination of probability of success and asset value when choosing which attack surfaces to focus on, Cisco products have become a prime target. Because Cisco products are an integral part of business operations, threat actors will continue to exploit vulnerabilities in these products in an attempt to extract the sensitive data they carry.

Threat Group

As of the time of writing, there is insufficient intelligence to attribute this state-sponsored Storm-1849 campaign to a particular nation. However, it should be noted that we have previously detected both Chinese and Russian state-backed cyber forces targeting Cisco routers in agile espionage efforts.

The emergence of this activity group provides yet another instance of increased targeting of edge devices that lack endpoint detection and response (EDR) solutions, as evidenced by the recent attacks against Barracuda Networks, Fortinet, Ivanti, Palo Alto Networks, and VMware.

Mitre Methodologies

Common Weakness Enumeration (CWE)

CVE-2024-20353: CWE-835 – Loop with Unreachable Exit Condition (‘Infinite Loop’)

CVE-2024-20359: CWE-94 – Improper Control of Generation of Code (‘Code Injection’)

Further Information

Cisco Talos Blog

Canadian Centre for Cyber Security Advisory