Given widespread use of Cisco ASA and FTD, WaterISAC is emphasizing these vulnerabilities for awareness. Members using impacted Cisco ASA devices and FTD software are strongly encouraged to address promptly.
Yesterday, Cisco released security updates to address ArcaneDoor—exploitation of Cisco Adaptive Security Appliances (ASA) devices and Cisco Firepower Threat Defense (FTD) software. A cyber threat actor could exploit vulnerabilities (CVE-2024-20353, CVE-2024-20359, CVE-2024-20358) to install a backdoor to later take control of an affected system.
Cisco has reported active exploitation of CVE 2024-20353 and CVE-2024-20359 and CISA has added these vulnerabilities to its Known Exploited Vulnerabilities Catalog.
ArcaneDoor is a threat actor campaign in which state-sponsored actors target perimeter network devices from multiple vendors. These perimeter devices are the perfect intrusion point for espionage-focused campaigns and need to be routinely and promptly patched using up-to-date hardware and software versions and configurations.
Users and administrators are strongly encouraged to apply the necessary updates, hunt for any malicious activity, and report any positive findings to CISA.
At the time of this writing, Talos has not determined the initial access vector used in this campaign. In the past two years, Talos reports a dramatic and sustained increase in the targeting of these devices in telecommunications providers and energy sector organizations.
Additional Information:
- ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices | Cisco Talos
- Cyber Activity Impacting CISCO ASA VPNs | Canadian Centre for Cyber Security
- Hackers backdoored Cisco ASA devices via two zero-days (CVE-2024-20353, CVE-2024-20359) | HelpNetSecurity
- ArcaneDoor hackers exploit Cisco zero-days to breach govt networks | BleepingComputer
