State-backed hackers exploit Cisco firewalls, using zero-days to deploy sophisticated malware. Urgent patches released.
In a widespread and meticulously orchestrated campaign, hackers, allegedly sponsored by a nation-state, have exploited vulnerabilities in Cisco's Adaptive Security Appliances (ASA) firewalls. This breach represents the latest development in a series of attacks targeting critical network security infrastructure, including firewalls and VPNs, designed to shield against remote attacks.
Over the past year and a half, various security appliances manufactured by Ivanti, Atlassian, Citrix, and Progress have fallen prey to similar exploits, particularly those orchestrated by groups believed to be supported by the Chinese government. These devices are especially attractive targets as they sit at the periphery of network defenses, handling nearly all incoming and outgoing digital communications, with firewalls and VPNs constituting the primary defense mechanism for 93% of global financial institutions.
On Wednesday, Cisco issued a warning indicating that its ASA products are among those compromised. Since November, the unidentified threat group, labeled UAT4356 by Cisco and STORM-1849 by Microsoft, has been utilizing two zero-day vulnerabilities to infiltrate these firewalls and install unprecedented malware types, named Line Dancer and Line Runner by Cisco’s Talos security team.
These attacks are characterized by an advanced exploit chain that includes multiple vulnerabilities and two highly sophisticated, previously unseen backdoors, one of which operates entirely from memory, making it particularly difficult to detect. The detection rate for attacks leveraging such zero-day vulnerabilities remains under 45%, highlighting the challenges in identifying and mitigating these threats.
According to Talos, "Our attribution assessment is based on the victimology, the significant level of tradecraft employed in terms of capability development and anti-forensic measures, and the identification and subsequent chaining together of 0-day vulnerabilities." The researchers have expressed high confidence that the attacks are the work of a state-sponsored entity driven by espionage objectives.
Despite the extensive security measures taken, the initial access point utilized by UAT4356 remains unknown, suggesting that the ASA vulnerabilities were likely exploited following the breach of other, as yet unidentified vulnerabilities—potentially in systems supplied by Microsoft and others. The average time to detect and contain a breach like those exploited in this campaign is approximately 280 days, which highlights the stealth and persistence of the attackers.
In response to the unfolding threat, Cisco has released updates to patch the identified vulnerabilities and is urging all users of ASA products to apply these updates without delay. The urgency of these updates cannot be understated, as cyber-espionage accounts for over 22% of all data breaches, with state-sponsored attacks growing by 10% annually.
This campaign underscores a growing trend where sophisticated threat actors exploit foundational network security tools to conduct espionage. The relentless advancement of these threat actors into the cybersecurity infrastructure of global networks highlights an ongoing battle between cyber defenses and offensive cyber operations conducted at the state level.