Full Report
Cisco disclosed two zero-day vulnerabilities in its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls that were exploited by a state-backed hacking group tracked as UAT4356 by Cisco Talos and as STORM-1849 by Microsoft. These vulnerabilities have been under attack since Novembe...
Analysis Summary
# Threat Actor: STORM-1849 (UAT4356)
## Attribution & Identity
* **Identification:** State-backed hacking group.
* **Aliases:** UAT4356 (Cisco Talos), STORM-1849 (Microsoft).
* **Known Associations:** Linked to the cyber-espionage campaign named "ArcaneDoor."
## Activity Summary
The actor is associated with the "ArcaneDoor" cyber-espionage campaign. This campaign was active as early as November 2023, exploiting two zero-day vulnerabilities (CVE-2024-20353 and CVE-2024-20359) in Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls to establish persistence and maintain control over the devices. The overall objective is cyber-espionage.
## Tactics, Techniques & Procedures
* **Vulnerability Exploitation:** Exploited two zero-day vulnerabilities in Cisco ASA/FTD firewalls: CVE-2024-20353 (denial of service) and CVE-2024-20359 (persistent local code execution). Both were used to establish persistence and retain control of already-reached devices; the source does not state how the devices were first accessed.
* **Malware Deployment:** Installed custom, sophisticated malware to maintain access.
* **Defense Evasion:** Employed mechanisms within malware to avoid detection, including disabling logging.
* **Configuration Modification:** Modified device configurations to ensure actor access and facilitate espionage.
* **Data Exfiltration:** Captured and exfiltrated network traffic.
* **Remote System Control:** Gained the ability to execute arbitrary shellcode (via Line Dancer) and arbitrary Lua code (via Line Runner) on the compromised device.
## Targeting
* **Sectors:** Not named in the source; targeting is described by device type (perimeter firewalls) rather than by industry.
* **Geography:** Not stated in the source.
* **Victims:** Organizations utilizing Cisco ASA and FTD firewalls.
## Tools & Infrastructure
* **Malware Families Used:**
  * **Line Dancer:** An in-memory shellcode interpreter used to run attacker-supplied payloads, including disabling logging, providing remote access, and capturing and exfiltrating packets.
  * **Line Runner:** A persistent backdoor that executes arbitrary Lua code and carries its own defense-evasion mechanisms.
* **Infrastructure:** Specific C2 infrastructure (domains/IPs) not detailed in this summary context.
## Implications
This actor demonstrates high sophistication, capability to weaponize zero-day vulnerabilities, and a clear focus on long-term espionage against critical network infrastructure (firewalls). Successful compromise allows the actor to monitor, control, and exfiltrate sensitive data traversing the network perimeter.
## Mitigations
* Promptly apply the security updates released by Cisco for ASA and FTD devices to address CVE-2024-20353 and CVE-2024-20359.
* Monitor for unusual outbound traffic originating from the firewalls themselves, unexpected configuration changes, and commands that disable logging on ASA/FTD devices. Because the malware disables logging, a firewall whose syslog feed goes quiet is itself a signal worth alerting on.
* Patching closes the vulnerabilities but does not establish that a device was not already compromised; devices that were exposed during the campaign window should be examined for signs of implant activity.
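The monitoring item above, as an added example that is not part of the original page and is not Cisco's own tooling: a small Python detector run over constructed ASA syslog lines. It flags audited CLI commands that disable logging or save configuration (ASA message IDs 111008 and 111010 are the real command-audit messages), and separately flags devices whose syslog feed has gone silent, since an in-memory implant that suppresses syslog leaves no "no logging" audit event behind. Hostnames, users, addresses and timestamps in the sample are invented; the thresholds are assumptions to tune per environment.

```python
"""Added example (not from the page or from Cisco): two detections for
ASA/FTD syslog, run over constructed sample lines."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample log (hostnames, users, addresses invented). 111008/111010
# are ASA's command-audit messages; 302013 (connection built) serves here as
# a routine heartbeat showing that fw-edge-2 keeps logging after 08:02.
SAMPLE_LOG = """\
2023-11-14T08:00:01Z fw-edge-1 %ASA-5-111010: User 'admin', running 'CLI' from IP 10.0.0.5, executed 'show running-config'
2023-11-14T08:00:05Z fw-edge-2 %ASA-6-302013: Built outbound TCP connection 91 for outside:203.0.113.7/443 (203.0.113.7/443) to inside:10.1.1.20/51522 (198.51.100.2/51522)
2023-11-14T08:02:10Z fw-edge-1 %ASA-5-111010: User 'admin', running 'CLI' from IP 10.0.0.5, executed 'no logging enable'
2023-11-14T08:02:12Z fw-edge-1 %ASA-5-111008: User 'admin' executed the 'write memory' command.
2023-11-14T08:20:00Z fw-edge-2 %ASA-6-302013: Built outbound TCP connection 92 for outside:203.0.113.7/443 (203.0.113.7/443) to inside:10.1.1.20/51524 (198.51.100.2/51524)
2023-11-14T08:40:00Z fw-edge-2 %ASA-6-302013: Built outbound TCP connection 93 for outside:203.0.113.7/443 (203.0.113.7/443) to inside:10.1.1.20/51526 (198.51.100.2/51526)
2023-11-14T09:00:00Z fw-edge-2 %ASA-6-302013: Built outbound TCP connection 94 for outside:203.0.113.7/443 (203.0.113.7/443) to inside:10.1.1.20/51528 (198.51.100.2/51528)
"""

# Assumed evaluation point and silence threshold for the sample run.
SAMPLE_NOW = datetime(2023, 11, 14, 9, 5, tzinfo=timezone.utc)
MAX_SILENCE = timedelta(minutes=30)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) %ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$"
)
# Matches both "executed 'cmd'" (111010) and "executed the 'cmd' command" (111008).
CMD_RE = re.compile(r"executed (?:the )?'(?P<cmd>[^']*)'")

# Commands worth an alert on a perimeter firewall (patterns are assumptions).
RULES = [
    ("logging-disabled", re.compile(r"^(no logging\b|clear logging\b)")),
    ("config-saved", re.compile(r"^(write mem|copy .*running-config|copy .*startup-config)")),
]


def parse_line(line):
    """Parse one ASA syslog line into a dict with a tz-aware timestamp, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def classify_command(text):
    """Return (kind, command) if the audited command matches a rule, else None."""
    m = CMD_RE.search(text)
    if not m:
        return None
    cmd = m.group("cmd").strip()
    for kind, pat in RULES:
        if pat.search(cmd):
            return kind, cmd
    return None


def find_command_alerts(log_text):
    """Alerts from command-audit messages (111008, 111010) in log_text, in order."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["msgid"] not in ("111008", "111010"):
            continue
        hit = classify_command(ev["text"])
        if hit:
            kind, cmd = hit
            alerts.append({"host": ev["host"], "ts": ev["ts"], "kind": kind, "command": cmd})
    return alerts


def find_silent_devices(log_text, now, max_silence):
    """Hosts whose newest message is older than max_silence at `now`.
    Returns {host: seconds_silent}; a quiet firewall may mean logging was killed."""
    last_seen = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["host"] not in last_seen or ev["ts"] > last_seen[ev["host"]]:
            last_seen[ev["host"]] = ev["ts"]
    return {h: int((now - t).total_seconds()) for h, t in last_seen.items() if now - t > max_silence}


if __name__ == "__main__":
    for a in find_command_alerts(SAMPLE_LOG):
        print(f"{a['ts'].isoformat()} {a['host']} {a['kind']}: {a['command']}")
    for host, secs in find_silent_devices(SAMPLE_LOG, SAMPLE_NOW, MAX_SILENCE).items():
        print(f"{host} silent for {secs // 60} min")
```

In the sample, fw-edge-1 shows the sequence a defender should care about: a `no logging enable` followed by `write memory`, after which the device stops sending syslog entirely. The command-audit rule only fires if the actor goes through the CLI; the silence check is what catches logging being suppressed from inside the device, so both belong in the same alerting pipeline.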