CVE-2024-20353, CVE-2024-20359: Frequently Asked Questions About ArcaneDoor
2024-4-26 08:1:44 Author: www.tenable.com(查看原文) 阅读量:31 收藏

Satnam Narang

A blue gradient background with the Tenable Research logo in the top center. Underneath the logo is an orange/yellow rectangular shaped box with the word "ADVISORY" in it. Underneath it are the words "Frequently Asked Questions." This is an FAQ blog about ArcaneDoor, an espionage-related campaign that exploited two zero-day vulnerabilities (CVE-2024-20353 and CVE-2024-20359) in Cisco ASA appliances.

Frequently asked questions about CVE-2024-20353 and CVE-2024-20359, two vulnerabilities associated with “ArcaneDoor,” the espionage-related campaign targeting Cisco Adaptive Security Appliances.

Background

The Tenable Security Response Team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding an espionage campaign called ArcaneDoor.

FAQ

What is ArcaneDoor?

ArcaneDoor is the name given to an espionage-focused campaign disclosed by researchers at Cisco Talos on April 24. The campaign involves a reported state-sponsored actor who has been targeting vulnerable network devices including Cisco’s Adaptive Security Appliances (ASA). The campaign included the exploitation of at least two zero-day vulnerabilities.

What are the vulnerabilities associated with ArcaneDoor?

As of April 25, the following vulnerabilities are attributed to the ArcaneDoor campaign:

CVEDescriptionCVSSv3
CVE-2024-20353Cisco ASA and Firepower Threat Defense (FTD) Software Web Services Denial of Service Vulnerability8.6
CVE-2024-20359Cisco ASA and FTD Software Persistent Local Code Execution Vulnerability6.0

Who is the group behind ArcaneDoor?

The group has been labeled UAT4356 by Cisco and STORM-1849 by Microsoft. Cisco attributes this activity with “high confidence” to a state-sponsored actor, though it is unconfirmed which state the group is associated with.

What is the initial access vector for ArcaneDoor?

As of April 25, the initial access vector for the ArcaneDoor campaign is unknown. The investigation into ArcaneDoor is ongoing. We will update this blog post once additional information becomes available.

When did the ArcaneDoor campaign begin?

Cisco says UAT4356 began the development and testing phase for this campaign back in July 2023, setting up the infrastructure for the campaign in November 2023. However, malicious activity associated with ArcaneDoor occurred between December 2023 and early January 2024.

Is any malware associated with ArcaneDoor?

Yes, it appears that UAT4356 deployed two types of malware in the ArcaneDoor campaign:

  • Line Dancer: in-memory malware for executing commands and evading analysis
  • Line Runner: backdoor malware to maintain persistence

For analysis of Line Dancer and Line Runner, please refer to the Cisco Talos blog post.

Are there any other good sources of information about ArcaneDoor?

Yes, the Canadian Centre for Cyber Security (Cyber Centre) published an article providing additional insights into the malicious activity associated with ArcaneDoor. In it, the Cyber Centre says that Cisco ASA series ASA55xx running firmware versions 9.12 and 9.14 have been targeted by malicious actors that “established unauthorized access through WebVPN sessions,” which are “commonly associated with Clientless SSLVPN services.”

Are patches available for the vulnerabilities associated with ArcaneDoor?

Yes, Cisco released patches for affected versions of ASA and FTD. For more information, refer to the individual advisory pages for CVE-2024-20353 and CVE-2024-20359.

Cisco published an advisory CVE-2024-20358. Is this CVE associated with ArcaneDoor?

No. While this vulnerability affects the same products and was published alongside the advisories for CVE-2024-20353 and CVE-2024-20359, it was reportedly discovered by Cisco during internal security testing and is not associated with ArcaneDoor.

Are there indicators of compromise (IOCs) associated with ArcaneDoor?

Yes, Cisco published IOCs for ArcaneDoor in its blog post and on GitHub.

Has Tenable released any product coverage for these vulnerabilities?

A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages as they’re released:

This link will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.

Get more information

Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Satnam Narang

Satnam Narang

Satnam joined Tenable in 2018. He has over 15 years experience in the industry (M86 Security and Symantec). He contributed to the Anti-Phishing Working Group, helped develop a Social Networking Guide for the National Cyber Security Alliance, uncovered a huge spam botnet on Twitter and was the first to report on spam bots on Tinder. He's appeared on NBC Nightly News, Entertainment Tonight, Bloomberg West, and the Why Oh Why podcast.

Interests outside of work: Satnam writes poetry and makes hip-hop music. He enjoys live music, spending time with his three nieces, football and basketball, Bollywood movies and music and Grogu (Baby Yoda).

Related Articles

  • Exposure Management
  • Vulnerability Management

Cybersecurity News You Can Use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Thank You

Thank you for your interest in Tenable Vulnerability Management. A representative will be in touch soon.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Thank You

Thank you for your interest in Tenable.io. A representative will be in touch soon.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Thank You

Thank you for your interest in Tenable Vulnerability Management. A representative will be in touch soon.

Try Tenable Web App Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

Buy Tenable Web App Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

Try Tenable Lumin

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

Buy Tenable Lumin

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

Thank You

Thank you for your interest in Tenable Lumin. A representative will be in touch soon.

Request a demo of Tenable Security Center

Please fill out this form with your contact information.

A sales representative will contact you shortly to schedule a demo.

* Field is required

Request a demo of Tenable OT Security

Get the Operational Technology Security You Need.

Reduce the Risk You Don’t.

Request a demo of Tenable Identity Exposure

Continuously detect and respond to Active Directory attacks. No agents. No privileges.

On-prem and in the cloud.

Request a Demo of Tenable Cloud Security

Exceptional unified cloud security awaits you!

We’ll show you exactly how Tenable Cloud Security helps you deliver multi-cloud asset discovery, prioritized risk assessments and automated compliance/audit reports.

See
Tenable One
In Action

Exposure management for the modern attack surface.

See Tenable Attack Surface Management In Action

Know the exposure of every asset on any platform.

Thank You

Thank you for your interest in Tenable Attack Surface Management. A representative will be in touch soon.

Try Tenable Nessus Professional Free

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

NEW - Tenable Nessus Expert
Now Available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Pro Trial.

Buy Tenable Nessus Professional

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Try Tenable Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Learn How Tenable Helps Achieve SLCGP Cybersecurity Plan Requirements

Tenable solutions help fulfill all SLCGP requirements. Connect with a Tenable representative to learn more.


文章来源: https://www.tenable.com/blog/cve-2024-20353-cve-2024-20359-frequently-asked-questions-about-arcanedoor
如有侵权请联系:admin#unsafe.sh