#linedancer Hello, anyone still here ...
Cisco: Attackers use a new 0-day vulnerability to plant backdoors on firewalls

Two cleverly crafted backdoors on devices running Cisco's ASA and FTD systems survive reboots and system updates. Many details are still unclear.

heise online
The Canadian Centre for Cyber Security has issued a detailed security advisory regarding the "LINE DANCER" & "LINE RUNNER" attacks against Cisco ASA devices by what it believes are nation-state sponsored malicious actors.

As usual, if you or your organization runs Cisco ASAs, time to patch to mitigate these vulnerabilities.

www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns

#infosec #cybersecurity #LINEDANCER #LINERUNNER #ARCANEDOOR #Cisco #CiscoASA #SecurityAdvisory #CVE_2024_20359 #CVE_2024_20353
Cyber Activity Impacting CISCO ASA VPNs - Canadian Centre for Cyber Security

So, if you think you've maybe got #ArcaneDoor / #LineDancer issues on your ASA (discovery methods here: https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/), first things first:

DO NOT REBOOT OR CRASH DUMP YOUR DEVICE (sorry for shouting)

"When following these procedures first responders should NOT attempt to collect a core dump (Step 5) or reboot the device if they believe that the device has been compromised, based on the lina memory region output."

This thing runs in (hard to reach) memory, and hooks smartly, so it will be gone and your collection will have failed.

What you should do is (I'll quote):

  • Log in to the suspect device CLI. Note: On devices that are running Cisco FTD Software, change into the Cisco ASA CLI using the system support diagnostic-cli command.
  • Use the enable command to change into privileged EXEC mode. Note: On devices that are running Cisco FTD Software, the enable password is blank.
  • Collect the outputs of the following commands:
    • show version
    • verify /SHA-512 system:memory/text
    • debug menu memory 8
  • Open a case with the Cisco Technical Assistance Center (TAC, https://www.cisco.com/c/en/us/support/index.html). In the case, reference the keyword ArcaneDoor and upload the data that was collected in Step 3.
Secondly, although you should patch (after establishing you have not been compromised), the two patches mentioned won't protect you from getting reinfected.

I will repeat (without shouting this time):

Patching is not a fix!

"We have not determined the initial access vector used in this campaign. We have not identified evidence of pre-authentication exploitation to date."

A third CVE (#CVE_2024_20358) did pop up in between the Talos publication and the CISCO advisory page (https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_attacks_event_response), but it is also local (not "network"), so I guess that won't save anyone from reinfection either. But that's just me guessing.

#CVE_2024_20359 #CVE_2024_20353 #infosec #cybersecurity

Final question for anyone still reading: why the debug menu memory 8? What does it do?

ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices

Cisco is aware of new activity targeting certain Cisco Adaptive Security Appliances (ASA) 5500-X Series and has released three CVEs related to the event. We assess with high confidence this activity is related to the same threat actor as ArcaneDoor in 2024.

Cisco Talos Blog
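The triage steps quoted in the post above (enter the ASA CLI, `enable`, collect `show version`, `verify /SHA-512 system:memory/text` and `debug menu memory 8`, then hand the data to TAC) are easy to get wrong under pressure, in particular by running something that reboots the box and destroys the in-memory evidence. The helper below is an added example, not code from the post, from Cisco or from Talos: it builds the command sequence for ASA versus FTD, refuses a plan that contains a reboot or core-dump command, packages the collected outputs with integrity hashes for the TAC case, and compares the `system:memory/text` digest against a baseline you took from a known-good device of the same software version. Assumptions, labelled in the comments: the deny-list of destructive commands (`reload`, `crashinfo ...`, `write core`) is my choice, not the post's; the parser only assumes the 128-hex-character digest follows an `=` sign; and all sample outputs are constructed placeholders, not real device output.

```python
"""ArcaneDoor triage helper (added example; not from the post, Cisco or Talos)."""
import hashlib
import json
import re
from datetime import datetime, timezone

# Ordered triage commands exactly as quoted in the post (ASA CLI).
TRIAGE_COMMANDS = (
    "enable",
    "show version",
    "verify /SHA-512 system:memory/text",
    "debug menu memory 8",
)

# The post says first responders must NOT reboot or core-dump a suspect device,
# because the implant lives in memory. Which commands fall into that class is my
# assumption, not the post's: reload, any crashinfo variant, and write core.
FORBIDDEN = (
    re.compile(r"^\s*reload\b"),
    re.compile(r"^\s*crashinfo\b"),
    re.compile(r"^\s*write\s+core\b"),
)

# Assumes the digest is 128 hex characters following an '=' sign.
HASH_RE = re.compile(r"=\s*([0-9a-fA-F]{128})\b")


def collection_plan(platform):
    """Command sequence; on FTD the ASA CLI is reached via the diagnostic CLI first."""
    plan = list(TRIAGE_COMMANDS)
    if platform.lower() == "ftd":
        plan.insert(0, "system support diagnostic-cli")
    return plan


def check_plan(commands):
    """Refuse any plan containing a command that would destroy volatile evidence."""
    bad = [c for c in commands if any(p.search(c) for p in FORBIDDEN)]
    if bad:
        raise ValueError(f"refusing to run evidence-destroying commands: {bad}")
    return commands


def parse_memory_text_hash(verify_output):
    """Extract the SHA-512 digest from the verify command's output, or None."""
    m = HASH_RE.search(verify_output)
    return m.group(1).lower() if m else None


def build_evidence_record(platform, outputs, baseline_hash):
    """Package raw outputs with SHA-256 integrity hashes and a memory-text verdict.

    baseline_hash: digest of system:memory/text from a known-good device on the
    same software version, or None if you have not established one yet.
    """
    missing = [c for c in TRIAGE_COMMANDS[1:] if c not in outputs]
    if missing:
        raise ValueError(f"incomplete collection, missing: {missing}")
    mem_hash = parse_memory_text_hash(outputs["verify /SHA-512 system:memory/text"])
    if mem_hash is None:
        verdict = "unparseable"
    elif baseline_hash is None:
        verdict = "no-baseline"
    elif mem_hash == baseline_hash.lower():
        verdict = "match"
    else:
        verdict = "MISMATCH"  # escalate: text segment differs from known-good
    return {
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "platform": platform,
        "plan": check_plan(collection_plan(platform)),
        "outputs": {
            cmd: {"text": text, "sha256": hashlib.sha256(text.encode()).hexdigest()}
            for cmd, text in outputs.items()
        },
        "memory_text_sha512": mem_hash,
        "verdict": verdict,
    }


# Constructed sample outputs; placeholders, not real device output.
_SAMPLE_DIGEST = hashlib.sha512(b"constructed sample text segment").hexdigest()
SAMPLE_OUTPUTS = {
    "show version": "Cisco Adaptive Security Appliance Software Version <placeholder>\n",
    "verify /SHA-512 system:memory/text": f"verify /SHA-512 (system:memory/text) = {_SAMPLE_DIGEST}\n",
    "debug menu memory 8": "<constructed placeholder for debug menu memory 8 output>\n",
}

if __name__ == "__main__":
    record = build_evidence_record("ftd", SAMPLE_OUTPUTS, _SAMPLE_DIGEST)
    print(json.dumps(record, indent=2))
```

The per-output SHA-256 values let the TAC case reference exactly what was collected, and the verdict field is only meaningful if the baseline came from the same software version, since the text segment changes with every release. A mismatch is a reason to escalate, not proof of compromise on its own; a match does not clear the device either, which is why the post also sends the `debug menu memory 8` output to TAC.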