{ "Event": { "analysis": "0", "date": "2024-04-25", "extends_uuid": "", "info": "OSINT - ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices", "publish_timestamp": "1714132948", "published": true, "threat_level_id": "1", "timestamp": "1714132910", "uuid": "92214b3e-76c6-48b1-bf92-061c7f55e302", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#0071c3", "local": false, "name": "osint:lifetime=\"perpetual\"", "relationship_type": "" }, { "colour": "#ffffff", "local": false, "name": "tlp:white", "relationship_type": "" }, { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"External Remote Services - T1133\"", "relationship_type": "uses" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:threat-actor=\"ArcaneDoor\"", "relationship_type": "attributed-to" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:producer=\"Cisco Talos Intelligence Group\"", "relationship_type": "documents" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1714044155", "to_ids": false, "type": "vulnerability", "uuid": "d2308b7f-920b-45e4-b902-30855f64ec91", "value": "CVE-2024-20353" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1714044345", "to_ids": false, "type": "vulnerability", "uuid": "b5c337b6-ac51-4a95-b7d8-0663d6847978", "value": "CVE-2024-20359" } ], "Object": [ { "comment": "CVE-2024-20353: Enriched via the cve_advanced module", "deleted": false, "description": "Vulnerability object describing a common vulnerability enumeration which can describe published, unpublished, under review or embargo vulnerability for software, 
equipments or hardware.", "meta-category": "vulnerability", "name": "vulnerability", "template_uuid": "81650945-f186-437b-8945-9f31715d32da", "template_version": "8", "timestamp": "1714044165", "uuid": "30140c43-9b0e-4731-8254-283d98dd016f", "ObjectReference": [ { "comment": "", "object_uuid": "30140c43-9b0e-4731-8254-283d98dd016f", "referenced_uuid": "d2308b7f-920b-45e4-b902-30855f64ec91", "relationship_type": "related-to", "timestamp": "1714044165", "uuid": "cbfd61fd-4dd2-4d01-b650-c71ccf1c8c90" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "id", "timestamp": "1714044165", "to_ids": false, "type": "vulnerability", "uuid": "a8ee75b3-79ad-46b2-9205-437515ff73f8", "value": "CVE-2024-20353" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "summary", "timestamp": "1714044165", "to_ids": false, "type": "text", "uuid": "5ee58283-4eb5-4aeb-8a55-958539c3230d", "value": "A vulnerability in the management and VPN web servers for Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause the device to reload unexpectedly, resulting in a denial of service (DoS) condition.\n\n This vulnerability is due to incomplete error checking when parsing an HTTP header. An attacker could exploit this vulnerability by sending a crafted HTTP request to a targeted web server on a device. A successful exploit could allow the attacker to cause a DoS condition when the device reloads." 
}, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "modified", "timestamp": "1714044165", "to_ids": false, "type": "datetime", "uuid": "844e8201-7dd4-4bf5-bc44-5a771a90ec16", "value": "2024-04-24T19:58:00+00:00" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "published", "timestamp": "1714044165", "to_ids": false, "type": "datetime", "uuid": "3f4d2dbc-82ba-47b3-a4a2-c270ff9207c9", "value": "2024-04-24T19:15:00+00:00" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1714044165", "to_ids": false, "type": "text", "uuid": "c352ea2f-0437-40da-bbb7-9c13c5b955b5", "value": "Published" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "references", "timestamp": "1714044165", "to_ids": false, "type": "link", "uuid": "fdb64a7f-09cc-4208-ae5d-d8ed24d0d3f2", "value": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-websrvs-dos-X8gNucD2" } ] }, { "comment": "", "deleted": false, "description": "Object describing a computer program written to be run in a special run-time environment. 
The script or shell script can be used for malicious activities but also as support tools for threat analysts.", "meta-category": "misc", "name": "script", "template_uuid": "6bce7d01-dbec-4054-b3c2-3655a19382e2", "template_version": "7", "timestamp": "1714044298", "uuid": "3e1516ac-fe11-478f-aac8-c0083c42e4c9", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "script", "timestamp": "1714044298", "to_ids": false, "type": "text", "uuid": "15323ff3-4308-4b2b-9023-d2577560415e", "value": "show memory region | include lina", "Tag": [ { "colour": "#0fbf00", "local": false, "name": "cycat:scope=\"detection\"", "relationship_type": "" } ] }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "comment", "timestamp": "1714044271", "to_ids": false, "type": "text", "uuid": "cfcadedb-7c72-475e-adf0-4d2d1e99878e", "value": "Additionally, organizations can issue the command show memory region | include lina to identify another indicator of compromise. If the output indicates more than one executable memory region (memory regions having r-xp permissions, see output examples), especially if one of these memory sections is exactly 0x1000 bytes, then this is a sign of potential tampering." 
}, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1714044271", "to_ids": false, "type": "text", "uuid": "d36b5e3d-799b-468e-bd54-fc80c19ab3e8", "value": "Trusted" } ] }, { "comment": "CVE-2024-20359: Enriched via the cve_advanced module", "deleted": false, "description": "Vulnerability object describing a common vulnerability enumeration which can describe published, unpublished, under review or embargo vulnerability for software, equipments or hardware.", "meta-category": "vulnerability", "name": "vulnerability", "template_uuid": "81650945-f186-437b-8945-9f31715d32da", "template_version": "8", "timestamp": "1714044355", "uuid": "0d6f8c29-a5d7-4e0b-8d68-1c390e94134d", "ObjectReference": [ { "comment": "", "object_uuid": "0d6f8c29-a5d7-4e0b-8d68-1c390e94134d", "referenced_uuid": "b5c337b6-ac51-4a95-b7d8-0663d6847978", "relationship_type": "related-to", "timestamp": "1714044355", "uuid": "55465456-ccf1-42cb-a256-caa0ff303cf2" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "id", "timestamp": "1714044355", "to_ids": false, "type": "vulnerability", "uuid": "dc99827d-6854-4b1e-aa0c-79cdc61fe048", "value": "CVE-2024-20359" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "summary", "timestamp": "1714044355", "to_ids": false, "type": "text", "uuid": "0a56742e-df8c-429d-a2b1-9500284a8f0a", "value": "A vulnerability in a legacy capability that allowed for the preloading of VPN clients and plug-ins and that has been available in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, local attacker to execute arbitrary code with root-level privileges. 
Administrator-level privileges are required to exploit this vulnerability.\n\n This vulnerability is due to improper validation of a file when it is read from system flash memory. An attacker could exploit this vulnerability by copying a crafted file to the disk0: file system of an affected device. A successful exploit could allow the attacker to execute arbitrary code on the affected device after the next reload of the device, which could alter system behavior. Because the injected code could persist across device reboots, Cisco has raised the Security Impact Rating (SIR) of this advisory from Medium to High." }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "modified", "timestamp": "1714044355", "to_ids": false, "type": "datetime", "uuid": "06d41353-b861-4708-91f2-06f916f7fc15", "value": "2024-04-24T19:58:00+00:00" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "published", "timestamp": "1714044355", "to_ids": false, "type": "datetime", "uuid": "7f121cf9-2a3f-4708-9542-527c3f210edf", "value": "2024-04-24T19:15:00+00:00" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1714044355", "to_ids": false, "type": "text", "uuid": "0814fa85-ade5-4f03-a164-e5e5bd736ad5", "value": "Published" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "references", "timestamp": "1714044355", "to_ids": false, "type": "link", "uuid": "319c7eb7-62eb-4d0c-98c6-2b98061b54f9", "value": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-persist-rce-FLsNXF4h" } ] }, { "comment": "Adversary controlled as mentioned in the blog post", "deleted": false, "description": "An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame.", 
"meta-category": "network", "name": "ip-port", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "template_version": "9", "timestamp": "1714125199", "uuid": "85e3eade-a4dc-4c19-b119-d4258bbfd957", "Attribute": [ { "category": "Network activity", "comment": "Likely Actor-Controlled Infrastructure", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1714125203", "to_ids": true, "type": "ip-dst", "uuid": "816e6038-e925-4215-b657-282ed214485f", "value": "192.36.57.181" }, { "category": "Network activity", "comment": "Likely Actor-Controlled Infrastructure", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1714125203", "to_ids": true, "type": "ip-dst", "uuid": "1c38e45f-8e96-4a62-9424-e9a8f36be14b", "value": "185.167.60.85" }, { "category": "Network activity", "comment": "Likely Actor-Controlled Infrastructure", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1714125203", "to_ids": true, "type": "ip-dst", "uuid": "10ff4124-a3eb-42be-a107-4c31d6dd4ed1", "value": "185.227.111.17" }, { "category": "Network activity", "comment": "Likely Actor-Controlled Infrastructure", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1714125203", "to_ids": true, "type": "ip-dst", "uuid": "3a980af8-5592-48b8-b2b2-61e90f9627e5", "value": "176.31.18.153" }, { "category": "Network activity", "comment": "Likely Actor-Controlled Infrastructure", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1714125203", "to_ids": true, "type": "ip-dst", "uuid": "1bb1a30f-b353-4acc-8569-76958843da02", "value": "172.105.90.154" }, { "category": "Network activity", "comment": "Likely Actor-Controlled Infrastructure", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1714125203", "to_ids": true, "type": "ip-dst", "uuid": "2e838645-802c-4b56-9af3-1bc10e3cc7b2", "value": 
"185.244.210.120" }, { "category": "Network activity", "comment": "Likely Actor-Controlled Infrastructure", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1714125203", "to_ids": true, "type": "ip-dst", "uuid": "96b59c89-4b7e-4bad-98be-9a02f0c5e811", "value": "45.86.163.224" }, { "category": "Network activity", "comment": "Likely Actor-Controlled Infrastructure", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1714125203", "to_ids": true, "type": "ip-dst", "uuid": "11867665-3530-40b8-936c-36aa94aaa21d", "value": "172.105.94.93" }, { "category": "Network activity", "comment": "Likely Actor-Controlled Infrastructure", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1714125203", "to_ids": true, "type": "ip-dst", "uuid": "cea71eba-ddfb-491b-9e7e-b6aa181f4418", "value": "213.156.138.77" }, { "category": "Network activity", "comment": "Likely Actor-Controlled Infrastructure", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1714125203", "to_ids": true, "type": "ip-dst", "uuid": "8feda09b-55a4-45d2-89fb-0680d24bc548", "value": "89.44.198.189" }, { "category": "Network activity", "comment": "Likely Actor-Controlled Infrastructure", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1714125203", "to_ids": true, "type": "ip-dst", "uuid": "368f89c1-34da-44af-ae2c-4cbd38e2f340", "value": "45.77.52.253" }, { "category": "Network activity", "comment": "Likely Actor-Controlled Infrastructure", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1714125203", "to_ids": true, "type": "ip-dst", "uuid": "33b43d58-82dd-4f8b-8931-3cd1a7cbfbd2", "value": "103.114.200.230" }, { "category": "Network activity", "comment": "Likely Actor-Controlled Infrastructure", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1714125203", 
"to_ids": true, "type": "ip-dst", "uuid": "16a35c9e-a6e5-4437-9762-13bc9d01d7e5", "value": "212.193.2.48" }, { "category": "Network activity", "comment": "Likely Actor-Controlled Infrastructure", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1714125203", "to_ids": true, "type": "ip-dst", "uuid": "aeef747a-cc62-4314-a6d7-2bfbe57f7be1", "value": "51.15.145.37" }, { "category": "Network activity", "comment": "Likely Actor-Controlled Infrastructure", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1714125203", "to_ids": true, "type": "ip-dst", "uuid": "8fffc70c-c1a2-4e1f-99a5-606861475287", "value": "89.44.198.196" }, { "category": "Network activity", "comment": "Likely Actor-Controlled Infrastructure", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1714125203", "to_ids": true, "type": "ip-dst", "uuid": "a1812159-71e2-4bf0-909b-18308d6c60dd", "value": "131.196.252.148" }, { "category": "Network activity", "comment": "Likely Actor-Controlled Infrastructure", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1714125203", "to_ids": true, "type": "ip-dst", "uuid": "1d55de0c-ef3c-463f-b24e-bc4210fb54a6", "value": "213.156.138.78" }, { "category": "Network activity", "comment": "Likely Actor-Controlled Infrastructure", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1714125203", "to_ids": true, "type": "ip-dst", "uuid": "31f297b6-dbdb-464c-88f8-d38753d3210e", "value": "121.227.168.69" }, { "category": "Network activity", "comment": "Likely Actor-Controlled Infrastructure", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1714125203", "to_ids": true, "type": "ip-dst", "uuid": "44b1d6dd-6c15-488c-a756-85fc640948f1", "value": "213.156.138.68" }, { "category": "Network activity", "comment": "Likely Actor-Controlled Infrastructure", "deleted": false, 
"disable_correlation": false, "object_relation": "ip", "timestamp": "1714125203", "to_ids": true, "type": "ip-dst", "uuid": "c301be45-3a1e-4518-90b1-dea8d897b3b7", "value": "194.4.49.6" }, { "category": "Network activity", "comment": "Likely Actor-Controlled Infrastructure", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1714125203", "to_ids": true, "type": "ip-dst", "uuid": "10f4a26e-590b-4b06-8a8d-d3a392d76014", "value": "185.244.210.65" }, { "category": "Network activity", "comment": "Likely Actor-Controlled Infrastructure", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1714125203", "to_ids": true, "type": "ip-dst", "uuid": "28d20e93-7f46-4456-8401-fe84b60af533", "value": "216.238.75.155" } ] }, { "comment": "Multi-tenant infrastructure", "deleted": false, "description": "An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame.", "meta-category": "network", "name": "ip-port", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "template_version": "9", "timestamp": "1714125413", "uuid": "7deae7be-9a3d-459b-915c-1294d1e1f6a2", "Attribute": [ { "category": "Network activity", "comment": "Multi-Tenant Infrastructure", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1714125413", "to_ids": true, "type": "ip-dst", "uuid": "00599967-7db7-4c13-acfd-5c8bcfbaf33f", "value": "5.183.95.95" }, { "category": "Network activity", "comment": "Multi-Tenant Infrastructure", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1714125413", "to_ids": true, "type": "ip-dst", "uuid": "51267f49-9047-45a2-ad06-41d3a97112bb", "value": "45.63.119.131" }, { "category": "Network activity", "comment": "Multi-Tenant Infrastructure", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1714125413", "to_ids": true, "type": "ip-dst", "uuid": 
"4bf13e45-299b-4bd9-8b5a-5d4752876f4a", "value": "45.76.118.87" }, { "category": "Network activity", "comment": "Multi-Tenant Infrastructure", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1714125413", "to_ids": true, "type": "ip-dst", "uuid": "8bb35eac-c04d-4100-9fa2-f9b43d254eda", "value": "45.77.54.14" }, { "category": "Network activity", "comment": "Multi-Tenant Infrastructure", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1714125413", "to_ids": true, "type": "ip-dst", "uuid": "0f5b85dc-8b17-4d69-af9e-1b78d596a7e6", "value": "45.86.163.244" }, { "category": "Network activity", "comment": "Multi-Tenant Infrastructure", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1714125414", "to_ids": true, "type": "ip-dst", "uuid": "34d413f0-8600-4b8d-a2e7-49d1fcec958b", "value": "45.128.134.189" }, { "category": "Network activity", "comment": "Multi-Tenant Infrastructure", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1714125414", "to_ids": true, "type": "ip-dst", "uuid": "55e138fc-02e3-4e27-b029-e8385e9b0d81", "value": "89.44.198.16" }, { "category": "Network activity", "comment": "Multi-Tenant Infrastructure", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1714125414", "to_ids": true, "type": "ip-dst", "uuid": "05ffe3b0-2b75-4869-8e68-4c217e531964", "value": "96.44.159.46" }, { "category": "Network activity", "comment": "Multi-Tenant Infrastructure", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1714125414", "to_ids": true, "type": "ip-dst", "uuid": "3205bd83-fe34-456d-8745-b7f1a89191cd", "value": "103.20.222.218" }, { "category": "Network activity", "comment": "Multi-Tenant Infrastructure", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1714125414", "to_ids": true, "type": "ip-dst", "uuid": 
"adf36631-11f2-44dc-a3dc-92b0ae6326de", "value": "103.27.132.69" }, { "category": "Network activity", "comment": "Multi-Tenant Infrastructure", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1714125414", "to_ids": true, "type": "ip-dst", "uuid": "0ea6035e-c8f3-41d3-b2a1-ba2c7221c72b", "value": "103.51.140.101" }, { "category": "Network activity", "comment": "Multi-Tenant Infrastructure", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1714125414", "to_ids": true, "type": "ip-dst", "uuid": "335b5014-3155-44a8-9479-2ae0680d227f", "value": "103.119.3.230" }, { "category": "Network activity", "comment": "Multi-Tenant Infrastructure", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1714125414", "to_ids": true, "type": "ip-dst", "uuid": "d115e61f-3aeb-4954-901f-cafdbdbb9f5f", "value": "103.125.218.198" }, { "category": "Network activity", "comment": "Multi-Tenant Infrastructure", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1714125414", "to_ids": true, "type": "ip-dst", "uuid": "23a79714-7e6e-496f-844b-dd5e25bd1aab", "value": "104.156.232.22" }, { "category": "Network activity", "comment": "Multi-Tenant Infrastructure", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1714125414", "to_ids": true, "type": "ip-dst", "uuid": "9b179ef9-a076-4636-8f20-b63cc8f0a1b2", "value": "107.148.19.88" }, { "category": "Network activity", "comment": "Multi-Tenant Infrastructure", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1714125414", "to_ids": true, "type": "ip-dst", "uuid": "e0e94eba-640c-412e-94b3-55500344dda5", "value": "107.172.16.208" }, { "category": "Network activity", "comment": "Multi-Tenant Infrastructure", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1714125414", "to_ids": true, "type": "ip-dst", 
"uuid": "e01b5008-aaa1-42a8-9a85-4b6c055c5d63", "value": "107.173.140.111" }, { "category": "Network activity", "comment": "Multi-Tenant Infrastructure", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1714125414", "to_ids": true, "type": "ip-dst", "uuid": "04b7453d-563a-47a2-ab9e-8253b4d74691", "value": "121.37.174.139" }, { "category": "Network activity", "comment": "Multi-Tenant Infrastructure", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1714125414", "to_ids": true, "type": "ip-dst", "uuid": "f5c2b398-b2ef-47eb-8895-e79120ba631d", "value": "139.162.135.12" }, { "category": "Network activity", "comment": "Multi-Tenant Infrastructure", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1714125414", "to_ids": true, "type": "ip-dst", "uuid": "d0914211-6c73-444d-92d0-dcb19dab1a4b", "value": "149.28.166.244" }, { "category": "Network activity", "comment": "Multi-Tenant Infrastructure", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1714125414", "to_ids": true, "type": "ip-dst", "uuid": "cda69d0b-89d5-4528-b90c-cdc130af19a5", "value": "152.70.83.47" }, { "category": "Network activity", "comment": "Multi-Tenant Infrastructure", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1714125414", "to_ids": true, "type": "ip-dst", "uuid": "5ca9cb15-2938-4894-b81e-513ac8f133f2", "value": "154.22.235.13" }, { "category": "Network activity", "comment": "Multi-Tenant Infrastructure", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1714125414", "to_ids": true, "type": "ip-dst", "uuid": "53c5922a-d423-4610-98c6-f7a40c905639", "value": "154.22.235.17" }, { "category": "Network activity", "comment": "Multi-Tenant Infrastructure", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1714125414", "to_ids": true, "type": 
"ip-dst", "uuid": "818f15c4-4922-4008-985a-a5fba2b0cb4a", "value": "154.39.142.47" }, { "category": "Network activity", "comment": "Multi-Tenant Infrastructure", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1714125414", "to_ids": true, "type": "ip-dst", "uuid": "cf14177a-259d-4dee-ac9e-bbd5598f5425", "value": "172.233.245.241" }, { "category": "Network activity", "comment": "Multi-Tenant Infrastructure", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1714125414", "to_ids": true, "type": "ip-dst", "uuid": "4ad8ba94-040b-4fec-aaa3-06e55f3678fc", "value": "185.123.101.250" }, { "category": "Network activity", "comment": "Multi-Tenant Infrastructure", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1714125414", "to_ids": true, "type": "ip-dst", "uuid": "4e985efd-e047-4695-8db3-6e4ef3cc95a8", "value": "192.210.137.35" }, { "category": "Network activity", "comment": "Multi-Tenant Infrastructure", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1714125414", "to_ids": true, "type": "ip-dst", "uuid": "3d0a9c6f-018a-4b81-8830-c1b80197c884", "value": "194.32.78.183" }, { "category": "Network activity", "comment": "Multi-Tenant Infrastructure", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1714125414", "to_ids": true, "type": "ip-dst", "uuid": "c93411a6-d94f-4cd7-aff3-f130ff59596f", "value": "205.234.232.196" }, { "category": "Network activity", "comment": "Multi-Tenant Infrastructure", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1714125414", "to_ids": true, "type": "ip-dst", "uuid": "2b5906ab-b4d4-4322-be46-ed07d75913c9", "value": "207.148.74.250" }, { "category": "Network activity", "comment": "Multi-Tenant Infrastructure", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1714125414", "to_ids": 
true, "type": "ip-dst", "uuid": "c4bdccda-c25e-4d69-bb1c-da8cb5417cf0", "value": "216.155.157.136" }, { "category": "Network activity", "comment": "Multi-Tenant Infrastructure", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1714125414", "to_ids": true, "type": "ip-dst", "uuid": "63909d73-9e3b-40dd-a424-2fa944a915b3", "value": "216.238.66.251" }, { "category": "Network activity", "comment": "Multi-Tenant Infrastructure", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1714125414", "to_ids": true, "type": "ip-dst", "uuid": "0ed5588f-eef3-4430-aec9-5f9410d5544e", "value": "216.238.71.49" }, { "category": "Network activity", "comment": "Multi-Tenant Infrastructure", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1714125415", "to_ids": true, "type": "ip-dst", "uuid": "57c4236d-7815-4e96-b9de-f33e39dfe06c", "value": "216.238.72.201" }, { "category": "Network activity", "comment": "Multi-Tenant Infrastructure", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1714125415", "to_ids": true, "type": "ip-dst", "uuid": "67573fa0-8c7f-4d5b-b88d-724875899cc4", "value": "216.238.74.95" }, { "category": "Network activity", "comment": "Multi-Tenant Infrastructure", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1714125415", "to_ids": true, "type": "ip-dst", "uuid": "569db2d5-da92-4a30-a292-0bc8f27ee651", "value": "216.238.81.149" }, { "category": "Network activity", "comment": "Multi-Tenant Infrastructure", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1714125415", "to_ids": true, "type": "ip-dst", "uuid": "454ce217-5284-44e0-9f81-f05c1c58c00c", "value": "216.238.85.220" }, { "category": "Network activity", "comment": "Multi-Tenant Infrastructure", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1714125415", 
"to_ids": true, "type": "ip-dst", "uuid": "314556e4-cb6e-46f8-9960-d75e544265f3", "value": "216.238.86.24" } ] }, { "comment": "", "deleted": false, "description": "Report object to describe a report along with its metadata.", "meta-category": "misc", "name": "report", "template_uuid": "70a68471-df22-4e3f-aa1a-5a3be19f82df", "template_version": "8", "timestamp": "1714125746", "uuid": "0208b8b4-acd8-4828-b6a2-8b7a5606ee93", "ObjectReference": [ { "comment": "", "object_uuid": "0208b8b4-acd8-4828-b6a2-8b7a5606ee93", "referenced_uuid": "3e1516ac-fe11-478f-aac8-c0083c42e4c9", "relationship_type": "references", "timestamp": "1714125681", "uuid": "9b202682-ffeb-44b6-9713-67bebf9e39cd" }, { "comment": "", "object_uuid": "0208b8b4-acd8-4828-b6a2-8b7a5606ee93", "referenced_uuid": "edce3b9b-3cc1-4621-a0e6-8bcda0de4318", "relationship_type": "references", "timestamp": "1714125746", "uuid": "dbbe8ccc-2c6c-47fe-ba01-a89e24377adc" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "link", "timestamp": "1714125618", "to_ids": false, "type": "link", "uuid": "4adedfd7-ebec-49d0-918d-3f6d72b0ad7f", "value": "https://www.circl.lu/pub/tr-85/" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "title", "timestamp": "1714125618", "to_ids": false, "type": "text", "uuid": "876a0562-e07d-4941-b07c-59d6b7828d78", "value": "TR-85 - Three vulnerabilities in Cisco ASA software/applicance and FTD software being exploited" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "type", "timestamp": "1714125618", "to_ids": false, "type": "text", "uuid": "59600f8c-3f2a-4170-a608-1bd6bc011f41", "value": "Report" } ] }, { "comment": "", "deleted": false, "description": "Report object to describe a report along with its metadata.", "meta-category": "misc", "name": "report", "template_uuid": 
"70a68471-df22-4e3f-aa1a-5a3be19f82df", "template_version": "8", "timestamp": "1714125783", "uuid": "edce3b9b-3cc1-4621-a0e6-8bcda0de4318", "ObjectReference": [ { "comment": "", "object_uuid": "edce3b9b-3cc1-4621-a0e6-8bcda0de4318", "referenced_uuid": "7deae7be-9a3d-459b-915c-1294d1e1f6a2", "relationship_type": "references", "timestamp": "1714125706", "uuid": "6edcb0c3-2113-4567-a936-c5a0daf0760f" }, { "comment": "", "object_uuid": "edce3b9b-3cc1-4621-a0e6-8bcda0de4318", "referenced_uuid": "85e3eade-a4dc-4c19-b119-d4258bbfd957", "relationship_type": "references", "timestamp": "1714125728", "uuid": "663da3c2-de5f-47eb-853a-3f02941b2c54" }, { "comment": "", "object_uuid": "edce3b9b-3cc1-4621-a0e6-8bcda0de4318", "referenced_uuid": "30140c43-9b0e-4731-8254-283d98dd016f", "relationship_type": "references", "timestamp": "1714125761", "uuid": "4bffb14b-138f-41a3-a9eb-d470e15b1380" }, { "comment": "", "object_uuid": "edce3b9b-3cc1-4621-a0e6-8bcda0de4318", "referenced_uuid": "0d6f8c29-a5d7-4e0b-8d68-1c390e94134d", "relationship_type": "references", "timestamp": "1714125783", "uuid": "a1f6b7d5-30a9-478b-807c-9c8873939d47" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "link", "timestamp": "1714125656", "to_ids": false, "type": "link", "uuid": "89c350a4-bfa3-4bd7-bb55-7797fd8aec30", "value": "https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "title", "timestamp": "1714125656", "to_ids": false, "type": "text", "uuid": "7b4c9d6b-d223-4233-a32b-fee0a6b28a1b", "value": "ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "type", "timestamp": "1714125656", "to_ids": false, 
"type": "text", "uuid": "84d26378-d46c-4687-9700-055579df03dc", "value": "Blog" } ] } ], "EventReport": [ { "name": "Report from - https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/ (1714044381)", "content": "# ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices\r\n\r\nBy Cisco Talos \r\n\r\nWednesday, April 24, 2024 11:54 Threat Advisory Threats APT ArcaneDoor is a campaign that is the latest example of state-sponsored actors targeting perimeter network devices from multiple vendors. Coveted by these actors, perimeter network devices are the perfect intrusion point for espionage-focused campaigns. As a critical path for data into and out of the network, these devices need to be routinely and promptly patched; using up-to-date hardware and software versions and configurations; and be closely monitored from a security perspective. Gaining a foothold on these devices allows an actor to directly pivot into an organization, reroute or modify traffic and monitor network communications. In the past two years, we have seen a dramatic and sustained increase in the targeting of these devices in areas such as telecommunications providers and energy sector organizations \u2014 critical infrastructure entities that are likely strategic targets of interest for many foreign governments. \r\n\r\nCisco\u2019s position as a leading global network infrastructure vendor gives Talos\u2019 Intelligence and Interdiction team immense visibility into the general state of network hygiene. This also gives us uniquely positioned investigative capability into attacks of this nature. Early in 2024, a vigilant customer reached out to both Cisco\u2019s Product Security Incident Response Team (PSIRT) and Cisco Talos to discuss security concerns with their Cisco Adaptive Security Appliances (ASA). PSIRT and Talos came together to launch an investigation to assist the customer. 
During that investigation, which eventually included several external intelligence partners and spanned several months, we identified a previously unknown actor now tracked as UAT4356 by Talos and STORM-1849 by the Microsoft Threat Intelligence Center. This actor utilized bespoke tooling that demonstrated a clear focus on espionage and an in-depth knowledge of the devices that they targeted, hallmarks of a sophisticated state-sponsored actor. \r\n\r\nUAT4356 deployed two backdoors as components of this campaign, \u201cLine Runner\u201d and \u201cLine Dancer,\u201d which were used collectively to conduct malicious actions on-target, which included configuration modification, reconnaissance, network traffic capture/exfiltration and potentially lateral movement. \r\n\r\n## **Critical Fixes Available**\r\n\r\nWorking with victims and intelligence partners, Cisco uncovered a sophisticated attack chain that was used to implant custom malware and execute commands across a small set of customers. While we have been unable to identify the initial attack vector, we have identified two vulnerabilities (CVE-2024-20353 and CVE-2024-20359), which we detail below. Customers are strongly advised to follow the guidance published in the security advisories discussed below. \r\n\r\nFurther, network telemetry and information from intelligence partners indicate the actor is interested in \u2014 and potentially attacking \u2014 network devices from Microsoft and other vendors. Regardless of your network equipment provider, now is the time to ensure that the devices are properly patched, logging to a central, secure location, and configured to have strong, multi-factor authentication (MFA). Additional recommendations specific to Cisco are available here. \r\n\r\n## **Timeline**\r\n\r\nCisco was initially alerted to suspicious activity on an ASA device in early 2024. The investigation that followed identified additional victims, all of which involved government networks globally. 
During the investigation, we identified actor-controlled infrastructure dating back to early November 2023, with most activity taking place between December 2023 and early January 2024. Further, we have identified evidence that suggests this capability was being tested and developed as early as July 2023. \r\n\r\nCisco has identified two vulnerabilities that were abused in this campaign (CVE-2024-20353 and CVE-2024-20359). Patches for these vulnerabilities are detailed in the Cisco Security Advisories released today.\r\n\r\n### **Initial Access**\r\n\r\nWe have not determined the initial access vector used in this campaign. We have not identified evidence of pre-authentication exploitation to date. Our investigation is ongoing, and we will provide updates, if necessary, in the security advisories or on this blog.\r\n\r\n## **Line Dancer: In-Memory Implant Technical Details**\r\n\r\nThe malware implant has a couple of key components. The first is a memory-only implant, called \u201cLine Dancer.\u201d This implant is a memory-resident shellcode interpreter that enables adversaries to upload and execute arbitrary shellcode payloads. \r\n\r\nOn a compromised ASA, the attackers submit shellcode via the host-scan-reply field, which is then parsed by the Line Dancer implant. Note that the use of this field does not indicate the exploitation of CVE-2018-0101 which was NOT used as a component of this campaign. The host-scan-reply field, typically used in later parts of the SSL VPN session establishment process, is processed by ASA devices configured for SSL VPN, IPsec IKEv2 VPN with \u201cclient-services\" or HTTPS management access. The actor overrides the pointer to the default host-scan-reply code to instead point to the Line Dancer shellcode interpreter. This allows the actor to use POST requests to interact with the device without having to authenticate and interact directly through any traditional management interfaces. 
\r\n\r\nLine Dancer is used to execute commands on the compromised device. During our investigation, Talos was able to observe the threat actors using the Line Dancer malware implant to: \r\n\r\n\r\n* Disable syslog. \r\n* Run and exfiltrate the command show configuration. \r\n* Create and exfiltrate packet captures. \r\n* Execute CLI commands present in shellcode; this includes configuration mode commands and the ability to save them to memory (write mem). \r\n* Hook the crash dump process, which forces the device to skip the crash dump generation and jump directly to a device reboot. This is designed to evade forensic analysis, as the crash dump would contain evidence of compromise and provide additional forensic details to investigators. \r\n* Hook the AAA (Authentication, Authorization and Accounting) function to allow for a magic number authentication capability. When the attacker attempts to connect to the device using this magic number, they are able to establish a remote access VPN tunnel bypassing the configured AAA mechanisms. As an alternate form of access, a P12 blob is generated along with an associated certificate and exfiltrated to the actor along with a certificate-based tunnel configuration. \r\n\r\n## **Host-Scan-Reply hook overview**\r\n\r\nIn the Line Dancer implant\u2019s process memory, we found a function (detailed below) that checks if a 32-byte token matches a pattern. If so, it base64-decodes the payload, copies it into the attacker's writable and executable memory region, and then calls the newly decoded function. Either way, it ends by calling processHostScanReply(). \r\n \r\nThe function processHostScanReply() is normally accessed through a function pointer in the elementArray table, associated with the string host-scan-reply. In the captured memory, the entry that should point to processHostScanReply()now instead points to the attacker's function that decodes and runs its payload. 
Since this change is in the data section of memory, it doesn't show up in hashes/dumps of text. \r\n \r\nThe attacker function that decodes and runs its payload has the following decompilation: \r\n\r\n## **Line Runner: Persistence Mechanism**\r\n\r\nThe threat actor maintains persistence utilizing a second, but persistent, backdoor called \u201cLine Runner\u201d on the compromised ASA device using functionality related to a legacy capability that allowed for the pre-loading of VPN clients and plugins on the device. At boot, the ASA is designed to look for the presence of a file on disk0: matching the Lua regular expression:\r\n\r\n ^client\\_bundle[%w\\_-]*%.zip$ \r\n\r\nIf the file exists, it will unzip it and execute the script csco\\_config.lua. Once processed, the ZIP file is deleted. This is assigned CVE-2024-20359 and more details are available in this Cisco Security Advisory. \r\n\r\nIn at least one case, there is another vulnerability, CVE-2024-20353, that was abused by the actor to facilitate this process. The attackers were able to leverage this vulnerability to cause the target ASA device to reboot, triggering the unzipping and installation of the second component of the threat actor\u2019s malware implant, Line Runner. \r\n\r\nThe threat actor\u2019s ZIP file has the following files: \r\n\r\nThe scripts in the zip file allow the threat actor to maintain a persistent HTTP-based Lua backdoor to the ASA, which survives across reboots and upgrades. Line Runner was observed being used by UAT4356 to retrieve information that was staged through the use of Line Dancer. 
\r\n\r\n### csco\\_config.lua\r\n\r\nThe csco\\_config.lua file is run at boot and makes the following modifications to the system: \r\n \r\n\u2022 Create disk0:/csco\\_config/97/webcontent/ if it doesn't already exist \r\n\u2022 Create disk0:/csco\\_config/97/webcontent/1515480F4B538B669648B17C02337098 from hash.txt \r\n\u2022 Append index.txt to disk0:/csco\\_config/97/webcontent/index\\_bp.ini and put the result in disk0:/csco\\_config/97/webcontent/index.ini \r\n\u2022 Move the original client\\_bundle.zip file to /run/lock/subsys/krbkdc6 \r\n\u2022 Prepend umtfc.txt to /etc/init.d/umountfs \r\n\u2022 Copy stgvdr.txt to /asa/scripts/lina\\_cs \r\n\u2022 Backup /asa/scripts/lina\\_exe\\_cs.sh to /asa/scripts/lina\\_exe\\_cs\\_bp.sh \r\n\u2022 Replace /asa/scripts/lina\\_exe\\_cs.sh with laecsnw.txt \r\n\u2022 Copy csco\\_config2.lua over csco\\_config.lua \r\n\u2022 Disable the importPlugin function for the next call only \r\n\r\n### csco\\_config2.lua\r\n\r\nThe csco\\_config2.lua file cleans up the modifications made by csco\\_config.lua (above) and removes itself. \r\n\r\n### hash.txt\r\n\r\nUsed as content for disk0:/csco\\_config/97/webcontent/1515480F4B538B669648B17C02337098. \r\n\r\nIntercepts HTTP requests to the ASA. The threat actor\u2019s code looks for an HTTP request with a set of 32-character parameters that are victim-dependent. If they match, then the payload contained within one of these parameters is written to a Lua script and executed. This is the backdoor\u2019s command and control mechanism. \r\n\r\n### index.txt\r\n\r\nAdds webContent information so hash.txt is processed. \r\n\r\n### laecsnw.txt\r\n\r\nTemporarily replaces /asa/scripts/lina\\_exe\\_cs.sh. \r\n\r\nExecutes /asa/scripts/lina\\_cs as a background process (see below). Removes itself. Then restores the backup /asa/scripts/lina\\_exe\\_cs\\_bp.sh. \r\n\r\n### stgvdr.txt\r\n\r\nRuns as /asa/scripts/lina\\_cs. 
\r\n\r\nAfter sleeping for 30 seconds, sets expected owner and times on /etc/init.d/umountfs. Removes the hash API endpoint, the index.ini, and either restores the backup index.ini or removes the webcontent directory entirely. Finally, removes itself. \r\n\r\n### umtfc.txt\r\n\r\nPrepended to /etc/init.d/unmountfs. \r\n\r\nThe unmountfs script is called at shutdown to unmount the filesystems. The threat actor\u2019s modifications perform the following functionality: \r\n\r\n\u2022 If disk0:/csco\\_config/97/webcontent/1515480F4B538B669648B17C02337098 exists, it removes it and index.ini. \r\n\u2022 Copy /run/lock/subsys/krbkdc6 to disk0:client\\_bundle\\_install.zip\r\n\r\nThis sets up the zipfile to be executed at the next boot, maintaining persistence. \r\n\r\n## **Forensic Recovery and Identification of Line Runner**\r\n\r\nTo identify the presence of Line Runner on an ASA, the following methods can be used. Note also that the device should be upgraded to a fixed version as identified in the first method. \r\n\r\n### **Method 1:**\r\n\r\nAfter updating the device to a software release that contains the fix for CVE-2024-20359, a review of the contents of disk0: should be conducted. If a new file (e.g., \u201cclient\\_bundle\\_install.zip\u201d or any other unusual .zip file) appears on disk0: following the update, this suggests that Line Runner was present on the device in question. Note that because the updated software is not vulnerable to CVE-2024-20359, Line Runner will no longer be active on the device. \r\n\r\n### **Method 2:**\r\n\r\nTo detect (and remove) Line Runner, the following series of commands will create an innocuous file with a .zip extension. Note that it will not create a valid zip file, but the file will still be read by the ASA at reboot. Upon execution of the following commands, if a new .zip file appears on disk0: following the reload, this suggests that Line Runner was present on the device in question. 
Deletion of the \u201cclient\\_bundle\\_install.zip\u201d file will remove Line Runner. Note that the malicious ZIP containing the Line Runner functionality could have other names that fit the naming pattern outlined previously. \r\n\r\nIf you discover a newly created .zip file, copy that file off the device using the **copy** command and contact psirt@cisco.com referencing CVE-2024-20359. Include the outputs of the **dir disk0:** and **show version** commands from the device and the **.zip** file extracted from the device. \r\n\r\n## **Anti-Forensics/Anti-Analysis Capabilities**\r\n\r\nUAT4356 took clear and deliberate steps to attempt to prevent forensic capture of malicious artifacts. This tradecraft suggests a thorough understanding of the ASA itself and of the forensic actions commonly performed by Cisco for network device integrity validation. Additional steps were taken on a case-by-case basis to hide actions being taken on the device. These steps included hooking the AAA (Authentication, Authorization and Accounting) function of the device to allow the actor to bypass normal AAA operations. We also identified some instances where UAT4356 disabled logging to perform operations on or from the ASA and not have those operations or actions logged. \r\n\r\nLine Dancer appears to have been intentionally placed into a difficult-to-reach region of memory. In addition, it hooks into functions such as the core dump function, which is commonly used to collect information for debugging and forensic purposes, which were made in memory such that this function simply jumped to a reboot. This means that on reboot, Line Dancer itself would no longer be present and none of the collections present in the core dump function would have been executed, all resulting in a complete loss of debug information and memory-based forensic artifacts. 
\r\n\r\n## **Attribution**\r\n\r\nAs a part of our ongoing investigation, we have also conducted analysis on possible attribution of this activity. Our attribution assessment is based on the victimology, the significant level of tradecraft employed in terms of capability development and anti-forensic measures, and the identification and subsequent chaining together of 0-day vulnerabilities. For these reasons, we assess with high confidence that these actions were performed by a state-sponsored actor.\r\n\r\n## **Recommendations**\r\n\r\nThere are some known indicators of compromise that customers can look for if they suspect they may have been targeted in this campaign. First, organizations should look for any flows to/from ASA devices to any of the IP addresses present in the IOC list provided at the bottom of this blog. This is one indication that further investigation is necessary. \r\n\r\nAdditionally, organizations can issue the command show memory region | include lina to identify another indicator of compromise. If the output indicates more than one executable memory region (memory regions having r-xp permissions, see output examples), especially if one of these memory sections is exactly 0x1000 bytes, then this is a sign of potential tampering. \r\n\r\nOutput of the \u2018show memory region\u2019 command for a compromised device (top) vs. a clean device (bottom). \r\n\r\nNote that the earlier provided steps to identify the presence of Line Runner can still be followed even in the absence of more than one executable memory region as we have seen cases where Line Runner was present without Line Dancer being present. We still recommend following the steps to upgrade to a patched version even if customers believe that their device has not been compromised. \r\n\r\nNext, follow the steps detailed in the Cisco ASA Forensic Investigation Procedures for First Responders. 
**When following these procedures first responders should NOT attempt to collect a core dump (Step 5) or reboot the device if they believe that the device has been compromised, based on the lina memory region output.** The previous steps up to and including a collection of the memory text section should be followed. In addition, we have released some Snort signatures to detect the activity on the wire including access attempts. Signatures 63139, 62949, and 45575 have been released to detect the implants or associated behaviors. Please note that the device must be set up to decrypt TLS for these signatures to be effective. \r\n\r\n\r\n* CVE-2024-20353 (ASA DOS/Reboot) - 3:63139 \r\n* \u2018Line Runner\u2019 \u2013 Persistence Mechanism Interaction \u2013 3:62949 \r\n* \u2018Line Dancer\u2019 \u2013 In-Memory Only Shellcode Interpreter Interaction \u2013 3:45575 \r\n* Note that this signature was originally built to detect an unrelated CVE but it also detects Line Dancer interaction \r\n\r\nIf your organization does find connections to the provided actor IPs and the crash dump functionality has been altered, please open a case with Cisco TAC. \r\n\r\n## **UAT4356 Infrastructure**\r\n\r\nKey components of the actor-controlled infrastructure used for this operation had an interesting overlap of SSL certificates which match the below pattern while also appearing as an ASA, during the same period, to external scanning engines such as Shodan and Censys as reported by the CPE data on the same port as the noted SSL certificate. The SSL certificate information suggests that the infrastructure is making use of an OpenConnect VPN Server (https://ocserv.openconnect-vpn.net) through which the actor appeared to be conducting actions on target. 
\r\n\r\nCertificate Pattern: \r\n :issuer = O=ocserv,CN=ocserv VPN \r\n :selfsigned = true \r\n :serial = 0000000000000000000000000000000000000002 \r\n :subject = O=ocserv,CN=ocserv VPN \r\n :version = v3 \r\n\r\nCPE identifiers: \r\n cpe:2.3:a:cisco:http:*:*:*:*:*:*:*:* \r\n cpe:2.3:h:cisco:adaptive\\_security\\_appliance:*:*:*:*:*:*:*:* \r\n cpe:2.3:o:cisco:adaptive\\_security\\_appliance\\_software:*:*:*:*:*:*:*:* \r\n\r\n## **MITRE TTPs**\r\n\r\nThis threat demonstrates several techniques of the MITRE ATT&CK framework, most notably: \r\n\r\n\r\n* Line Runner persistence mechanism (T1037), \r\n* The reboot action via CVE-2024-20353 (T1653), \r\n* Base64 obfuscation (T1140), \r\n* Hooking of the processHostScanReply() function (T0874), \r\n* Disabling syslog and tampering with AAA (T1562-001), \r\n* Injection of code into AAA and Crash Dump processes (T1055) \r\n* Execution of CLI commands (T1059), \r\n* Bypassing of the AAA mechanism (T1556), \r\n* Removal of files after execution (T1070-004), \r\n* HTTP interception for C2 communications (T1557), \r\n* HTTP C2 (T1071-001), \r\n* HTTP C2 one-way backdoor (T1102-003), \r\n* Data exfiltration over C2 (T1041), \r\n* Network sniffing (T1040) \r\n\r\n## **Coverage**\r\n\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. \r\n\r\nUmbrella, Cisco's secure internet gateway (SIG) blocks devices from connecting to malicious IPs. Sign up for a free trial of Umbrella here. \r\n\r\nAdditional protections with context to your specific environment and threat data are available from the Firewall Management Center. \r\n\r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are 45575, 62949 and 63139. 
\r\n\r\n## **Indicators of Compromise (IOCs)**\r\n\r\nThere are several known indicators of compromise that defenders can look for when assessing whether their ASA device has been compromised as a result of this attack, as outlined earlier in this post. For example, if any gaps in logging or any recent unexpected reboots are observed, this should be treated as suspicious activity that warrants further investigation. Also, below is a list of IP addresses we identified as having been used by UAT4356. Please note that some of these IPs are part of publicly known anonymization infrastructure and not directly controlled by the attackers themselves. If your organization does find connections to the provided actor IPs and the crash dump functionality has been altered, please open a case with Cisco TAC. \r\n\r\n### **Likely Actor-Controlled Infrastructure:**\r\n\r\n192.36.57[.]181 \r\n185.167.60[.]85 \r\n185.227.111[.]17 \r\n176.31.18[.]153 \r\n172.105.90[.]154 \r\n185.244.210[.]120 \r\n45.86.163[.]224 \r\n172.105.94[.]93 \r\n213.156.138[.]77 \r\n89.44.198[.]189 \r\n45.77.52[.]253 \r\n103.114.200[.]230 \r\n212.193.2[.]48 \r\n51.15.145[.]37 \r\n89.44.198[.]196 \r\n131.196.252[.]148 \r\n213.156.138[.]78 \r\n121.227.168[.]69 \r\n213.156.138[.]68 \r\n194.4.49[.]6 \r\n185.244.210[.]65 \r\n216.238.75[.]155 \r\n\r\n### **Multi-Tenant Infrastructure:**\r\n\r\n5.183.95[.]95 \r\n45.63.119[.]131 \r\n45.76.118[.]87 \r\n45.77.54[.]14 \r\n45.86.163[.]244 \r\n45.128.134[.]189 \r\n89.44.198[.]16 \r\n96.44.159[.]46 \r\n103.20.222[.]218 \r\n103.27.132[.]69 \r\n103.51.140[.]101 \r\n103.119.3[.]230 \r\n103.125.218[.]198 \r\n104.156.232[.]22 \r\n107.148.19[.]88 \r\n107.172.16[.]208 \r\n107.173.140[.]111 \r\n121.37.174[.]139 \r\n139.162.135[.]12 \r\n149.28.166[.]244 \r\n152.70.83[.]47 \r\n154.22.235[.]13 \r\n154.22.235[.]17 \r\n154.39.142[.]47 \r\n172.233.245[.]241 \r\n185.123.101[.]250 \r\n192.210.137[.]35 \r\n194.32.78[.]183 \r\n205.234.232[.]196 \r\n207.148.74[.]250 
\r\n216.155.157[.]136 \r\n216.238.66[.]251 \r\n216.238.71[.]49 \r\n216.238.72[.]201 \r\n216.238.74[.]95 \r\n216.238.81[.]149 \r\n216.238.85[.]220 \r\n216.238.86[.]24 \r\n\r\n## **Acknowledgments**\r\n\r\nCisco would like to thank the following organizations for supporting this investigation: \r\n\r\n\r\n* Australian Signals Directorate\u2019s Australian Cyber Security Centre \r\n* Black Lotus Labs at Lumen Technologies \r\n* Canadian Centre for Cyber Security, a part of the Communications Security Establishment \r\n* Microsoft Threat Intelligence Center \r\n* The UK's National Cyber Security Centre (NCSC) \r\n* U.S. Cybersecurity & Infrastructure Security Agency (CISA)", "id": "616", "event_id": "219828", "timestamp": "1714044432", "uuid": "e03f267e-103c-4c40-a9b8-83a09502db13", "deleted": false } ] } }