Cisco: Espionage Campaign Exploited Two Zero-Day Firewall Vulnerabilities

The flaws impact Cisco Adaptive Security Appliance and Firepower Threat Defense software and have been exploited in a state-sponsored campaign against global governments as far back as November 2023, the company says.

Cisco Systems disclosed two zero-day firewall vulnerabilities Wednesday that the tech giant said have been exploited by a state-sponsored attacker in an espionage campaign targeting global governments as far back as November 2023.

The company released patches for the flaws, which impact its Adaptive Security Appliance and Firepower Threat Defense software.


Cisco’s Talos threat intelligence team disclosed details Wednesday from its investigation into the attacks, “all of which involved government networks globally.”

Talos dubbed the campaign “ArcaneDoor” and said it has been carried out by a previously unknown state-backed threat actor, now tracked as UAT4356.

“ArcaneDoor is a campaign that is the latest example of state-sponsored actors targeting perimeter network devices from multiple vendors,” Talos researchers said in the post.

The investigation began early this year and included several outside intelligence partners, according to Talos.

“This actor utilized bespoke tooling that demonstrated a clear focus on espionage and an in-depth knowledge of the devices that they targeted, hallmarks of a sophisticated state-sponsored actor,” the researchers wrote.

The investigation discovered “actor-controlled infrastructure dating back to early November 2023, with most activity taking place between December 2023 and early January 2024,” Talos researchers said.

The two zero-day vulnerabilities (tracked as CVE-2024-20353 and CVE-2024-20359) have each received a severity rating of “high.”

“Cisco strongly recommends that all customers upgrade to fixed software versions,” the company said in an advisory Wednesday.

Cisco has referred to its Adaptive Security Appliance software as the “core” operating system for ASA devices, and the software is used to deliver “enterprise-class firewall capabilities” through both physical and virtual appliances.

Last week, Talos researchers disclosed that they had been monitoring a “global increase in brute-force attacks” against targets including VPN services. “Known affected services” in that attack campaign included Cisco’s Secure Firewall VPN offering as well as VPN services from Check Point Software Technologies, Fortinet, SonicWall and Ubiquiti, according to Talos.