Overview

Nation-state threat actors are currently exploiting two zero-day vulnerabilities in Cisco firewalls. Over the past five months, these attacks have breached government networks across the globe. Cisco's Adaptive Security Appliances (ASA) have been the primary target, with the attackers leveraging the zero-day vulnerabilities tracked as CVE-2024-20353 (CVSS 8.6) and CVE-2024-20359.

The threat actor responsible for these attacks, identified as UAT4356 by Cisco and STORM-1849 by Microsoft, uses sophisticated custom malware known as Line Dancer and Line Runner. Line Dancer, operating solely in memory, executes arbitrary shellcode payloads, while Line Runner ensures persistence on compromised devices. These attacks involve intricate exploit chains, backdoors, and meticulous anti-forensic measures. The threat actors appear to be motivated by espionage and have in-depth knowledge of the targeted devices.

Cisco has released security updates to patch CVE-2024-20353 and CVE-2024-20359. The company strongly recommends that all ASA users install the updates as soon as possible. However, patching the vulnerabilities is only the first step in mitigating this threat, because the threat actor's initial access vector is still unknown. Organizations should monitor system logs for signs of compromise and strengthen authentication mechanisms to prevent unauthorized access.
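One way to act on the log-monitoring recommendation above, as an added example that is not part of this advisory: a small Python scanner that refangs a defanged IoC list (advisories publish addresses as `192.0.2[.]10`) and flags Cisco ASA connection syslog messages whose source or destination is on that list. It assumes the standard ASA `%ASA-6-302013` to `%ASA-6-302016` connection-message format; the IoC values and log lines are constructed placeholders from the RFC 5737 TEST-NET ranges, not this advisory's indicators, which a practitioner would substitute from the IoC section.

```python
"""Scan Cisco ASA syslog lines for connections involving IoC IP addresses.

Added example, not from the advisory. Assumes the ASA connection messages
%ASA-6-302013..302016, whose bodies contain
'... for <iface>:<src_ip>/<port> ... to <iface>:<dst_ip>/<port> ...'.
"""
import re
from typing import Dict, Iterable, List


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 192.0.2[.]10 back into 192.0.2.10."""
    return indicator.replace("[.]", ".").replace("(.)", ".").strip()


# ASA build/teardown messages carry <interface>:<ip>/<port> for both endpoints.
ASA_CONN_RE = re.compile(
    r"%ASA-\d-30201[3-6]:.*?"
    r"for [^:]+:(?P<src>\d+\.\d+\.\d+\.\d+)/\d+.*?"
    r"to [^:]+:(?P<dst>\d+\.\d+\.\d+\.\d+)/\d+"
)


def find_ioc_hits(log_lines: Iterable[str], iocs: Iterable[str]) -> List[Dict]:
    """Return one record per log line whose source or destination IP is an IoC."""
    ioc_set = {refang(i) for i in iocs}
    hits = []
    for line in log_lines:
        m = ASA_CONN_RE.search(line)
        if not m:
            continue  # not a connection message; ignore
        matched = {ip for ip in (m["src"], m["dst"]) if ip in ioc_set}
        if matched:
            hits.append({"line": line.strip(), "ioc": sorted(matched)})
    return hits


# Constructed sample data (placeholder addresses, not the advisory's IoCs).
SAMPLE_IOCS = ["203.0.113[.]10", "198.51.100[.]7"]
SAMPLE_LOG = [
    "%ASA-6-302013: Built outbound TCP connection 12 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:10.0.0.5/51000 (192.0.2.1/51000)",
    "%ASA-6-302014: Teardown TCP connection 13 for outside:8.8.8.8/53 to inside:10.0.0.5/51001 duration 0:00:01 bytes 120 TCP FINs",
    "%ASA-6-302013: Built inbound TCP connection 14 for outside:198.51.100.7/55555 (198.51.100.7/55555) to inside:10.0.0.9/443 (192.0.2.9/443)",
]

if __name__ == "__main__":
    for hit in find_ioc_hits(SAMPLE_LOG, SAMPLE_IOCS):
        print(hit["ioc"], hit["line"])
```

A hit only shows that the device talked to a listed address; it should trigger the forensic checks in Cisco's guidance rather than be treated as confirmation of compromise.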

Avertium's Recommendations

Indicators of Compromise (IoCs)

Actor Controlled Infrastructure (IPs) 

Multi-Tenant Infrastructure (IPs)  

How Avertium is Protecting Our Customers

  • Fusion MXDR is the first MDR offering that fuses together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts.
  • Expanding endpoints, cloud computing environments, and accelerated digital transformation have decimated the perimeter in an ever-expanding attack surface. Avertium offers Attack Surface Management, so you’ll have no more blind spots, weak links, or fire drills. See every threat in your attack surface, every device, every entry point, and every vulnerability. Our Attack Surface Management services include:  
    • Risk Assessments 
    • Pen Testing and Social Engineering  
    • Infrastructure Architecture and Integration  
    • Zero Trust Network Architecture 
    • Vulnerability Management 

Supporting Documentation

Hackers backdoored Cisco ASA devices via two zero-days (CVE-2024-20353, CVE-2024-20359) (Help Net Security)

Nation-state hackers exploit Cisco firewall 0-days to backdoor government networks (Ars Technica)

Cisco Adaptive Security Appliance and Firepower Threat Defense Software Web Services Denial of Service Vulnerability (Cisco Security Advisory, CVE-2024-20353)

ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices (Cisco Talos, talosintelligence.com)

Cisco Adaptive Security Appliance and Firepower Threat Defense Software Persistent Local Code Execution Vulnerability (Cisco Security Advisory, CVE-2024-20359)
