Cisco ASA and FTD Devices Targeted by Nation-State Group UAT4356 Using Zero-Day Flaws

Nation-State Actor UAT4356 Targets Cisco Firewalls with Zero-Day Exploits

CRITICAL
April 27, 2026
Threat Actor, Vulnerability, Cyberattack

Related Entities

Threat Actors

UAT4356, STORM-1849

Products & Tech

Cisco Adaptive Security Appliance (ASA), Cisco Firepower Threat Defense (FTD)

CVE Identifiers

CVE-2024-20353, CVE-2024-20359

Executive Summary

In April 2024, Cisco disclosed that a nation-state threat actor, which it tracks as UAT4356 (tracked by Microsoft as STORM-1849), was exploiting two zero-day vulnerabilities in Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) software. The targeted flaws, CVE-2024-20353 and CVE-2024-20359, were used in a sophisticated espionage campaign aimed at government and critical infrastructure entities. The attackers chained these vulnerabilities to gain initial access, execute code, and establish persistent backdoors on critical network infrastructure. This incident highlights the ongoing trend of advanced persistent threats (APTs) targeting edge network devices as a primary vector for infiltrating secure networks.

Threat Overview

The threat actor UAT4356 demonstrated a high degree of sophistication, conducting highly targeted attacks. The campaign's objective appears to be espionage, focusing on organizations of strategic importance. By compromising edge security appliances like Cisco ASA and FTD, the attackers gain a powerful foothold within the target network, allowing them to monitor, intercept, and exfiltrate traffic, as well as pivot to other internal systems.

Technical Analysis

The attack chain involved two key vulnerabilities:

  • CVE-2024-20353 (Persistent Local Code Execution): This vulnerability could allow an authenticated local attacker to execute arbitrary code with root privileges and have that code persist across reboots. While it requires initial access, it is a powerful tool for establishing long-term persistence.
  • CVE-2024-20359 (Command Injection): This vulnerability could allow an unauthenticated remote attacker to execute arbitrary commands. This was likely used for initial access, providing the foothold needed to then exploit the local code execution flaw for persistence.

The attackers used these vulnerabilities to deploy custom malware implants, which were designed to be stealthy and maintain access even after the device was rebooted. This is a classic APT tactic for long-term intelligence gathering.

Impact Assessment

Compromise of a core network security device like a Cisco ASA/FTD firewall has severe consequences:

  • Espionage: The primary goal of the actor was espionage, meaning sensitive government and corporate data was likely targeted and exfiltrated.
  • Network Control: Full control over the firewall allows the attacker to manipulate traffic, bypass security policies, and launch further attacks on the internal network.
  • Loss of Trust: A breach of the primary security boundary device erodes trust in the network's integrity and can be extremely difficult and costly to fully remediate.
  • Operational Disruption: While espionage was the goal, the attacker's tools or remediation efforts could inadvertently cause network outages.

IOCs — Directly from Articles

No specific Indicators of Compromise (IOCs) were provided in the source articles.

Cyber Observables — Hunting Hints

Security teams may want to hunt for the following patterns, which could indicate related activity:

  • Log Source (Cisco ASA/FTD Syslog): Look for unexpected or unauthorized configuration changes, especially those related to user accounts or access policies.
  • Process Name (Unusual processes running on the ASA/FTD): Monitor the device's process list for any non-standard or suspicious processes.
  • Network Traffic Pattern (Outbound connections from the ASA/FTD device itself): Similar to the PAN-OS issue, the firewall itself should not be making outbound connections to unknown IPs.
  • File Path (/ngfw/var/log/): Check for suspicious scripts or binaries in system directories where they don't belong.

Detection & Response

  • Review Logs: Administrators should use Cisco's guidance to review device logs for any signs of compromise, such as unexplained reboots, new user accounts, or unexpected configuration changes.
  • Integrity Checks: Use Cisco's tools and guidance to perform integrity checks on the device's system image and configuration files to look for unauthorized modifications.
  • Network Monitoring: Monitor traffic originating from the ASA/FTD device itself for any suspicious outbound connections that could indicate a C2 channel.
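A worked illustration of the syslog hunting hints above and of the Review Logs and Network Monitoring steps: this Python script is an added example, not part of the original report and not Cisco tooling. It assumes the firewall's own addresses, the authorised admin list and the known collector addresses given as constants (all constructed), matches three real ASA syslog message IDs (111010, 502101, 302013) using their documented layouts, and runs over constructed sample lines.

```python
import re

# Constructed inputs (RFC 5737 documentation ranges): the firewall's own addresses, the
# admins permitted to change configuration, and peers the appliance itself may legitimately
# talk to (the organisation's own log and time collectors).
FIREWALL_ADDRS = {"192.0.2.1", "198.51.100.1"}
AUTHORISED_ADMINS = {"netops"}
KNOWN_PEERS = {"203.0.113.5"}

# 111010, 502101 and 302013 are real ASA syslog message IDs; the patterns follow their
# documented layouts, but verify them against a sample from your own export before use.
CFG_CMD = re.compile(r"%ASA-\d-111010: User '([^']+)', running '[^']+' from IP '([^']+)', executed '([^']+)'")
NEW_USER = re.compile(r"%ASA-\d-502101: New user added to local dbase: Uname: (\S+)")
BUILT = re.compile(r"%ASA-\d-302013: Built (?:inbound|outbound) TCP connection \d+ "
                   r"for [^:]+:([\d.]+)/(\d+) \([^)]*\) to [^:]+:([\d.]+)/(\d+)")

def hunt(lines):
    """Yield (rule, detail) for each line that matches one of the hunting hints."""
    for line in lines:
        if m := CFG_CMD.search(line):
            user, src, cmd = m.groups()
            if user not in AUTHORISED_ADMINS:
                yield ("config-change-unknown-user", f"{user} from {src}: {cmd}")
        elif m := NEW_USER.search(line):
            yield ("new-local-user", m.group(1))
        elif m := BUILT.search(line):
            a, aport, b, bport = m.groups()
            # Endpoint order in 302013 depends on direction, so look at both ends: the
            # firewall's own address on one side and an unknown peer on the other means
            # the appliance itself, not a host behind it, is party to the connection.
            ends = {a, b}
            if ends & FIREWALL_ADDRS and ends - FIREWALL_ADDRS - KNOWN_PEERS:
                yield ("firewall-originated-connection", f"{a}:{aport} <-> {b}:{bport}")

# Constructed sample export; only lines 2, 3 and 5 should be flagged.
SAMPLE = [
    "%ASA-5-111010: User 'netops', running 'CLI' from IP '10.0.0.20', executed 'hostname fw1'",
    "%ASA-5-111010: User 'svc_backup', running 'CLI' from IP '10.0.0.99', executed 'no logging host inside 203.0.113.5'",
    "%ASA-5-502101: New user added to local dbase: Uname: helper Priv: 15 Encpass: ********",
    "%ASA-6-302013: Built outbound TCP connection 4101 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:10.0.0.50/52001 (10.0.0.50/52001)",
    "%ASA-6-302013: Built outbound TCP connection 4102 for outside:203.0.113.77/443 (203.0.113.77/443) to mgmt:198.51.100.1/41877 (198.51.100.1/41877)",
    "%ASA-6-302013: Built outbound TCP connection 4103 for outside:203.0.113.5/514 (203.0.113.5/514) to mgmt:198.51.100.1/41900 (198.51.100.1/41900)",
]

def run_sample():
    return list(hunt(SAMPLE))

if __name__ == "__main__":
    for rule, detail in run_sample():
        print(f"[{rule}] {detail}")
```

Point `hunt()` at a real syslog export and tune the three allow-lists; a logging-destination change by an unknown account, a new local user and a connection the appliance opened itself are exactly the events the hints above describe.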

Mitigation

  1. Patch Immediately: Apply the software updates provided by Cisco to all affected ASA and FTD devices. This is the only effective way to prevent exploitation. This is an application of D3FEND's Software Update technique.
  2. Harden Devices: Follow Cisco's hardening guides to reduce the attack surface of your network devices. This includes disabling unnecessary services and restricting management access.
  3. Network Segmentation: Implement network segmentation to limit the potential impact of a compromised edge device. An attacker who compromises a firewall should not have a direct path to critical internal assets. This is an application of D3FEND's Network Isolation technique.

Timeline of Events

April 27, 2026: This article was published.

MITRE ATT&CK Mitigations

  • Applying the security patches from Cisco is the most effective way to prevent exploitation of these vulnerabilities.
  • Segmenting the network can limit the blast radius if an edge device is compromised, preventing lateral movement.
  • Regularly auditing device configurations and logs for unauthorized changes is key to detecting this type of attack.

D3FEND Defensive Countermeasures

The primary and most urgent countermeasure is to apply the security patches released by Cisco for CVE-2024-20353 and CVE-2024-20359. Due to the targeted nature of the attacks by a nation-state actor, any organization using vulnerable Cisco ASA or FTD devices, especially those in government or critical infrastructure sectors, must assume they are a potential target. Patches should be deployed under emergency change procedures. Use Cisco's security advisories to identify the correct software versions for your specific hardware models. After patching, verify the software version to confirm the update was successful. This action directly closes the vulnerabilities used for initial access and persistence, providing the most definitive protection against this specific threat campaign.

For organizations concerned about potential compromise prior to patching, performing system file analysis is a critical incident response step. This involves capturing a snapshot of the device's file system and configuration and comparing it against a known-good baseline or factory image. Look for any unauthorized or unexpected files, especially in directories that allow execution. Pay close attention to file modification dates and permissions. Cisco provides tools and procedures for checking the integrity of system images. Automate this process where possible to perform regular integrity checks. This technique is vital for detecting the persistence mechanisms used by actors like UAT4356, which are designed to survive reboots and remain hidden.
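As an added example of the baseline comparison described above (not Cisco's own integrity-check procedure), the following Python diffs a snapshot manifest of paths, SHA-256 digests, permission bits and modification times against a known-good baseline. It reports added, removed and modified files, permission changes, execute bits under the /ngfw/var/log/ path named earlier, and content changes whose mtime did not move; the two manifests are constructed, and only the /ngfw/var/log/ path comes from the report.

```python
import hashlib
import stat
from typing import NamedTuple

class Entry(NamedTuple):
    sha256: str
    mode: int   # POSIX permission bits, e.g. 0o644
    mtime: int  # modification time, epoch seconds

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Only /ngfw/var/log/ comes from the report; nothing under it should carry an execute bit.
NO_EXEC_DIRS = ("/ngfw/var/log/",)
EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH

def compare(baseline: dict, snapshot: dict) -> list:
    """Diff two path -> Entry manifests into (finding, path, detail) tuples, sorted by path."""
    findings = []
    for path in sorted(set(baseline) | set(snapshot)):
        old, new = baseline.get(path), snapshot.get(path)
        if old is None:
            findings.append(("added", path, f"mode {oct(new.mode)}"))
        elif new is None:
            findings.append(("removed", path, ""))
        else:
            if old.sha256 != new.sha256:
                # Hash changed but mtime did not: likely reset to hide the edit, so rank it above a plain edit.
                kind = "modified-mtime-unchanged" if old.mtime == new.mtime else "modified"
                findings.append((kind, path, f"{old.sha256[:12]} -> {new.sha256[:12]}"))
            if old.mode != new.mode:
                findings.append(("permissions-changed", path, f"{oct(old.mode)} -> {oct(new.mode)}"))
        if new is not None and new.mode & EXEC_BITS and path.startswith(NO_EXEC_DIRS):
            findings.append(("executable-in-log-dir", path, oct(new.mode)))
    return findings

# Constructed manifests: a known-good baseline and a later snapshot of the same device.
BASELINE = {
    "/bin/ls": Entry(digest(b"ELF-ls"), 0o755, 1_700_000_000),
    "/etc/hosts": Entry(digest(b"127.0.0.1 localhost\n"), 0o644, 1_700_000_000),
    "/ngfw/var/log/messages": Entry(digest(b"boot ok\n"), 0o644, 1_700_000_000),
}
SNAPSHOT = {
    "/bin/ls": Entry(digest(b"ELF-ls-replaced"), 0o755, 1_700_080_000),  # binary replaced
    "/etc/hosts": Entry(digest(b"127.0.0.1 localhost\n10.0.0.9 upd\n"), 0o644, 1_700_000_000),  # edited, mtime untouched
    "/ngfw/var/log/messages": Entry(digest(b"boot ok\n"), 0o644, 1_700_090_000),  # mtime only, not reported
    "/ngfw/var/log/.cache": Entry(digest(b"#!/bin/sh\n"), 0o755, 1_700_080_000),  # new executable in a log directory
}
def run_sample() -> list:
    return compare(BASELINE, SNAPSHOT)
```

In practice the baseline manifest is built from a factory image or a freshly patched device and stored off-box, so that a later snapshot can be compared without trusting the appliance's own tooling.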

Sources & References

Major Cyber Attacks, Data Breaches & Ransomware Attacks in April 2024
Security and Compliance (securityandcompliance.com) May 1, 2024

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

nation-state, APT, Cisco, UAT4356, STORM-1849, zero-day, vulnerability, CVE-2024-20353, CVE-2024-20359, ASA, FTD
