The Australian Cyber Security Centre (ACSC) has issued an alert to industry and partners after becoming aware of activity impacting Cisco ASA devices in Australia.
After a customer raised a concern earlier this year, an investigation by Cisco’s Product Security Incident Response Team (PSIRT) and Cisco Talos found a previously unknown actor who had deployed two backdoors used to conduct malicious actions on-target, including configuration modification, reconnaissance, network traffic capture/exfiltration and potentially lateral movement.
Cisco has subsequently released three CVEs relating to the ASA device compromises:
- CVE-2024-20353, which applies to management and VPN web servers for Cisco ASA Software and Cisco Firepower Threat Defense (FTD) Software, and could allow an unauthenticated, remote attacker to cause the device to reload unexpectedly resulting in denial of service (DOS).
- CVE-2024-20359, which applies to a legacy capability that allowed for the preloading of VPN clients and plug-ins. and that has been available in Cisco ASA Software and Firepower Threat Defense (FTD) Software and could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system (OS) with root-level privileges.
- CVE- 2024-20358, which applies to Cisco ASA restore functionality available in Cisco ASA Software and Firepower Threat Defense (FTD) Software and could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system (OS) with root-level privileges.
The ACSC strongly encourages entities to take immediate action to ensure affected devices are patched and investigate for potential compromise.
