Cisco ASA Firewall Breach: What to Do When Security Is a Target

Zscaler Blog

Cisco ASA Firewall Breach: What to Do When Security Is a Target

The Year of the Dragon has seen some notable events so far: a total eclipse, Facebook's 20th anniversary, and another Taylor Swift streaming record. But 2024 has also become the Year of the Hardware Vulnerability, with multiple VPNs and firewalls suffering zero-day vulnerabilities that bad actors are actively exploiting.

On April 24, Cisco issued a warning that a nation-state supported threat actor had compromised its Adaptive Security Appliances (ASA). ASA integrates a firewall and VPN with other security features. This campaign, known as ArcaneDoor, involved the exploitation of two zero-day vulnerabilities (CVE-2024-20353, CVE-2024-20359) that targeted government networks worldwide.

The threat actor deployed two backdoors:

• Line Dancerallowed them to run custom malware in the memory of network appliances, spy on network traffic, and steal data.
• Line Runnergave them persistent access to target devices, even after reboots or updates.

As of this writing, the initial attack vector is unknown. This hacking campaign may be targeting devices other than the ASA, exploiting other unknown flaws to access and exploit the Cisco ASA vulnerability.

Another day, another CVE

Cisco's disclosure and warning about the ArcaneDoor hacking campaign comes at a time when critical CVEs have been identified for Ivanti, SonicWall, Fortinet, Palo Alto Networks, and other CiscoVPN solutions.

This recurring pattern highlights a concerning trend: threat actors are specifically targeting security appliances like firewalls and VPNs, exploiting their vulnerabilities in an attempt to gain access to the very environments they are designed to protect. These attacks indicate that the issue is not limited to any one vendor. Rather, it is the underlying legacy architecture of the devices that makes them lucrative targets.

Decoding the architectural flaws

The big question on security and network architects' minds today: why are perimeter-based security and hub-and-spoke network architecture susceptible to attacks? Decades ago, firewalls and VPNs were vital parts of an organization's security.Employees mainly worked in offices, there were no smart lights or smart printers, and sophisticated cyberattacks on employees were more fiction than reality. Today's complex, advanced cyberattacks weren't yet widespread.

Today's organizations are highly distributed and dynamic. The internet is the corporate network, with users, workloads, and IoT/OT devices connecting from various locations. By design, firewalls and VPNs have public-facing IP addresses that sit on the public internet so authorized users can traverse the web and find the entry points into the organization's environment.

This architectural flaw is where the problem lies: anyone, including threat actors, can discover these entry points. Even more concerning, everything within a traditional network is considered "trusted." This enables threat actors to establish a foothold in the network and move laterally, compromising the entire environment.

How to protect yourself with zero trust security

The best defense against zero-day attacks is to embrace zero trust security. Zero trust architecture is inherently different from traditional architectures that rely on firewalls and VPNs. Based on the principle of least privilege, it minimizes the internal and external attack surface, terminates and fully inspects all connections, and establishes one-to-one connectivity between authenticated users and applications without exposing the enterprise network.

An effective zero trust approach drastically reduces the risk of successful exploits as well as the impact of a compromise.

A cloud native, proxy-based zero trust architecture like the Zscaler Zero Trust Exchange:

• Minimizes the attack surfaceby eliminating firewalls, VPNs, and public-facing IP addresses. It allows no inbound connections and hides applications behind a zero trust cloud.
• Stops compromiseby inspecting all traffic, including encrypted traffic, at scale. This enables policy enforcement and real-time threat prevention.
• Eliminates lateral threat movementby connecting entities to individual IT resources instead of the entire network.
• Blocks data lossby enforcing policies across all potential leakage paths, including encrypted traffic. This ensures the protection of data in motion, at rest, and in use.

Best practices to protect against zero-day attacks

The Zscaler ThreatLabz research team recommends these best practices to protect your organization against exploits:

• Minimize the attack surface.Make applications (including vulnerable VPNs) invisible to the internet, ensuring that attackers cannot gain initial access.
• Prevent initial compromise.Inspect all traffic inline to automatically stop zero-day exploits, malware, or other sophisticated threats.
• Enforce least-privileged access.Restrict permissions for users, traffic, systems, and applications with identity and context, ensuring only authorized users can access named resources.
• Block unauthorized access.Use strong multifactor authentication (MFA) to validate user access requests.
• Eliminate lateral movement.Connect users directly to applications, not the network, to limit the blast radius of a potential incident.
• Shut down compromised users and insider threats.Enable inline inspection and monitoring to detect compromised users with access to your network, private apps, and data.
• Stop data loss.Inspect data in motion and at rest to prevent active data theft during an attack.
• Deploy active defenses.Use deception technology with decoys, and perform daily threat hunting to derail and stop attacks in real time.
• Test your security posture.Obtain regular third-party risk assessments and conduct purple team activities to identify and fix gaps in your security. Ask your service providers and technology partners to do the same, and share findings with your security team.

The road ahead

The increased targeting of VPNs and firewalls by threat actors highlights the flaws of traditional perimeter-based architectures. With lucrative gains to be had, these attacks will continue. Organizations must prioritize patching critical vulnerabilities as soon as possible.

However, to truly stay ahead of zero-day attacks, adopting zero trust is the most effective approach. A zero trust architecture will enable organizations to minimize the attack surface, enforce strict access controls, and continuously monitor and authenticate users and devices. This proactive approach to security will help mitigate zero-day risks and ensure a more robust, resilient defense in the future.

References

• https://www.wired.com/story/arcanedoor-cyberspies-hacked-cisco-firewalls-to-access-government-networks/
• https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/

If you're concerned about how these vulnerabilities could affect your organization, contact us at [email protected]for a free external attack surface assessment as well as an expert consultation on how you can migrate from legacy architectures to zero trust.

Explore more Zscaler blogs

Get the latest Zscaler blog updates in your inbox