CISA: Cisco and CrushFTP vulnerabilities need urgent patches

The top U.S. cybersecurity agency is ordering all federal civilian agencies to patch three high-profile vulnerabilities in the next week because they are being exploited by hackers. 

On Wednesday, the Cybersecurity and Infrastructure Security Agency (CISA) added two Cisco product vulnerabilities — CVE-2024-20353 and CVE-2024-20359 — as well as one vulnerability affecting popular file transfer tool CrushFTP. 

Unlike most additions to the Known Exploited Vulnerabilities catalog, CISA gave federal agencies until May 1 to patch the vulnerabilities — the type of deadline the agency only takes with bugs considered urgent.

Cisco released advisories and a blog post about the two vulnerabilities on Wednesday, warning that they are being exploited as part of a campaign by state-sponsored threat actors. 

The vulnerabilities affect Cisco’s Adaptive Security Appliances (ASA) and the related Firepower Threat Defense (FTD) software suite — lines of firewall and VPN devices built to protect corporate networks and data centers. Cisco said a customer reached out earlier this year about issues with ASA devices, and the company commenced an investigation alongside Microsoft security officials. 

“We identified a previously unknown actor now tracked as UAT4356 by Talos and STORM-1849 by the Microsoft Threat Intelligence Center, Cisco said. The group is also known to researchers as ArcaneDoor. 

“This actor utilized bespoke tooling that demonstrated a clear focus on espionage and an in-depth knowledge of the devices that they targeted, hallmarks of a sophisticated state-sponsored actor,” Cisco said, noting that researchers  still do not know the initial intrusion method.

“UAT4356 deployed two backdoors as components of this campaign, ‘Line Runner’ and ‘Line Dancer,’ which were used collectively to conduct malicious actions on-target, which included configuration modification, reconnaissance, network traffic capture/exfiltration and potentially lateral movement” the company said.

Cisco declined to say what country was behind the incident but Wired, which first reported on the campaign, said sources told them it “appears to be aligned with China's state interests.”

Cisco added that it uncovered a sophisticated attack campaign that was used to implant custom malware “across a small set of customers.”

The attackers conducted most of their activity between December 2023 and early January 2024 — but Cisco  found that the hackers were testing and developing the methods  as early as July 2023. 

Cisco said CISA and the cybersecurity agencies of Australia, United Kingdom and Canada were involved in the investigation. U.K. officials said in their own advisory that a “hard reboot by pulling the power plug from the Cisco ASA has been confirmed to prevent Line Runner from re-installing itself.”

The company added that the attacks are part of a larger trend — spotlighted by other prominent security firms this week — of state-backed espionage actors targeting edge devices like VPNs and, in this instance, firewalls. 

“Coveted by these actors, perimeter network devices are the perfect intrusion point for espionage-focused campaigns. As a critical path for data into and out of the network, these devices need to be routinely and promptly patched; using up-to-date hardware and software versions and configurations; and be closely monitored from a security perspective,” Cisco said. 

More than 2,750 of CrushFTP exposures are in US

CISA also added CVE-2024-4040 to the KEV list on Wednesday — a vulnerability that has caused alarm among security experts due to how widely used the Crush file transfer service is. 

Cybersecurity research firm Censys said it has  found over 2,750 CrushFTP exposures within the United States, making up nearly half of all exposures worldwide.

If successfully exploited, the vulnerability would allow an unauthenticated actor to potentially access any sensitive data a customer managed with the FTP client and achieve full system compromise, Censys said. 

Censys added that it was concerned because the number of exposed CrushFTP observed one week ago has largely not changed, “suggesting that either instances are being remediated and left online, or there may not be broader action taken in response to this vulnerability yet.”

The bug was announced by CrushFTP over the weekend and incident response firm CrowdStrike said it  has “observed this exploit being used in the wild in a targeted fashion.” CrowdStrike noted that “multiple U.S. entities were affected” and said the actors behind the exploitation were doing “intelligence-gather activity” and were “possibly politically motivated.”

The incident immediately reignited concern of a repeat of situations faced in 2023 — where the Clop ransomware gang exploited issues in two popular file transfer tools to steal data from thousands of organizations around the world.