Cyberattacks on logistics are becoming increasingly common, and the potential impact is enormous.

Chahak Mittal, Cybersecurity GRC Manager, Universal Logistics Holdings, Inc.

April 25, 2024

5 Min Read

Source: Rawf8 via Alamy Stock Photo

COMMENTARY

Imagine you're standing in a bustling city, surrounded by the symphony of commerce. The exchange of goods and the flow of transportation are all around you. This is the heartbeat of our global economy. But what would happen if this heartbeat were to be disrupted? If the very lifeblood of our interconnected world were to falter — or worse, come to a grinding halt?

The consequences would be catastrophic. Imagine empty shelves in grocery stores, gas stations running out of fuel, and hospitals unable to get the supplies they need. Imagine widespread panic and social unrest.

This is not just a hypothetical scenario. It's a real threat we need to take seriously. Cyberattacks on logistics are becoming increasingly common, and the potential impact is enormous. Logistics is the backbone of our global economy. It's the process that keeps the world's shelves stocked and the wheels of commerce turning.

**Cyberattacks on Logistics May Have Severe Ramifications**

Let's first discuss why cyberattacks on logistics are so concerning.

Remember back to the haunting early days of the pandemic. Lockdown measures paralyzed entire nations, factories fell silent, and transportation came to a grinding halt. The repercussions were profound, as essential goods faced severe delays, and shortages left many in dire straits. The fabric of our interconnected world was put to the test, and the challenges were immense.

Four years later, we see news headlines about cyberattacks on Ukraine's logistics and its global impact. Think for a moment about the unimaginable consequences if a cyberattack were to disrupt logistics on a larger scale than COVID-19 or even exceed its impact.

It is unsettling that a nation could be brought to its knees not by an army or weapons but by code on a computer. This prospect cannot be ignored, especially given that the transport and logistics industry is undergoing a digital transformation.

Companies are increasingly using digitalization tools to streamline all processes, from warehouse inventory management to vehicle tracking. This is a good thing, of course. Digitalization can help to improve efficiency, reduce costs, and improve customer service. But there is a dark side to digitalization. The more digitized a company is, the more vulnerable it is to cyberattacks.

**An Expanded Battlefield**

Let's now delve into the second part of our journey: understanding how cyberattacks on logistics can be weaponized. Throughout history, proper logistics have always been the secret weapon behind any victorious endeavor, whether in war or other ventures. From the days of the Civil War, where horses, mules, and wagons provided armies the food, equipment, and ammunition they needed, to the modern era with colossal military operations with intricate supply chains, logistics have always been the beating heart of success.

Now the battlefield has expanded into the digital realm. The logistics that have propelled economies and nations forward are now vulnerable to a new kind of adversary –— one that wields not swords and shields, but lines of code and malicious intent.

But let's go even deeper. What if these cyberattacks on logistics were not just the work of lone hackers seeking chaos? What if they were orchestrated by state actors with strategic intent? The Russia-Ukraine conflict has demonstrated the potential of such scenarios. The cyber offensive aimed at Ukraine reached far beyond its borders, affecting global supply chains and sending shockwaves through economies. 

In this ever-evolving digital landscape, a new kind of arsenal is being amassed in the shadows: stockpiled zero-day vulnerabilities. Just as nations once accumulated weapons to safeguard their sovereignty, they now amass vulnerabilities as digital ammunition. These zero-day vulnerabilities, arcane exploits unknown even to software creators, have become potent tools of cyber warfare.

Imagine the power of a nation armed with a stockpile of these vulnerabilities. It can strike silently, crippling logistical infrastructures without firing a single shot. This reality becomes more tangible as each day passes. The Russia-Ukraine conflict showcases this new arsenal's alarming potential, serving as a reminder that our reliance on interconnected logistics is both a strength and a vulnerability.

**Fortifying Our Defenses**

So, where do we go from here? How can we fortify our logistical arteries against these emerging threats? Just as the strength of a nation's military once depended on its ability to ensure a steady flow of supplies to the frontlines, today's battles are won by safeguarding the flow of data, goods, and services.

The lessons of history remain relevant — a robust logistics network is not only essential for prosperity, but it is also a fundamental pillar of security. We must invest in cyber-defense strategies that mirror the importance we place on physical defense. Collaboration between governments, industries, and international partners is paramount. The private sector, too, holds a pivotal role.

As we embrace digitalization, we must do so with cybersecurity at the forefront. Companies must not only prioritize efficiency but also fortify their digital infrastructure against potential attacks. 

Strong alliances, collaborative diplomacy, and international cooperation are essential to our defense strategy. Just as alliances between nations bolster our military might, alliances between industries and governments can fortify cybersecurity. By harnessing the power of cyber and soft power in harmony, we can navigate the intricate dance of modern warfare.

The time to act is now. We stand at a crossroads where the path of progress intersects with the shadows of uncertainty. The interconnectedness that has fueled our global economy is also its Achilles' heel. Cyberattacks on logistics are not a distant possibility; they are a sobering reality.

The disruption of our supply chains, the paralysis of our economies — these are the stakes we face. But history has shown us that challenges can become catalysts for innovation. We can forge a new paradigm, one where technology and diplomacy converge to safeguard our way of life.

It is a future where alliances are not just forged on battlefields, but in virtual boardrooms and digital summits, and where the strength of a nation's cybersecurity is as integral to its defense strategy as its military might.

**About the Author(s)**

Cybersecurity GRC Manager, Universal Logistics Holdings, Inc.

Chahak Mittal is a Certified Information Systems Security Professional (CISSP) and Cybersecurity Governance, Risk, and Compliance Manager at Universal Logistics. She is a cybersecurity leader deeply committed to knowledge sharing and community engagement. Through her roles as a Judge at Globee Awards, Major League Hacking (MLH) Hackathons, and as a dedicated cybersecurity instructor volunteer in the Microsoft TEALS Program, she has actively contributed to the cybersecurity ecosystem. Chahak's active involvement in organizations such as the Information Systems Security Association and SecureWorld's Detroit Advisory Council has been instrumental in her pursuit of staying at the forefront of industry trends and challenges. Furthermore, she has channeled her insights into thought-provoking cybersecurity articles, published on SecureWorld.io, ISC2, and CyberDefense Magazine, making a meaningful contribution to the field's intellectual discourse.

Digital Blitzkrieg: Unveiling Cyber-Logistics Warfare

Attacks by a previously unknown threat actor leveraged two bugs in firewall devices to install custom backdoors on several government networks globally.

Source: Znakki via Shutterstock

A state-sponsored threat actor has exploited two Cisco zero-day vulnerabilities in firewall devices to target the perimeter of government networks with two custom-built backdoors, in a global cyber-espionage campaign.

Dubbed "ArcaneDoor," the campaign by the previously unknown actor — which researchers from Cisco Talos track as UAT4356 — has targeted Cisco Adaptive Security Appliance (ASA) firewall devices of several Cisco customers since at least December 2023, Cisco Talos researchers revealed in a blog post.

While the actor's initial access vector remains unknown, once it occurs, UAT4356 used a "sophisticated attack chain" involving exploit of the two vulnerabilities — a denial-of-service flaw tracked as CVE-2024-20353 and a persistent local execution flaw tracked as CVE-2024-20359 that have since been patched — to implant malware and execute commands across a small set of Cisco customers. Cisco Talos also flagged a third flaw in ASA, CVE-2024-20358, that was not used in the ArcaneDoor campaign.

The researchers also found evidence that the actor has interest in and potentially will attack devices from Microsoft and other vendors, making it crucial that organizations ensure that all perimeter devices "are properly patched, logging to a central, secure location, and configured to have strong multifactor authentication (MFA)," Cisco Talos wrote in the post.

**Custom Backdoor Malware for Global Governments**

The first sign of suspicious activity in the campaign came in early 2024 when a customer reached out to Cisco's Product Security Incident Response Team (PSIRT) and Cisco Talos about security concerns with its ASA firewall devices.

A subsequent several-months-long investigation conducted by Cisco and intelligence partners uncovered threat actor-controlled infrastructure dating back to early November 2023. Most of the attacks — all of which targeted government networks globally —occurred between December and early January. There is also evidence that the actor — which Microsoft also is now tracking as STORM-1849 — was testing and developing its capability as early as last July.

The primary payloads of the campaign are two custom backdoors— "Line Dancer" and "Line Runner" — which were used together by UAT4356 to conduct malicious activities on the network, such as configuration and modification; reconnaissance; network traffic capture/exfiltration; and potentially lateral movement.  

Line Dancer is a memory-resident shellcode interpreter that enables adversaries to upload and execute arbitrary shellcode payloads. In the campaign, Cisco Talos observed the malware being used to execute various commands on an ASA device, including: disabling the syslog; running and exfiltrating the command show configuration; creating and exfiltrating packet captures; and executing commands present in the shellcode, among other activities.

Line Runner meanwhile is a persistence mechanism deployed on the ASA device using functionality related to a legacy capability that allowed for the pre-loading of VPN clients and plugins on the device during booting that can be exploited as CVE-2024-20359, according to Cisco Talos. In at least one case, the threat actor also abused CVE-2024-20353 to facilitate this process.

"The attackers were able to leverage this vulnerability to cause the target ASA device to reboot, triggering the unzipping and installing" of Line Runner, according to the researchers.

**Protect the Perimeter From Cyberattackers**

Perimeter devices, which sit at the edge between an organization's internal network and the Internet, "are the perfect intrusion point for espionage-focused campaigns," providing threat actors a way to gain a foothold to "directly pivot into an organization, reroute or modify traffic, and monitor network communications into the secure network, according to Cisco Talos.

Zero-days on these devices are an especially attractive attack surface on these devices, notes Andrew Costis, chapter lead of the Adversary Research Team at MITRE ATT&CK testing firm AttackIQ.

"We've seen time and time again critical zero and n-day vulnerabilities being exploited with all of the mainstream security appliances and software," he says, noting previous attacks on bugs in devices from Ivanti, Palo Alto Networks, and others.

The threat to these devices highlights the need for organizations to "routinely and promptly" patch them using up-to-date hardware and software versions and configurations, as well as maintain close security monitoring of them, according to Cisco Talos.

Organizations also should focus on post-compromise TTPs of threat actors and test known adversary behaviors as part of "a layered approach" to defensive network operations, Costis says.

**Detecting ArcaneDoor Cyberattack Activity**

Indicators of compromise (IoCs) that customers can look for if they suspect they may have been targeted by ArcaneDoor include any flows to/from ASA devices to any of the IP addresses present in the IOC list included in the blog.

Organizations also can issue the command "show memory region | include lina" to identify another IOC. "If the output indicates more than one executable memory region … especially if one of these memory sections is exactly 0x1000 bytes, then this is a sign of potential tampering," Cisco Talos wrote.  

And, Cisco provided two sets of steps that network administrators can take to identify and remove the ArcaneDoor persistence backdoor Line Runner on an ASA device once the patch is applied. The first is to conduct a review of the contents of disk0; if a new file (e.g., "client\_bundle\_install.zip" or any other unusual .zip file) appears on the disk, it means that Line Runner had been present but is no longer active due to the update.

Administrators also can follow a series of commands provided that will create an innocuous file with a .zip extension that will be read by the ASA at reboot. If it appears on disk0, it means that Line Runner likely was present on the device in question. Administrators can then delete the "client\_bundle\_install.zip" file to remove the backdoor.

If administrators find a newly created .zip file on their ASA devices, they should copy that file off the device and email \[email protected\] using a reference to CVE-2024-20359 and including the outputs of the "dir disk0:" and "show version" commands from the device, as well as the .zip file that they extracted.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Cisco Zero-Days Anchor 'ArcaneDoor' Cyber-Espionage Campaign

By Uzair Amir
The role of Network Detection and Response (NDR) in cybersecurity. Learn how NDR tools empower organizations to tackle evolving threats effectively.
This is a post from HackRead.com Read the original post: NDR in the Modern Cybersecurity Landscape

In today’s information age, businesses are increasingly reliant on interconnected networks and cloud infrastructures, and **protecting digital assets against cyber threats** has become a paramount concern.

Network Detection and Response (NDR) is a critical component in the arsenal of cybersecurity tools, offering advanced capabilities to monitor, analyze, and respond to threats traversing network environments.

As organizations confront the complexities of modern cyber threats, understanding the role and significance of NDR is essential for bolstering their cybersecurity posture.

****Understanding NDR in Cybersecurity****

Modern cybersecurity uses the concept of Network Detection and Response (NDR) as an active approach to fortifying network defences against threats. But what exactly is NDR in cybersecurity, and how does it function within the broader security landscape?

**What is NDR in cyber security?** NDR, also known as network detection and response, covers a set of cybersecurity techniques designed to monitor and analyze network traffic for potential security threats.

Unlike traditional security measures that focus primarily on endpoint protection or perimeter defence, NDR operates within the network infrastructure, using advanced detection techniques such as artificial intelligence and machine learning to identify anomalous behaviour and potential indicators of compromise (IOCs).

NDR serves as an active defence mechanism, providing organizations with real-time visibility into their network traffic and enabling rapid response to threats. By continuously monitoring network activity and analyzing patterns, NDR solutions empower security teams to detect and neutralize potential threats before they can cause huge harm or compromise sensitive data.

****The Purpose of NDR****

The primary objective of NDR is to enhance network visibility and security by providing organizations with the means to detect and respond to security incidents in a timely and effective manner. But what specific purposes does NDR serve within cybersecurity, and how does it contribute to threat mitigation?

****Early Threat Detection****

By optimizing network visibility, NDR enables organizations to identify malicious activity and **indicators of compromise (IOCs)** at an early stage. Through the analysis of network traffic data, security teams can detect unauthorized activity, unusual communication patterns, and anomalous behaviours, allowing them to take proactive measures to neutralize threats before they escalate.

****Rapid Incident Response****

Enhanced network visibility facilitated by NDR enables real-time monitoring and analysis of network traffic, empowering organizations to respond swiftly to security incidents as they occur. By tracking the source, extent, and impact of an event, security teams can implement prompt remediation measures to mitigate its effects and minimize potential damage.

****Comprehensive Threat Analysis****

Increased network visibility provided by NDR facilitates in-depth examination of network data, enabling organizations to gain insights into potential threat proliferation. By analyzing network communication patterns, traffic flows, and data transfers, security teams can identify malicious behaviour, detect malware infections, and uncover hidden threats, thereby enhancing their understanding of attacker tactics, techniques, and procedures (TTPs).

For organizations seeking to strengthen their defences against emerging threats, selecting the right NDR solution is important. While several vendors offer NDR capabilities, a few stand out for their innovative features and comprehensive security offerings.

****Arctic Wolf****

As a managed NDR provider, Arctic Wolf offers a suite of security solutions aimed at identifying, tracking, and mitigating cyber threats. With its Security Operations Center-as-a-Service (SOC-as-a-Service), Arctic Wolf helps organizations detect security flaws, proactively mitigate risks, and prioritize remediation efforts.

****Attivo Networks****

Leveraging deception methods, Attivo Networks’ threat defence platform detects and neutralizes post-compromise threats, including in-network threat activity and lateral movement by attackers. Through its ThreatDirect and BOTsink components, Attivo Networks extends network deception tactics to cloud, remote distributed, and micro-segmented systems, providing organizations with enhanced threat detection capabilities.

****Stellar Cyber** **

Stellar Cyber is an NDR solution that enables organizations to safeguard their data and maximize the effectiveness of their security investments. By aggregating and analyzing log data, it helps organizations prioritize security alerts for investigation, providing knowledge to enhance their security posture.

****Darktrace****

Built on self-learning cyber-AI, Darktrace’s Enterprise Immune System employs advanced AI and machine-learning techniques to detect attacks and insider threats. Without relying on rules or signatures, Darktrace identifies subtle indicators of sophisticated attacks, providing organizations with comprehensive threat detection capabilities.

****Emerging Trends in NDR****

Several new trends are shaping the future of network detection and response. These trends reflect the nature of cyber threats and the need for innovative approaches to combating them effectively.

****AI-Powered Threat Detection****

As cyber threats become more sophisticated and difficult to detect, NDR solutions are increasingly using artificial intelligence (AI) and machine learning (ML) algorithms to enhance threat detection capabilities. By analyzing vast amounts of network data and identifying patterns indicative of malicious activity, AI-powered NDR solutions can detect and respond to threats in real-time, even as attackers evolve their tactics.

****Behavioral Analytics****

Traditional signature-based detection methods are often ineffective against zero-day attacks. To address this challenge, NDR solutions are incorporating behavioural analytics techniques to identify anomalous behaviour and deviations from normal network patterns. By establishing baselines of “normal” network behaviour, NDR solutions can detect and alert suspicious activities that may indicate a security threat.

****Cloud-Native NDR****

With the widespread adoption of cloud computing and hybrid infrastructures, NDR solutions are evolving to provide native support for cloud environments. Cloud-native NDR solutions offer easy integration with cloud platforms, enabling organizations to monitor and protect their cloud-based assets effectively. By extending visibility and threat detection capabilities to the cloud, these solutions help organizations maintain a consistent security posture across their entire infrastructure.

****Threat Intelligence Integration****

Integrating threat intelligence feeds into NDR solutions enhances their ability to identify and respond to threats. By using up-to-date threat intelligence data from reputable sources, NDR solutions can prioritize alerts and provide insights to security teams. This approach enables organizations to stay ahead of new threats and mitigate potential risks before they escalate.

****Automation and Orchestration****

The growing cyber threats and limited security resources, as well as automation and orchestration, are becoming essential components of NDR solutions. By automating repetitive tasks and orchestrating incident response processes, NDR solutions enable security teams to streamline operations and respond to threats more effectively. This allows organizations to maximize the efficiency of their security operations and focus their resources on high-priority tasks.

****Market Dynamics and Future Trends****

The network detection and response market continues to change rapidly, driven by new technologies and new threats. Reports from Quadrant Knowledge Solutions offer insights into market dynamics and future trends, enabling organizations to scale through the NDR security landscape and select the most suitable platform for their needs.

By harnessing the insights and capabilities offered by NDR solutions, organizations can strengthen their cybersecurity posture and ensure protection for their digital assets. Integrating NDR into their security stack empowers organizations to detect, analyze, and respond to threats effectively, mitigating potential risks and safeguarding against cyber attacks.

****Conclusion****

Network Detection and Response (NDR) plays a vital role in the modern cybersecurity space, offering organizations the ability to actively identify, analyze, and mitigate security threats in real-time. By providing enhanced network visibility and threat detection capabilities, NDR solutions empower security teams to detect and respond to the latest threats swiftly and effectively.

As organizations continue to confront the complexities of modern cyber threats, understanding the need for NDR and selecting the right solution is **essential for boosting their cybersecurity defences**. By using the insights and capabilities offered by NDR solutions, organizations can enhance their resilience against cyber attacks and safeguard their digital assets.

NDR in the Modern Cybersecurity Landscape

By Waqas
Using Google Chrome? Update your browser to the latest version right now!
This is a post from HackRead.com Read the original post: Google Patches Critical Chrome Vulnerability and Additional Flaws

Google Chrome users beware! A critical vulnerability (CVE-2024-4058) has been patched in the latest update (version 124). This flaw could allow attackers to take control of your system.

Google addressed a critical vulnerability (CVE-2024-4058) in its Chrome web browser on Wednesday, April 24th, 2024. This flaw resides within the ANGLE graphics layer engine and carries a “critical” severity rating, indicating its potential for severe exploitation.

While the critical CVE-2024-4058 garnered the most attention, Google’s Chrome update (version 124) also patched two additional high-severity vulnerabilities:

*   **CVE-2024-4059:** This vulnerability is classified as an out-of-bounds read within the V8 JavaScript engine. An out-of-bounds read allows attackers to access memory locations they shouldn’t, potentially revealing sensitive information.
*   **CVE-2024-4060:** This vulnerability is a use-after-free issue in the Dawn component. Use-after-free vulnerabilities can lead to crashes or potentially code execution depending on how they are exploited.

****The Importance of Updating****

While the specific details and exploitability of CVE-2024-4059 and CVE-2024-4060 are not yet fully public, it’s important to update Chrome regardless. A high-severity rating suggests these vulnerabilities could also be weaponized by attackers, so patching promptly remains the best course of action.

Jason Soroko, Senior Vice President of Product at Sectigo commented on the update stating, _“_CVE-2024-4058, a Type Confusion in ANGLE, is a vulnerability categorized as critical because it could allow remote code execution (RCE), enabling attackers to put malware onto the victim’s device. This latest vulnerability is a bad one for sure, and therefore it would be critical to patch this immediately._”_

****How to Protect Yourself****

The safest course of action is to update your Google Chrome browser immediately. Google has released Chrome version 124 which addresses this vulnerability alongside other security fixes. Here’s how to update Chrome:

*   **Windows & Mac:** Open Chrome, click the three vertical dots in the top right corner, go to “Help” and then “About Chrome.” Chrome will automatically check for updates and install them if available.
*   **Linux:** The update process for Linux may vary depending on your distribution. Consult your distribution’s documentation for specific update instructions.

Updating to Chrome version 124 protects you from these critical, high-severity, and potentially dangerous vulnerabilities. For additional technical details and a full list of changes in this build visit the Log section.

1.  Critical Chrome Update Counters Spyware Vendor’s Exploits
2.  Google Chrome to Mask User IP Addresses to Protect Privacy
3.  Fake Chrome Browser Update Installs NetSupport Manager RAT
4.  CISA Warns of Chrome and Excel Parsing LibraryExploitable Flaws
5.  Fantom Foundation Suffers Wallet Hack Via Google Chrome 0-Day

Google Patches Critical Chrome Vulnerability and Additional Flaws

By Deeba Ahmed
Popular File Transfer Software Hit by Zero-Day Exploit: Millions Potentially Exposed - Install Patches Right Now!
This is a post from HackRead.com Read the original post: Popular File Transfer Software CrushFTP Hit by Zero-Day Exploit

A critical zero-day vulnerability in CrushFTP, a popular file transfer software, allows attackers to download sensitive system files. This puts millions of users at risk! Learn how to protect yourself from this exploit and secure your file transfers.

Attention file transfer users! A recently discovered zero-day exploit in CrushFTP, a popular enterprise file transfer software solution, has sent security researchers scrambling. This critical vulnerability could allow attackers to download sensitive system files, potentially compromising the security of millions of users worldwide.

****What is CrushFTP and Why Should You Care?****

CrushFTP is a widely used software program that enables secure file transfers between computers and servers, offering functionalities like FTP, SFTP, FTPS, WebDAV, and more. However, the recent discovery of a zero-day exploit raises concerns about the potential for unauthorized access and data breaches, making businesses/organizations using it for data exchanges vulnerable.

****How Does the Exploit Work?****

The vulnerability (CVE-2024-4040), identified by Simon Garrelou of Airbus CERT, allows attackers to bypass the software’s virtual file system (VFS) restrictions and download system files that are typically off-limits. This unauthorized access could lead to the theft of sensitive data, the installation of malicious software, and disruption of file transfer operations or server inoperability.

****Who is Affected?****

The exact number of affected users is unknown, but CrushFTP boasts a significant user base across various industries. Organizations of all sizes, from small businesses to large enterprises, could be at risk if they haven’t applied the latest security patch, details of which can be found in CrushFTP’s advisory.

“CrushFTP v11 versions below 11.1 have a vulnerability where users can escape their VFS and download system files. This has been patched in v11.1.0,” the advisory read.

It must be noted that customers operating CrushFTP instances within a demilitarized zone (DMZ) are safe from the attacks. The flaw is yet to receive a CVE identifier.

Cybersecurity firm CrowdStrike reported an exploit for the CrushFTP Zero-Day flaw targeting U.S. entities in what it believes is a politically motivated intelligence-gathering activity.

However, CrushFTP’s founder, Ben Spink, claims the company hasn’t received any user complaints as yet whereas the vulnerability was patched within hours of identification.

To update CrushFTP to the latest version v11.1.0, log in to the dashboard, click the About tab, and click Update> Update Now. Wait 5 minutes for files to download, unzip, and copy, then auto-restart CrushFTP.

1.  WinRAR users update software as 0-day vulnerability is found
2.  WeTransfer phishing attack spoofs file-sharing to steal credential
3.  APT Winter Vivern Exploits Roundcube 0-Day against European Entities

Popular File Transfer Software CrushFTP Hit by Zero-Day Exploit

Follow this real-life network attack simulation, covering 6 steps from Initial Access to Data Exfiltration. See how attackers remain undetected with the simplest tools and why you need multiple choke points in your defense strategy.
Surprisingly, most network attacks are not exceptionally sophisticated, technologically advanced, or reliant on zero-day tools that exploit

Network Threats: A Step-by-Step Attack Demonstration

A new malware campaign leveraged two zero-day flaws in Cisco networking gear to deliver custom malware and facilitate covert data collection on target environments.
Cisco Talos, which dubbed the activity ArcaneDoor, attributing it as the handiwork of a previously undocumented sophisticated state-sponsored actor it tracks under the name UAT4356 (aka Storm-1849 by Microsoft).
"

State-Sponsored Hackers Exploit Two Cisco Zero-Day Vulnerabilities for Espionage

Sources suspect China is behind the targeted exploitation of two zero-day vulnerabilities in Cisco’s security appliances.

Network security appliances like firewalls are meant to keep hackers out. Instead, digital intruders are increasingly targeting them as the weak link that lets them pillage the very systems those devices are meant to protect. In the case of one hacking campaign over recent months, Cisco is now revealing that its firewalls served as beachheads for sophisticated hackers penetrating multiple government networks around the world.

On Wednesday, Cisco warned that its so-called Adaptive Security Appliances—devices that integrate a firewall and VPN with other security features—had been targeted by state-sponsored spies who exploited two zero-day vulnerabilities in the networking giant's gear to compromise government targets globally in a hacking campaign it's calling ArcaneDoor.

The hackers behind the intrusions, which Cisco's security division Talos is calling UAT4356 and which Microsoft researchers who contributed to the investigation have named STORM-1849, couldn't be clearly tied to any previous intrusion incidents the companies had tracked. Based on the group's espionage focus and sophistication, however, Cisco says the hacking appeared to be state-sponsored.

“This actor utilized bespoke tooling that demonstrated a clear focus on espionage and an in-depth knowledge of the devices that they targeted, hallmarks of a sophisticated state-sponsored actor,” a blog post from Cisco's Talos researchers reads.

Cisco declined to say which country it believed to be responsible for the intrusions, but sources familiar with the investigation tell WIRED the campaign appears to be aligned with China's state interests.

Cisco says the hacking campaign began as early as November 2023, with the majority of intrusions taking place between December and early January of this year, when it learned of the first victim. “The investigation that followed identified additional victims, all of which involved government networks globally,” the company's report reads.

In those intrusions, the hackers exploited two newly discovered vulnerabilities in Cisco's ASA products. One, which it's calling Line Dancer, let the hackers run their own malicious code in the memory of the network appliances, allowing them to issue commands to the devices, including the ability to spy on network traffic and steal data. A second vulnerability, which Cisco is calling Line Runner, would allow the hackers' malware to maintain its access to the target devices even when they were rebooted or updated. It's not yet clear if the vulnerabilities served as the initial access points to the victim networks, or how the hackers might have otherwise gained access before exploiting the Cisco appliances.

Cisco has released software updates to patch both vulnerabilities, and advises that customers implement them immediately, along with other recommendations for detecting whether they've been targeted. Despite the hackers' Line Runner persistence mechanism, a separate advisory from the UK's National Cybersecurity Center notes that physically unplugging an ASA device does disrupt the hackers' access. “A hard reboot by pulling the power plug from the Cisco ASA has been confirmed to prevent Line Runner from re-installing itself,” the advisory reads.

The ArcaneDoor hacking campaign represents just the latest series of intrusions to target network perimeter applications sometimes referred to as “edge” devices like email servers, firewalls, and VPNs—often devices intended to provide security—whose vulnerabilities allowed hackers to obtain a staging point inside a victim's network. Cisco's Talos researchers warn of that broader trend in their report, referring to highly sensitive networks that they've seen targeted via edge devices in recent years. “Gaining a foothold on these devices allows an actor to directly pivot into an organization, reroute or modify traffic and monitor network communications,” they write. “In the past two years, we have seen a dramatic and sustained increase in the targeting of these devices in areas such as telecommunications providers and energy sector organizations—critical infrastructure entities that are likely strategic targets of interest for many foreign governments.”

State-sponsored hackers' shift to compromising edge devices has become prevalent enough over the past year that Google-owned security firm Mandiant also highlighted it in its annual M-Trends report earlier this week, based on the company's threat intelligence and incident response findings. The report points to widely exploited vulnerabilities in network edge devices sold by Barracuda and Ivanti and notes that hackers—and specifically espionage-focused Chinese groups—are building custom malware for edge devices, in part because many networks have little or no way to monitor for compromise of the devices. Detecting the ArcaneDoor hackers' access to Cisco ASA appliances, in particular, is “incredibly difficult,” according to the advisory from the UK's NCSC.

Mandiant notes that it has observed Russian state-sponsored hackers targeting edge devices too: It's observed the unit of Russia's GRU military intelligence agency, known as Sandworm, repeatedly hack edge devices used by Ukrainian organizations to gain and maintain access to those victim networks, often for data-destroying cyberattacks. In some cases, the lack of visibility and monitoring in those edge devices has meant that Sandworm was able to wipe a victim network while holding on to its control of an edge device—then hit the same network again.

“They’re systemically targeting security appliances that sit on the edge for access to the rest of the network,” says John Hultquist, Mandiant's head of threat intelligence. “This is no longer an emerging trend. It's established."

Hultquist notes, however, that China is unmatched in its discovery and use of network appliance zero days, like the ones it has used to run rampant through Cisco firewalls over the past several months. He expects more to come, as China's cyberspies continue to turn devices meant to protect target networks against their owners. “It's unlikely these zero days are being produced haphazardly. We suspect a well-resourced, coordinated effort is underway to find and exploit these vulnerabilities,” Hultquist says. “Unfortunately, we'll almost certainly see several more zero-days in security appliances this year.”

'ArcaneDoor' Cyberspies Hacked Cisco Firewalls to Access Government Networks

ArcaneDoor is a campaign that is the latest example of state-sponsored actors targeting perimeter network devices from multiple vendors. Coveted by these actors, perimeter network devices are the perfect intrusion point for espionage-focused campaigns.

ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices

An exploit for the vulnerability allows unauthenticated attackers to escape a virtual file system sandbox to download system files and potentially achieve RCE.

Source: Andre Boukreev via Shutterstock

Virtual file transfer system provider CrushFTP and various security researchers are sounding the alarm about a sandbox escape flaw in the CrushFTP server that attackers already have exploited as a zero-day in attacks against organizations in the US.

CrushFTP is a multiprotocol, multiplatform, cloud-based file transfer server. The security vulnerability, tracked as CVE-2024-4040, is an improper input validation bug in the CrushFTP file transfer server version 11.1. The company unveiled and patched the flaw on April 19 with the release of version 11.1.0 of the product; however, there already were various reports of threat actors hammering the flaw with an existing exploit.

These attacks, which were potentially "politically motivated," were targeted in nature for intelligence gathering and detected at various US entities, according to Crowdstrike's threat hunters Falcon OverWatch and Falcon Intelligence, which published an advisory on Reddit.

**A Developing Attack Scenario for Cloud File Transfer**

The attack scenario is developing, with new research by Tenable published April 23 identifying more than 7,100 CrushFTP servers publicly accessible "based on a Shodan query in a Nuclei template created by h4sh," according to the report. However, "it's unclear how many of these systems are potentially vulnerable," Satnam Narang, a Tenable senior staff research engineer, noted in the post.

Attacks are likely to continue on unpatched servers given that a proof-of-concept (PoC) exploit for the flaw is now publicly available, posted April 23 to GitHub by the researcher who discovered and reported the flaw to CrushFTP, Simon Garrelou of Airbus Community Emergency Response Team (CERT), Narang added.

Other attackers also aim to benefit from all the attention in the flaw, by targeting users with fake PoCs, Narang wrote, noting there already is a repository posted to GitHub that directs users to a third-party site called SatoshiDisk, which requests a payment of 0.00735 bitcoin (around $513) for an alleged exploit.

"It is unlikely that the exploit code will work and we do not expect it to be malicious in nature," Narang wrote. "Instead, it is more likely that the attackers are seeking to make money from the interest in the exploit code for this vulnerability."

**CVE-2024-4040: Potential for RCE**

The vulnerability as described by the vendor is an arbitrary read flaw that allows an attacker with low privileges to escape the server's virtual file system (VFS) sandbox to access and download system files.

However, there is evidence that it is more to the flaw than has so far been reported, Rapid7 researchers noted in a blog post published on April 23.

"Although the vulnerability has been formally described as an arbitrary file read, Rapid7 believes that it can be more accurately categorized as a server-side template injection (SSTI)," Caitlin Condon, Rapid7's director of vulnerability intelligence, wrote in the post.

CVE-2024-4040 is a "fully unauthenticated flaw" and is easy to exploit; successful exploitation allows not only or arbitrary file read as root, but also authentication bypass for administrator account access and full remote code execution (RCE), she observed.

"Successful exploitation allows a remote, unauthenticated attacker to access and potentially exfiltrate all files stored on the CrushFTP instance," Condon wrote.

**Exploit Code Available**

The PoC exploit posted by Garrelou includes two scripts. The first, scan\_host.py, attempts to use the vulnerability to read files outside the sandbox, according to the GitHub post.

"If it succeeds, the script writes Vulnerable to standard output and returns with exit code 1," according to Garrelou. "If exploiting the vulnerability does not succeed, the script writes Not vulnerable and exits with status code 0."

The second script, scan\_logs.py, looks for indicators of compromise in a CrushFTP server installation directory and, upon finding them, will attempt to extract the IP that tried to exploit the server.

**Patch Now for Full Protection**

The best way for organizations with CrushFTP present in their environment to mitigate the situation is to update their systems to the patched version of the product now, the company and security researchers alike advised.

Customers using a front-end demilitarized zone (DMZ) server to process protocols and connections in front of their main CrushFTP instance are afforded partial protection from exploit due to the protocol translation system used in the DMZ, according to CrushFTP.

"A DMZ, however, does not fully protect you, and you must update immediately," the company advised customers in its advisory. One of the factors complicating an organization's detection of exploitation of CVE-2024-4040 is that payloads "can be delivered in many different forms," Rapid7's Condon noted.

"When certain evasive techniques are leveraged, payloads will be redacted from logs and request history, and malicious requests will be difficult to discern from legitimate traffic," she wrote.

For this reason, Rapid7 recommends that CrushFTP customers harden their servers against administrator-level RCE attacks by enabling Limited Server mode with the most restrictive configuration possible. Condon added that they also should use firewalls wherever possible to aggressively restrict which IP addresses are permitted to access CrushFTP services.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Tag

#zero_day