VULNERA Pulse

CrushFTP — CrushFTP

CVE-2024-4040 / Added: April 24, 2024

CRITICAL CVSS 10.00 EPSS Score 0.21 EPSS Percentile 58.59

CrushFTP contains an unspecified sandbox escape vulnerability that allows a remote attacker to escape the CrushFTP virtual file system (VFS).

Headlines

• April 26, 2024 - +1,400 CrushFTP servers vulnerable to CVE-2024-4040
• April 25, 2024 - Over 1,400 CrushFTP servers vulnerable to actively exploited bug
• April 25, 2024 - CISA Added Critical Vulnerabilities in Cisco Products and CrushFTP to KEV
• April 24, 2024 - Patch Now: CrushFTP Zero-Day Cloud Exploit Targets US Orgs
• April 23, 2024 - CrushFTP zero-day exploited by attackers, upgrade immediately! (CVE-2024-4040)
• April 23, 2024 - CVE-2024-4040: CrushFTP Users Targeted in Zero-Day Attack Campaign

Back to top ↑

Cisco — Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD)

CVE-2024-20353 / Added: April 24, 2024

HIGH CVSS 8.60 EPSS Score 1.18 EPSS Percentile 84.86

Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain an infinite loop vulnerability that can lead to remote denial of service condition.

Headlines

• April 25, 2024 - CISA adds Cisco ASA and FTD and CrushFTP VFS flaws to its Known Exploited Vulnerabilities catalog
• April 25, 2024 - Cisco Zero-Days Anchor 'ArcaneDoor' Cyber Espionage Campaign
• April 25, 2024 - State-Sponsored Espionage Campaign Exploits Cisco Vulnerabilities
• April 25, 2024 - State-Sponsored Hackers Exploit Two Cisco Zero-Day Vulnerabilities for Espionage
• April 25, 2024 - CISA Added Critical Vulnerabilities in Cisco Products and CrushFTP to KEV
• April 25, 2024 - Nation-State Hackers Breach Cisco Devices in "ArcaneDoor" Espionage Campaign
• April 24, 2024 - 'Sophisticated' nation-state crew exploiting Cisco firewalls
• April 24, 2024 - Nation-state actors exploited two zero-days in ASA and FTD firewalls to breach government networks
• April 24, 2024 - Hackers backdoored Cisco ASA devices via two zero-days (CVE-2024-20353, CVE-2024-20359)
• April 24, 2024 - ArcaneDoor hackers exploit Cisco zero-days to breach govt networks
• April 24, 2024 - ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices
• April 24, 2024 - Cisco Releases Security Updates Addressing ArcaneDoor, Vulnerabilities in Cisco Firewall Platforms | CISA

Back to top ↑

Cisco — Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD)

CVE-2024-20359 / Added: April 24, 2024

MEDIUM CVSS 6.00 EPSS Score 1.18 EPSS Percentile 84.86

Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain a privilege escalation vulnerability that can allow local privilege escalation from Administrator to root.

Headlines

• April 25, 2024 - CISA adds Cisco ASA and FTD and CrushFTP VFS flaws to its Known Exploited Vulnerabilities catalog
• April 25, 2024 - Cisco Zero-Days Anchor 'ArcaneDoor' Cyber Espionage Campaign
• April 25, 2024 - State-Sponsored Espionage Campaign Exploits Cisco Vulnerabilities
• April 25, 2024 - State-Sponsored Hackers Exploit Two Cisco Zero-Day Vulnerabilities for Espionage
• April 25, 2024 - CISA Added Critical Vulnerabilities in Cisco Products and CrushFTP to KEV
• April 25, 2024 - Nation-State Hackers Breach Cisco Devices in "ArcaneDoor" Espionage Campaign
• April 24, 2024 - 'Sophisticated' nation-state crew exploiting Cisco firewalls
• April 24, 2024 - Nation-state actors exploited two zero-days in ASA and FTD firewalls to breach government networks
• April 24, 2024 - Hackers backdoored Cisco ASA devices via two zero-days (CVE-2024-20353, CVE-2024-20359)
• April 24, 2024 - ArcaneDoor hackers exploit Cisco zero-days to breach govt networks
• April 24, 2024 - ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices
• April 24, 2024 - Cisco Releases Security Updates Addressing ArcaneDoor, Vulnerabilities in Cisco Firewall Platforms | CISA

Back to top ↑

Microsoft — Windows

CVE-2022-38028 / Added: April 23, 2024

HIGH CVSS 7.80 EPSS Score 0.05 EPSS Percentile 18.82

Microsoft Windows Print Spooler service contains a privilege escalation vulnerability. An attacker may modify a JavaScript constraints file and execute it with SYSTEM-level permissions.

Headlines

• April 25, 2024 - The private sector probably isn’t coming to save the NVD
• April 25, 2024 - CISA adds Microsoft Windows Print Spooler flaw to its Known Exploited Vulnerabilities catalog
• April 24, 2024 - CISA Warns of Windows Print Spooler Flaw After Microsoft Sees Russian Exploitation
• April 23, 2024 - New Microsoft Incident Response guide simplifies threat investigation |
• April 23, 2024 - Russian hackers' custom tool exploits old Windows Print Spooler flaw (CVE-2022-38028)
• April 23, 2024 - Russia's Fancy Bear Pummels Windows Print Spooler Bug
• April 23, 2024 - Russian Cyberspies Deliver 'GooseEgg' Malware to Government Organizations
• April 23, 2024 - Russian APT28 Group in New “GooseEgg” Hacking Campaign
• April 23, 2024 - Russia's APT28 Exploited Windows Print Spooler Flaw to Deploy 'GooseEgg' Malware
• April 23, 2024 - Russia-Linked Hackers Exploit Windows Zero-Day, Deploy "GooseEgg" to Hijack Networks
• April 23, 2024 - Russia's Fancy Bear attacks with print spooler malware
• April 22, 2024 - Russia-linked APT28 used tool GooseEgg for to exploit Win bug
• April 22, 2024 - Microsoft: APT28 hackers exploit Windows flaw reported by NSA
• April 22, 2024 - Microsoft: APT28 hackers exploit Windows flaw reported by NSA
• April 22, 2024 - Analyzing Forest Blizzard’s custom post-compromise tool for exploiting CVE-2022-38028 to obtain credentials |
• Oct. 12, 2022 - Microsoft Patch Tuesday Fixes New Windows Zero-Day; No Patch for Exchange Server Bugs

Back to top ↑

CVE-2024-3400

CRITICAL CVSS 10.00 EPSS Score 95.36 EPSS Percentile 99.33

CISA Known Exploited Actively Exploited Remote Code Execution Public Exploits Available

Published: April 12, 2024

A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability.

Vendors Impacted: Palo Alto Networks, Paloaltonetworks

Product Impacted: Pan-Os

Quotes

• Performing a private data reset eliminates risks of potential misuse of device data
• Proof of concepts for this vulnerability have been publicly disclosed by third parties
• In Q1 2024, the proportion of victims that chose to pay touched a new record low of 28%
• Device telemetry does not need to be enabled for PAN-OS firewalls to be exposed to attacks related to this vulnerability

Headlines

• April 26, 2024 - Palo Alto Updates Remediation for Max-Critical Firewall Bug
• April 26, 2024 - Palo Alto Networks Outlines Remediation for Critical PAN-OS Flaw Under Attack
• April 25, 2024 - Siemens RUGGEDCOM APE1808 Devices Configured with Palo Alto Networks Virtual NGFW | CISA
• April 23, 2024 - Siemens Working on Fix for Device Affected by Palo Alto Firewall Bug
• April 23, 2024 - Siemens Industrial Product Impacted by Exploited Palo Alto Firewall Vulnerability
• April 21, 2024 - newsletter Round 468 by Pierluigi Paganini – INTERNATIONAL EDITION
• April 21, 2024 - Week in review: Palo Alto firewalls mitigation ineffective, PuTTY client vulnerable to key recovery attack

CVE-2024-4040

CRITICAL CVSS 10.00 EPSS Score 0.21 EPSS Percentile 58.59

CISA Known Exploited Actively Exploited Remote Code Execution Public Exploits Available

Published: April 22, 2024

A server side template injection vulnerability in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows unauthenticated remote attackers to read files from the filesystem outside of the VFS Sandbox, bypass authentication to gain administrative access, and perform remote code execution on the server.

Vendor Impacted: Crushftp

Product Impacted: Crushftp

Quotes

• Fully unauthenticated and trivially exploitable
• Based on a Shodan query in a Nuclei template created by h4sh
• The bottom line of this vulnerability is that any unauthenticated or authenticated user via the WebInterface could retrieve system files that are not part of their VFS. This could lead to escalation as they learn more, etc
• On April 19, 2024, CrushFTP advised of a virtual file system escape present in their FTP software that could allows users to download system files. Falcon OverWatch and Falcon Intelligence have observed this exploit being used in the wild in a targeted fashion

Headlines

• April 26, 2024 - +1,400 CrushFTP servers vulnerable to CVE-2024-4040
• April 25, 2024 - Over 1,400 CrushFTP servers vulnerable to actively exploited bug
• April 25, 2024 - CISA Added Critical Vulnerabilities in Cisco Products and CrushFTP to KEV
• April 24, 2024 - Patch Now: CrushFTP Zero-Day Cloud Exploit Targets US Orgs
• April 23, 2024 - CrushFTP zero-day exploited by attackers, upgrade immediately! (CVE-2024-4040)
• April 23, 2024 - CVE-2024-4040: CrushFTP Users Targeted in Zero-Day Attack Campaign

CVE-2024-27956

CRITICAL CVSS 9.90 EPSS Score 0.04 EPSS Percentile 8.19

Actively Exploited Remote Code Execution

Published: March 21, 2024

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ValvePress Automatic allows SQL Injection.This issue affects Automatic: from n/a through 3.92.0.

Quotes

• Once a WordPress site is compromised, attackers ensure the longevity of their access by creating backdoors and obfuscating the code
• Since the attacker can use their acquired high privileges to install plugins and themes to the site, we noticed that, in most of the compromised sites, the bad actors installed plugins that allowed them to upload files or edit code
• This vulnerability, a SQL injection (SQLi) flaw, poses a severe threat as attackers can exploit it to gain unauthorized access to websites, create admin‑level user accounts, upload malicious files, and potentially take full control of affected sites
• A few weeks ago a critical vulnerability was discovered in the plugin WP‑Automatic. This vulnerability, a SQL injection (SQLi) flaw, poses a severe threat as attackers can exploit it to gain unauthorized access to websites, create admin‑level user accounts, upload malicious files, and potentially take full control of affected sites

Headlines

• April 26, 2024 - Experts warn of malware campaign targeting WP-Automatic plugin
• April 26, 2024 - Critical WordPress Automatic Plugin Vulnerability Exploited to Inject Backdoors
• April 26, 2024 - Hackers Exploiting WP-Automatic Plugin Bug to Create Admin Accounts on WordPress Sites
• April 25, 2024 - WP Automatic WordPress plugin hit by millions of SQL injection attacks

CVE-2023-23397

CRITICAL CVSS 9.80 EPSS Score 92.64 EPSS Percentile 98.98

CISA Known Exploited Actively Exploited Remote Code Execution Public Exploits Available

Published: March 14, 2023

Microsoft Outlook Elevation of Privilege Vulnerability

Vendor Impacted: Microsoft

Products Impacted: 365 Apps, Office, Outlook

Quotes

• Microsoft Windows Print Spooler service contains a privilege escalation vulnerability. An attacker may modify a JavaScript constraints file and execute it with SYSTEM-level permissions
• Microsoft has observed Forest Blizzard using GooseEgg as part of post-compromise activities against targets including Ukrainian, Western European, and North American government, non-governmental, education, and transportation sector organizations
• A basic launcher application capable of spawning other applications specified at the command line with System-level permissions, enabling threat actors to perform other malicious activities such as installing a backdoor, moving laterally through compromised networks, and remotely executing code
• While a simple launcher application, GooseEgg is capable of spawning other applications specified at the command line with elevated permissions, allowing threat actors to support any follow-on objectives such as remote code execution, installing a backdoor, and moving laterally through compromised networks

Headlines

• April 24, 2024 - CISA Warns of Windows Print Spooler Flaw After Microsoft Sees Russian Exploitation
• April 23, 2024 - Russian hackers' custom tool exploits old Windows Print Spooler flaw (CVE-2022-38028)
• April 23, 2024 - Russia's Fancy Bear Pummels Windows Print Spooler Bug
• April 23, 2024 - Russian Cyberspies Deliver 'GooseEgg' Malware to Government Organizations
• April 23, 2024 - Russia's APT28 Exploited Windows Print Spooler Flaw to Deploy 'GooseEgg' Malware
• April 22, 2024 - Analyzing Forest Blizzard’s custom post-compromise tool for exploiting CVE-2022-38028 to obtain credentials |

CVE-2021-34527

HIGH CVSS 8.80 EPSS Score 96.69 EPSS Percentile 99.64

CISA Known Exploited Remote Code Execution Public Exploits Available

Published: July 2, 2021

A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

UPDATE July 7, 2021: The security update for Windows Server 2012, Windows Server 2016 and Windows 10, Version 1607 have been released. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. If you are unable to install these updates, see the FAQ and Workaround sections in this CVE for information on how to help protect your system from this vulnerability.

In addition to installing the updates, in order to secure your system, you must confirm that the following registry settings are set to 0 (zero) or are not defined (Note: These registry keys do not exist by default, and therefore are already at the secure setting.), also that your Group Policy setting are correct (see FAQ):

• HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
• NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
• UpdatePromptSettings = 0 (DWORD) or not defined (default setting)

Having NoWarningNoElevationOnInstall set to 1 makes your system vulnerable by design.

UPDATE July 6, 2021: Microsoft has completed the investigation and has released security updates to address this vulnerability. Please see the Security Updates table for the applicable update for your system. We r...
Please see the NVD entry for the full description.

Vendor Impacted: Microsoft

Products Impacted: Windows Server 2008, Windows Rt 8.1, Windows, Windows Server 2019, Windows 7, Windows 10, Windows Server 2012, Windows 8.1, Windows Server 2016

Quotes

• Microsoft Windows Print Spooler service contains a privilege escalation vulnerability. An attacker may modify a JavaScript constraints file and execute it with SYSTEM-level permissions
• A basic launcher application capable of spawning other applications specified at the command line with System-level permissions, enabling threat actors to perform other malicious activities such as installing a backdoor, moving laterally through compromised networks, and remotely executing code
• While a simple launcher application, GooseEgg is capable of spawning other applications specified at the command line with elevated permissions, allowing threat actors to support any follow-on objectives such as remote code execution, installing a backdoor, and moving laterally through compromised networks

Headlines

• April 24, 2024 - CISA Warns of Windows Print Spooler Flaw After Microsoft Sees Russian Exploitation
• April 23, 2024 - Russian Cyberspies Deliver 'GooseEgg' Malware to Government Organizations
• April 23, 2024 - Russian APT28 Group in New “GooseEgg” Hacking Campaign
• April 22, 2024 - Analyzing Forest Blizzard’s custom post-compromise tool for exploiting CVE-2022-38028 to obtain credentials |

CVE-2024-20353

HIGH CVSS 8.60 EPSS Score 1.18 EPSS Percentile 84.86

CISA Known Exploited

Published: April 24, 2024

A vulnerability in the management and VPN web servers for Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause the device to reload unexpectedly, resulting in a denial of service (DoS) condition. This vulnerability is due to incomplete error checking when parsing an HTTP header. An attacker could exploit this vulnerability by sending a crafted HTTP request to a targeted web server on a device. A successful exploit could allow the attacker to cause a DoS condition when the device reloads.

Vendor Impacted: Cisco

Products Impacted: Adaptive Security Appliance Software, Firepower Threat Defense, Adaptive Security Appliance (Asa) And Firepower Threat Defense (Ftd)

Quotes

• Further, we have identified evidence that suggests this capability was being tested and developed as early as July 2023
• Are properly patched, logging to a central, secure location, and configured to have strong multifactor authentication (MFA)
• Utilized bespoke tooling that demonstrated a clear focus on espionage and an in-depth knowledge of the devices that they targeted, hallmarks of a sophisticated state-sponsored actor
• This actor utilized bespoke tooling that demonstrated a clear focus on espionage and an in-depth knowledge of the devices that they targeted, hallmarks of a sophisticated state-sponsored actor
• On April 19, 2024, CrushFTP advised of a virtual file system escape present in their FTP software that could allows users to download system files. Falcon OverWatch and Falcon Intelligence have observed this exploit being used in the wild in a targeted fashion
• UAT4356 deployed two backdoors as components of this campaign, 'Line Runner' and 'Line Dancer,' which were used collectively to conduct malicious actions on-target, which included configuration modification, reconnaissance, network traffic capture/exfiltration and potentially lateral movement
• ArcaneDoor is a campaign that is the latest example of state-sponsored actors targeting perimeter network devices from multiple vendors. Coveted by these actors, perimeter network devices are the perfect intrusion point for espionage-focused campaigns. As a critical path for data into and out of the network, these devices need to be routinely and promptly patched; using up-to-date hardware and software versions and configurations; and be closely monitored from a security perspective

Headlines

• April 25, 2024 - CISA adds Cisco ASA and FTD and CrushFTP VFS flaws to its Known Exploited Vulnerabilities catalog
• April 25, 2024 - Cisco Zero-Days Anchor 'ArcaneDoor' Cyber Espionage Campaign
• April 25, 2024 - State-Sponsored Espionage Campaign Exploits Cisco Vulnerabilities
• April 25, 2024 - State-Sponsored Hackers Exploit Two Cisco Zero-Day Vulnerabilities for Espionage
• April 25, 2024 - CISA Added Critical Vulnerabilities in Cisco Products and CrushFTP to KEV
• April 25, 2024 - Nation-State Hackers Breach Cisco Devices in "ArcaneDoor" Espionage Campaign
• April 24, 2024 - 'Sophisticated' nation-state crew exploiting Cisco firewalls
• April 24, 2024 - Nation-state actors exploited two zero-days in ASA and FTD firewalls to breach government networks
• April 24, 2024 - Hackers backdoored Cisco ASA devices via two zero-days (CVE-2024-20353, CVE-2024-20359)
• April 24, 2024 - ArcaneDoor hackers exploit Cisco zero-days to breach govt networks
• April 24, 2024 - ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices
• April 24, 2024 - Cisco Releases Security Updates Addressing ArcaneDoor, Vulnerabilities in Cisco Firewall Platforms | CISA

CVE-2022-38028

HIGH CVSS 7.80 EPSS Score 0.05 EPSS Percentile 18.82

CISA Known Exploited Actively Exploited Remote Code Execution

Published: Oct. 11, 2022

Windows Print Spooler Elevation of Privilege Vulnerability

Vendor Impacted: Microsoft

Products Impacted: Windows Rt 8.1, Windows Server 2008, Windows, Windows Server 2019, Windows Server 2022, Windows 11, Windows 7, Windows 10, Windows Server 2012, Windows 8.1, Windows Server 2016

Quotes

• Is meant to provide additional data that is currently missing from NVD
• Microsoft Windows Print Spooler service contains a privilege escalation vulnerability. An attacker may modify a JavaScript constraints file and execute it with SYSTEM-level permissions
• Forest Blizzard has used the tool [...] to exploit the CVE-2022-38028 vulnerability in Windows Print Spooler service by modifying a JavaScript constraints file and executing it with SYSTEM-level permissions
• Microsoft has observed Forest Blizzard using GooseEgg as part of post-compromise activities against targets including Ukrainian, Western European, and North American government, non-governmental, education, and transportation sector organizations
• Since at least June 2020 and possibly as early as April 2019, Forest Blizzard has used the tool, which we refer to as GooseEgg, to exploit the CVE-2022-38028 vulnerability in Windows Print Spooler service by modifying a JavaScript constraints file and executing it with SYSTEM-level permissions
• A basic launcher application capable of spawning other applications specified at the command line with System-level permissions, enabling threat actors to perform other malicious activities such as installing a backdoor, moving laterally through compromised networks, and remotely executing code
• While a simple launcher application, GooseEgg is capable of spawning other applications specified at the command line with elevated permissions, allowing threat actors to support any follow-on objectives such as remote code execution, installing a backdoor, and moving laterally through compromised networks
• Wayzgoose.dll is a basic launcher application capable of spawning other applications specified at the command line with SYSTEM-level permissions, enabling threat actors to perform other malicious activities such as installing a backdoor, moving laterally through compromised networks, and remotely executing code

Headlines

• April 25, 2024 - The private sector probably isn’t coming to save the NVD
• April 25, 2024 - CISA adds Microsoft Windows Print Spooler flaw to its Known Exploited Vulnerabilities catalog
• April 24, 2024 - CISA Warns of Windows Print Spooler Flaw After Microsoft Sees Russian Exploitation
• April 23, 2024 - New Microsoft Incident Response guide simplifies threat investigation |
• April 23, 2024 - Russian hackers' custom tool exploits old Windows Print Spooler flaw (CVE-2022-38028)
• April 23, 2024 - Russia's Fancy Bear Pummels Windows Print Spooler Bug
• April 23, 2024 - Russian Cyberspies Deliver 'GooseEgg' Malware to Government Organizations
• April 23, 2024 - Russian APT28 Group in New “GooseEgg” Hacking Campaign
• April 23, 2024 - Russia's APT28 Exploited Windows Print Spooler Flaw to Deploy 'GooseEgg' Malware
• April 23, 2024 - Russia-Linked Hackers Exploit Windows Zero-Day, Deploy "GooseEgg" to Hijack Networks
• April 23, 2024 - Russia's Fancy Bear attacks with print spooler malware
• April 22, 2024 - Russia-linked APT28 used tool GooseEgg for to exploit Win bug
• April 22, 2024 - Microsoft: APT28 hackers exploit Windows flaw reported by NSA
• April 22, 2024 - Analyzing Forest Blizzard’s custom post-compromise tool for exploiting CVE-2022-38028 to obtain credentials |

CVE-2021-1675

HIGH CVSS 7.80 EPSS Score 96.83 EPSS Percentile 99.68

CISA Known Exploited Remote Code Execution Public Exploits Available

Published: June 8, 2021

Windows Print Spooler Remote Code Execution Vulnerability

Vendor Impacted: Microsoft

Products Impacted: Windows Server 2008, Windows Rt 8.1, Windows, Windows Server 2019, Windows 7, Windows 10, Windows Server 2012, Windows 8.1, Windows Server 2016

Quotes

• Microsoft Windows Print Spooler service contains a privilege escalation vulnerability. An attacker may modify a JavaScript constraints file and execute it with SYSTEM-level permissions
• A basic launcher application capable of spawning other applications specified at the command line with System-level permissions, enabling threat actors to perform other malicious activities such as installing a backdoor, moving laterally through compromised networks, and remotely executing code
• While a simple launcher application, GooseEgg is capable of spawning other applications specified at the command line with elevated permissions, allowing threat actors to support any follow-on objectives such as remote code execution, installing a backdoor, and moving laterally through compromised networks

Headlines

• April 24, 2024 - CISA Warns of Windows Print Spooler Flaw After Microsoft Sees Russian Exploitation
• April 23, 2024 - Russian Cyberspies Deliver 'GooseEgg' Malware to Government Organizations
• April 23, 2024 - Russian APT28 Group in New “GooseEgg” Hacking Campaign
• April 22, 2024 - Analyzing Forest Blizzard’s custom post-compromise tool for exploiting CVE-2022-38028 to obtain credentials |

CVE-2024-20359

MEDIUM CVSS 6.00 EPSS Score 1.18 EPSS Percentile 84.86

CISA Known Exploited

Published: April 24, 2024

A vulnerability in a legacy capability that allowed for the preloading of VPN clients and plug-ins and that has been available in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, local attacker to execute arbitrary code with root-level privileges. Administrator-level privileges are required to exploit this vulnerability. This vulnerability is due to improper validation of a file when it is read from system flash memory. An attacker could exploit this vulnerability by copying a crafted file to the disk0: file system of an affected device. A successful exploit could allow the attacker to execute arbitrary code on the affected device after the next reload of the device, which could alter system behavior. Because the injected code could persist across device reboots, Cisco has raised the Security Impact Rating (SIR) of this advisory from Medium to High.

Vendor Impacted: Cisco

Products Impacted: Adaptive Security Appliance Software, Firepower Threat Defense, Adaptive Security Appliance (Asa) And Firepower Threat Defense (Ftd)

Quotes

• Further, we have identified evidence that suggests this capability was being tested and developed as early as July 2023
• Are properly patched, logging to a central, secure location, and configured to have strong multifactor authentication (MFA)
• Utilized bespoke tooling that demonstrated a clear focus on espionage and an in-depth knowledge of the devices that they targeted, hallmarks of a sophisticated state-sponsored actor
• This actor utilized bespoke tooling that demonstrated a clear focus on espionage and an in-depth knowledge of the devices that they targeted, hallmarks of a sophisticated state-sponsored actor
• On April 19, 2024, CrushFTP advised of a virtual file system escape present in their FTP software that could allows users to download system files. Falcon OverWatch and Falcon Intelligence have observed this exploit being used in the wild in a targeted fashion
• UAT4356 deployed two backdoors as components of this campaign, 'Line Runner' and 'Line Dancer,' which were used collectively to conduct malicious actions on-target, which included configuration modification, reconnaissance, network traffic capture/exfiltration and potentially lateral movement
• ArcaneDoor is a campaign that is the latest example of state-sponsored actors targeting perimeter network devices from multiple vendors. Coveted by these actors, perimeter network devices are the perfect intrusion point for espionage-focused campaigns. As a critical path for data into and out of the network, these devices need to be routinely and promptly patched; using up-to-date hardware and software versions and configurations; and be closely monitored from a security perspective

Headlines

• April 25, 2024 - CISA adds Cisco ASA and FTD and CrushFTP VFS flaws to its Known Exploited Vulnerabilities catalog
• April 25, 2024 - Cisco Zero-Days Anchor 'ArcaneDoor' Cyber Espionage Campaign
• April 25, 2024 - State-Sponsored Espionage Campaign Exploits Cisco Vulnerabilities
• April 25, 2024 - State-Sponsored Hackers Exploit Two Cisco Zero-Day Vulnerabilities for Espionage
• April 25, 2024 - CISA Added Critical Vulnerabilities in Cisco Products and CrushFTP to KEV
• April 25, 2024 - Nation-State Hackers Breach Cisco Devices in "ArcaneDoor" Espionage Campaign
• April 24, 2024 - 'Sophisticated' nation-state crew exploiting Cisco firewalls
• April 24, 2024 - Nation-state actors exploited two zero-days in ASA and FTD firewalls to breach government networks
• April 24, 2024 - Hackers backdoored Cisco ASA devices via two zero-days (CVE-2024-20353, CVE-2024-20359)
• April 24, 2024 - ArcaneDoor hackers exploit Cisco zero-days to breach govt networks
• April 24, 2024 - ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices
• April 24, 2024 - Cisco Releases Security Updates Addressing ArcaneDoor, Vulnerabilities in Cisco Firewall Platforms | CISA

CVE-2024-20358

MEDIUM CVSS 6.00 EPSS Score 0.04 EPSS Percentile 8.83

Risk Context N/A

Published: April 24, 2024

A vulnerability in the Cisco Adaptive Security Appliance (ASA) restore functionality that is available in Cisco ASA Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system with root-level privileges. Administrator-level privileges are required to exploit this vulnerability. This vulnerability exists because the contents of a backup file are improperly sanitized at restore time. An attacker could exploit this vulnerability by restoring a crafted backup file to an affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying Linux operating system as root.

Quotes

• Further, we have identified evidence that suggests this capability was being tested and developed as early as July 2023
• Are properly patched, logging to a central, secure location, and configured to have strong multifactor authentication (MFA)
• Utilized bespoke tooling that demonstrated a clear focus on espionage and an in-depth knowledge of the devices that they targeted, hallmarks of a sophisticated state-sponsored actor
• UAT4356 deployed two backdoors as components of this campaign, 'Line Runner' and 'Line Dancer,' which were used collectively to conduct malicious actions on-target, which included configuration modification, reconnaissance, network traffic capture/exfiltration and potentially lateral movement

Headlines

• April 25, 2024 - Cisco Zero-Days Anchor 'ArcaneDoor' Cyber Espionage Campaign
• April 25, 2024 - State-Sponsored Hackers Exploit Two Cisco Zero-Day Vulnerabilities for Espionage
• April 24, 2024 - 'Sophisticated' nation-state crew exploiting Cisco firewalls
• April 24, 2024 - Hackers backdoored Cisco ASA devices via two zero-days (CVE-2024-20353, CVE-2024-20359)
• April 24, 2024 - Cisco Releases Security Updates Addressing ArcaneDoor, Vulnerabilities in Cisco Firewall Platforms | CISA