Malicious cyber activity impacting Cisco ASA appliances

9:00am, 25 April 2024

TLP Rating: Clear

The NCSC and CERT NZ would like to draw your attention to malicious cyber activity targeting a number of Cisco ASA virtual private network (VPN) devices used by government and critical national infrastructure networks globally.

The affected devices were compromised with malware by malicious actors who established unauthorised access through WebVPN sessions. We are aware that the targeted devices included Cisco ASA55xx series appliances with WebVPN enabled, running firmware versions 9.12 and 9.14.

Please see the following resources for more information about this activity:

Cisco Talos Advisory: ArcaneDoor: New espionage-focused campaign targets perimeter network devices
Canadian Centre for Cyber Security Advisory: Cyber Activity Impacting Cisco ASA VPNs
NCSC UK Line Dancer Malware Analysis Report: NCSC TIP Line Dancer

Recommendations:

Organisations using Cisco ASA with WebVPN enabled can follow the recommendations in the Cisco Talos blog post to search for any connections to or from their ASA devices involving the IP addresses provided. Additionally, there are three detection methods to look for evidence of the Line Runner malware on these appliances.

Other organisations can consider searching for traffic from/to the high confidence IOCs provided in the CCCS advisory.
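One way to run the connection search described in the recommendations over ASA syslog is sketched below. It is an added example, not code from the NCSC, CERT NZ or Cisco. It assumes the logs contain the ASA connection-build messages 302013 (TCP) and 302015 (UDP); the indicator list holds placeholder documentation addresses that must be replaced with the IOCs published in the advisories, and the sample log lines are constructed.

```python
import ipaddress
import re

# Placeholder indicators from RFC 5737 documentation ranges, NOT real IOCs.
# Replace with the addresses published in the Talos and CCCS advisories.
IOC_NETWORKS = [ipaddress.ip_network(n)
                for n in ("203.0.113.45/32", "198.51.100.0/28")]

# ASA "Built connection" syslog messages: 302013 (TCP) and 302015 (UDP).
BUILT_RE = re.compile(
    r"%ASA-6-30201[35]: Built (?P<dir>inbound|outbound) (?P<proto>TCP|UDP) "
    r"connection \d+ for [^:\s]+:(?P<a_ip>[0-9A-Fa-f.:]+)/(?P<a_port>\d+)"
    r"(?: \(\S+\))* to [^:\s]+:(?P<b_ip>[0-9A-Fa-f.:]+)/(?P<b_port>\d+)")

def find_ioc_connections(lines, ioc_networks=IOC_NETWORKS):
    """Return (line_no, direction, proto, ioc_ip, peer) for each matching line."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        m = BUILT_RE.search(line)
        if not m:
            continue  # teardown, VPN and other message types are ignored here
        ends = [(m["a_ip"], m["a_port"]), (m["b_ip"], m["b_port"])]
        for i, (ip_text, _) in enumerate(ends):
            try:
                ip = ipaddress.ip_address(ip_text)
            except ValueError:
                continue  # malformed address field, skip rather than crash
            # Check both endpoints: the indicator may be source or destination.
            if any(ip in net for net in ioc_networks):
                peer = "%s/%s" % ends[1 - i]
                hits.append((line_no, m["dir"], m["proto"], ip_text, peer))
    return hits

# Constructed sample log lines (not taken from a real device).
SAMPLE_LOG = [
    "Apr 25 2024 09:00:01 asa01 : %ASA-6-302013: Built inbound TCP connection 8841 for outside:203.0.113.45/51514 (203.0.113.45/51514) to identity:192.0.2.10/443 (192.0.2.10/443)",
    "Apr 25 2024 09:00:07 asa01 : %ASA-6-302013: Built outbound TCP connection 8842 for outside:198.51.100.7/443 (198.51.100.7/443) to inside:10.0.0.5/40112 (192.0.2.10/40112)",
    "Apr 25 2024 09:00:09 asa01 : %ASA-6-302015: Built outbound UDP connection 8843 for outside:192.0.2.53/53 (192.0.2.53/53) to inside:10.0.0.5/53311 (192.0.2.10/53311)",
    "Apr 25 2024 09:00:12 asa01 : %ASA-6-302014: Teardown TCP connection 8841 for outside:203.0.113.45/51514 to identity:192.0.2.10/443 duration 0:00:11 bytes 5120 TCP FINs",
]

if __name__ == "__main__":
    for hit in find_ioc_connections(SAMPLE_LOG):
        print(hit)
```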

If you identify activity of concern, contact the NCSC Incidents team on incidents@ncsc.govt.nz or 04 498 7654.