Malicious cyber activity impacting Cisco ASA appliances

The NCSC and CERT NZ would like to draw your attention to malicious cyber activity targeting a number of Cisco ASA virtual private network (VPN) devices used by government and critical national infrastructure networks globally.

These affected devices were compromised with malware by malicious actors who established unauthorised access through WebVPN sessions. We are aware the targeted devices included Cisco ASA55xx series with WebVPN enabled running firmware versions 9.12 and 9.14.

Please see the following resources for more information about this activity:

Recommendations:

  • Organisations using Cisco ASA with WebVPN enabled can follow the recommendations in the Cisco Talos blog post to search for any connections from/to ASA devices from the IP addresses provided. Additionally, there are three detection methods to look for evidence of the Line Runner malware on these appliances.
  • Other organisations can consider searching for traffic from/to the high confidence IOCs provided in the CCCS advisory.

If you identify activity of concern, contact the NCSC Incidents team on incidents@ncsc.govt.nz or 04 498 7654.