UK NCSC: Attackers Used Cisco Firewall Zero-Days to Deploy RayInitiator and LINE VIPER Malware
Critical Cisco Firewall Zero-Days Exploited to Deploy Advanced Malware
In a significant cybersecurity development, sophisticated threat actors have been exploiting multiple zero-day vulnerabilities in Cisco firewalls to deploy custom malware against government and critical infrastructure networks. This campaign highlights the growing trend of attackers targeting edge devices—the very hardware designed to protect network perimeters.
The attacks leverage critical flaws in Cisco’s Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. By exploiting these previously unknown vulnerabilities, attackers can gain a powerful foothold within a target’s network, bypassing security controls and deploying malicious payloads without detection.
The Attack Chain: From Vulnerability to Full Control
Security researchers have uncovered a multi-stage attack that demonstrates a high level of planning and technical skill. The campaign specifically targets devices that were not configured for regular updates or were running older, unsupported software versions.
The primary vulnerabilities exploited are:
- CVE-2024-20353: A remote code execution flaw that allows an attacker to run arbitrary commands on the device.
- CVE-2024-20359: An issue that allows for a persistent local exploit, enabling the malware to survive system reboots.
- CVE-2024-20358: A file access vulnerability used to retrieve device configurations and credentials.
Attackers use these vulnerabilities in sequence. First, they gain initial access to the firewall. Then, they escalate privileges and disable security features, allowing them to install custom malware. This effectively turns a trusted security appliance into a malicious insider on the network.
Meet the Malware: RayInitiator and LINE VIPER
Once the Cisco device is compromised, the attackers deploy two distinct pieces of custom malware designed to maintain long-term access and control.
RayInitiator: This malware acts as a first-stage loader or “initiator.” Its primary job is to establish a covert presence on the firewall and prepare the system for the main payload. RayInitiator is engineered for stealth, modifying the device’s boot process to ensure it runs before legitimate Cisco software loads. This allows it to evade integrity checks and other security measures.
LINE VIPER: Following the successful deployment of RayInitiator, the attackers install LINE VIPER, a sophisticated backdoor. This malware provides the attackers with persistent, remote access to the compromised device and, by extension, the internal network. LINE VIPER’s capabilities include executing arbitrary commands, exfiltrating sensitive data, and moving laterally across the network. It operates discreetly, making detection extremely difficult for standard security tools.
The use of these two custom implants shows a clear intent by the threat actors to conduct long-term espionage and data theft operations.
Who is at Risk?
This campaign primarily targets government entities, critical infrastructure operators, and technology service providers. However, any organization using unpatched Cisco ASA or FTD appliances is a potential target. The attackers are actively scanning for vulnerable devices on the internet, making this a widespread and urgent threat. Gaining control of a core firewall gives an adversary unparalleled access to an organization’s most sensitive data and systems.
Actionable Security Measures: How to Protect Your Network
Protecting against this advanced threat requires immediate and proactive measures. Administrators of Cisco ASA and FTD devices should take the following steps without delay:
- Patch Immediately: The most critical action is to apply the security patches released by Cisco to address these vulnerabilities. Prioritize patching for all internet-facing devices.
- Hunt for Indicators of Compromise (IoCs): Do not assume your devices are clean. Actively search for signs of a breach, including unauthorized configuration changes, suspicious outbound network connections, and unfamiliar files or processes. Security teams should analyze system logs and memory for any anomalies consistent with this attack.
- Review Device Configurations: Scrutinize your firewall configurations for any unauthorized user accounts, access rules, or VPN settings. Attackers often create their own access methods to maintain persistence even after the initial vulnerability is patched.
- Implement Robust Monitoring: Enhance network monitoring to detect unusual traffic patterns originating from your firewalls. Since LINE VIPER communicates with an external command-and-control server, monitoring outbound connections can help identify a compromised device.
- Upgrade Unsupported Hardware: If you are running legacy hardware that no longer receives security updates, it is imperative to upgrade to a supported model immediately. Unsupported devices are a permanent, unfixable security risk.
This campaign is a stark reminder that even enterprise-grade security appliances can become a gateway for attackers if not properly maintained. Vigilance, proactive patch management, and threat hunting are essential components of a modern defense strategy.
Source: https://securityaffairs.com/182639/hacking/uk-ncsc-warns-that-attackers-exploited-cisco-firewall-zero-days-to-deploy-rayinitiator-and-line-viper-malware.html
