Keypoints
- Adversaries exploited Cisco ASA WebVPN (Clientless SSLVPN) on ASA55xx devices running older ASA firmware to achieve unauthorized remote code execution via crafted HTTP requests.
- Two primary implants identified: LINE RUNNER (persistent Lua-based webshell) and LINE DANCER (in-memory shellcode loader); they were used to run arbitrary code and shellcode respectively.
- LINE RUNNER executes URL-encoded Lua scripts sent via randomized HTTP GET parameters (example: GET /+CSCOE+/portal.css?…), while LINE DANCER processes base64-encoded payloads in POSTs (example: POST /CSCOSSLC/config-auth).
- Malicious actions observed include exporting device configuration text, configuring packet captures for data collection, disabling/enabling syslog to cover tracks, and modifying AAA settings to permit actor-controlled access.
- Cisco assigned CVE-2024-20359 and CVE-2024-20353 to vulnerabilities associated with this activity; patches are available in interim 9.x releases (e.g., 9.16.4.57, 9.18.4.22, 9.20.2.10).
- High-confidence malicious IPs were observed (e.g., 185.244.210[.]65, 5.183.95[.]95) and organizations are advised to review historical logs for large transfers and unexpected behavior rather than active probing.
- Recommended mitigations include applying Cisco firmware patches, disabling WebVPN on unsupported devices, enabling informational/off-device logging, and hardening VPN/edge device configurations (use IPsec, enforce SNMPv3, implement ACLs/geofencing).
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Exploited Cisco ASA WebVPN/Clientless SSLVPN to gain remote code execution (‘abusing WebVPN by transmitting malicious payloads resulting in unauthorized remote code execution on Cisco devices.’)
- [T1059] Command and Scripting Interpreter – Executed arbitrary Lua scripts on the ASA via HTTP GET requests (‘ability to run arbitrary Lua code sent via HTTP GET requests to legitimate Cisco ASA WebVPN / AnyConnect URIs.’)
- [T1505] Web Shell – Persistent webshell (LINE RUNNER) installed to accept and run attacker-supplied Lua code via web requests (‘LINE RUNNER – a persistent webshell enabling malicious actors to upload and execute arbitrary Lua scripts.’)
- [T1055] Process Injection (In-memory Execution) – LINE DANCER operated as an in-memory implant loading and executing base64-decoded shellcode payloads (‘LINE DANCER – an in-memory implant enabling malicious actors to upload and execute arbitrary shellcode payloads.’)
- [T1041] Exfiltration Over C2 Channel – Device configurations and captured packet data were moved out via web requests (‘generated text versions of the device’s configuration file so that it could be exfiltrated through web requests.’)
- [T1562] Impair Defenses – Actors enabled/disabled syslog and altered logging to obfuscate activity (‘control the enabling and disabling of the devices syslog service to obfuscate additional commands.’)
- [T1098] Account Manipulation – Modifying AAA to allow actor-controlled devices privileged access within the environment (‘modify the authentication, authorization and accounting (AAA) configuration so that specific actor-controlled devices matching a particular identification could be provided access within the impacted environment.’)
Indicators of Compromise
- [IP Address] observed malicious hosts – 185.244.210[.]65, 5.183.95[.]95, and 18 more IPs observed targeting networks (see advisory list from Dec 2023–Feb 2024).
- [CVE] associated vulnerabilities – CVE-2024-20359, CVE-2024-20353 (linked to LINE RUNNER / LINE DANCER activity and the corresponding Cisco ASA/FTD software updates).
- [HTTP URI patterns] WebVPN endpoints and payload carriers – GET /+CSCOE+/portal.css?…[lua script], POST /CSCOSSLC/config-auth with <host-scan-reply>[base64 payload]</host-scan-reply>.
- [Malware/Tool names] implants identified on devices – LINE RUNNER (Lua webshell), LINE DANCER (in-memory shellcode loader).
- [Device models / firmware] affected platforms and patched releases – Cisco ASA 55xx running ASA 9.12 / 9.14 (affected); patched interim releases e.g., 9.16.4.57, 9.18.4.22, 9.20.2.10.
Since early 2024 attackers exploited Cisco ASA WebVPN (Clientless SSLVPN) functionality to deliver and execute malicious payloads. Two implants were observed: LINE RUNNER, a persistent Lua-based webshell that accepts URL-encoded Lua code via randomized GET parameters (example pattern: GET /+CSCOE+/portal.css?rand=token&rand2=), and LINE DANCER, an in-memory shellcode loader that receives base64-encoded payloads in POST bodies (example pattern: POST /CSCOSSLC/config-auth with <host-scan-reply>[base64]</host-scan-reply>). The implants enabled arbitrary command execution, exporting of device configurations as text, configuration of packet captures for data collection, and modification of AAA and logging settings to maintain persistence and avoid detection.
Detection guidance: review historical logs and off-device syslog for unexpected large transfers, configuration export events, unexpected reboots, gaps in logging, or the ASA syslog message IDs listed in the advisory (e.g., ASA-5-111001, ASA-5-111003, ASA-5-111008; 111008 records each command a user executes, so it is the one that shows packet-capture, logging and AAA changes). Monitor for HTTP requests matching the above URI patterns and randomized query-parameter behaviour. Check network logs for connections to the known malicious IPs (e.g., 185.244.210[.]65, 5.183.95[.]95), and search for evidence of packet-capture configuration commands or sudden syslog disabling.
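The detection guidance above, turned into code as an added example (this is not code from the advisory or from Cisco). It runs three checks over constructed sample data: WebVPN requests against the two implant URI patterns, ASA 111008 "executed command" events for capture/logging/AAA changes, and timestamp gaps that suggest syslog was switched off. The tab-separated web-sensor line format, the Lua marker list, the "binary-looking base64" heuristic for host-scan-reply, and the assumption that a legitimate fetch of portal.css carries no query string are all assumptions for the example; only the two IP addresses and the URI paths come from the page.

```python
import base64
import re
from datetime import datetime, timedelta
from urllib.parse import quote, unquote

# Source addresses named in the advisory (shown defanged above).
KNOWN_BAD_IPS = {"185.244.210.65", "5.183.95.95"}
# Lua fragments a script pushed to LINE RUNNER is likely to contain (heuristic, an assumption).
LUA_MARKERS = ("function", "os.execute", "io.popen", "io.open", "load(", "dofile(")
# ASA syslog, e.g. %ASA-5-111008: User 'admin' executed the 'capture c0 interface inside' command.
SYSLOG_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)")
EXEC_RE = re.compile(r"executed the '(?P<cmd>[^']+)' command")
# Commands the advisory ties to the intrusion: packet capture, syslog toggling, AAA changes.
SUSPICIOUS_CMD = re.compile(r"^(capture |no capture |no logging |logging enable|aaa )")


def looks_like_binary_b64(blob, threshold=0.25):
    """True if blob is valid base64 whose decoded bytes are mostly non-printable.
    A legitimate host-scan-reply decodes to text; shellcode does not (heuristic)."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return False
    if not raw:
        return False
    nonprint = sum(1 for b in raw if (b < 0x20 and b not in (9, 10, 13)) or b > 0x7E)
    return nonprint / len(raw) > threshold


def analyze_web(line):
    """Constructed sensor format (assumption): ts<TAB>src<TAB>method<TAB>uri<TAB>body."""
    fields = (line.rstrip("\n").split("\t", 4) + [""] * 5)[:5]
    _ts, src, method, uri, body = fields
    path, _, query = uri.partition("?")
    hits = []
    if src in KNOWN_BAD_IPS:
        hits.append(("high", "known malicious source " + src))
    if method == "GET" and path == "/+CSCOE+/portal.css" and query:
        if any(m in unquote(query) for m in LUA_MARKERS):
            hits.append(("high", "Lua in portal.css query (LINE RUNNER pattern)"))
        else:
            # Assumption: legitimate fetches of this static file carry no query string.
            hits.append(("medium", "unexpected query string on static portal.css"))
    if method == "POST" and path == "/CSCOSSLC/config-auth":
        m = re.search(r"<host-scan-reply>([^<]*)</host-scan-reply>", body)
        if m and looks_like_binary_b64(m.group(1)):
            hits.append(("high", "binary blob in host-scan-reply (LINE DANCER pattern)"))
    return hits


def analyze_syslog(line):
    """Flag 111008 'executed command' events for capture, logging and AAA changes."""
    m = SYSLOG_RE.search(line)
    if not m or m.group("msgid") != "111008":
        return []
    e = EXEC_RE.search(m.group("text"))
    if e and SUSPICIOUS_CMD.match(e.group("cmd")):
        return [("high", "sensitive command executed: " + e.group("cmd"))]
    return []


def logging_gaps(lines, max_gap=timedelta(hours=1)):
    """Return (start, end) pairs where consecutive syslog timestamps are further apart
    than max_gap; a device that goes silent mid-day is what 'no logging enable' looks like."""
    stamps = [datetime.fromisoformat(l.split(" ", 1)[0].replace("Z", "+00:00")) for l in lines]
    return [(a, b) for a, b in zip(stamps, stamps[1:]) if b - a > max_gap]


# --- Constructed sample input (not real traffic or logs) ---
LUA = "function run() return io.popen('show running-config'):read('*a') end"
BENIGN_B64 = base64.b64encode(b"<config-auth>ok</config-auth>").decode()
BLOB_B64 = base64.b64encode(b"\x90" * 16 + b"\xcc").decode()  # placeholder bytes, not shellcode
WEB_LINES = [
    "2024-01-15T10:20:00Z\t203.0.113.10\tGET\t/+CSCOE+/logon.html\t",
    "2024-01-15T10:21:00Z\t185.244.210.65\tGET\t/+CSCOE+/portal.css?kq7x=" + quote(LUA) + "\t",
    "2024-01-15T10:22:00Z\t198.51.100.7\tPOST\t/CSCOSSLC/config-auth\t<host-scan-reply>" + BENIGN_B64 + "</host-scan-reply>",
    "2024-01-15T10:23:00Z\t5.183.95.95\tPOST\t/CSCOSSLC/config-auth\t<host-scan-reply>" + BLOB_B64 + "</host-scan-reply>",
]
SYSLOG_LINES = [
    "2024-01-15T10:25:00Z asa-edge %ASA-5-111008: User 'admin' executed the 'show version' command.",
    "2024-01-15T10:26:00Z asa-edge %ASA-5-111008: User 'admin' executed the 'capture c0 interface inside' command.",
    "2024-01-15T10:27:00Z asa-edge %ASA-5-111008: User 'admin' executed the 'no logging enable' command.",
    "2024-01-15T16:40:00Z asa-edge %ASA-5-111008: User 'admin' executed the 'logging enable' command.",
]

if __name__ == "__main__":
    for l in WEB_LINES:
        for sev, why in analyze_web(l):
            print("web   ", sev, why)
    for l in SYSLOG_LINES:
        for sev, why in analyze_syslog(l):
            print("syslog", sev, why)
    for a, b in logging_gaps(SYSLOG_LINES):
        print("gap   ", a, "->", b)
```

The host-scan-reply check deliberately does not flag every POST to /CSCOSSLC/config-auth, because AnyConnect clients use that endpoint legitimately; it only fires when the embedded base64 decodes to something that is not text. Tune the thresholds and the Lua marker list against your own baseline before relying on them, and remember that a gap in syslog is only visible if the collector is off-device.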
Remediation and hardening: apply Cisco interim firmware that contains fixes for the reported vulnerabilities (see CVE-2024-20359 and CVE-2024-20353) and follow Cisco’s update procedure to retrieve the appropriate interim 9.x releases. If devices cannot be updated, disable WebVPN or decommission unsupported equipment. Enable informational logging with off-device retention, enforce secure remote access (prefer IPsec over SSL/TLS for VPN), use SNMPv3, restrict external access via ACLs/geofencing, minimize shared account privileges, and utilize centralized detection (SIEM) to identify the described TTPs and indicators.
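The logging, SNMPv3 and management-access points in the hardening list above can be checked mechanically against a running-config export. The following is an added example, not code from the advisory or from Cisco: a small audit over ASA configuration text, run here against two constructed configs, one weak and one hardened. The command syntax used is standard ASA CLI (`logging enable`, `logging trap <level>`, `logging host`, `snmp-server host ... version 3 <user>`, `http`/`ssh <ip> <mask> <iface>`, and `enable <iface>` under `webvpn`); the rule set, severities and the sample configs are assumptions for the example.

```python
import re

# ASA syslog severity names in numeric order (0..7).
LEVELS = ["emergencies", "alerts", "critical", "errors",
          "warnings", "notifications", "informational", "debugging"]


def level_num(token):
    """'informational' -> 6, '6' -> 6."""
    return int(token) if token.isdigit() else LEVELS.index(token)


def parse_asa_config(text):
    """Return (top-level lines, lines under 'webvpn'). ASA indents sub-mode lines by one space."""
    top, webvpn, in_webvpn = [], [], False
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if in_webvpn:
                webvpn.append(raw.strip())
            continue
        line = raw.strip()
        in_webvpn = (line == "webvpn")
        top.append(line)
    return top, webvpn


def audit_asa_config(text):
    """Return (severity, message) findings for the hardening items in the advisory."""
    top, webvpn = parse_asa_config(text)
    f = []
    if "logging enable" not in top:
        f.append(("high", "syslog is off: add 'logging enable'"))
    if "logging timestamp" not in top:
        f.append(("low", "syslog lines lack timestamps: add 'logging timestamp'"))
    trap = next((l for l in top if l.startswith("logging trap ")), None)
    if trap is None or level_num(trap.split()[2]) < LEVELS.index("informational"):
        f.append(("medium", "syslog trap level below informational: set 'logging trap informational'"))
    if not any(l.startswith("logging host ") for l in top):
        f.append(("high", "no off-device syslog collector: add 'logging host <iface> <ip>'"))
    for l in top:
        if l.startswith("snmp-server host ") and " version 3 " not in l:
            f.append(("medium", "SNMP v1/v2c trap/poll host: " + l))
        if l.startswith("snmp-server community "):
            f.append(("medium", "SNMP v1/v2c community configured; remove it and use SNMPv3"))
        m = re.match(r"(http|ssh) 0\.0\.0\.0 0\.0\.0\.0 (\S+)", l)
        if m:
            f.append(("high", "%s management open to any source on %s; restrict to admin prefixes" % m.groups()))
    for l in webvpn:
        if l.startswith("enable "):
            f.append(("info", "WebVPN enabled on %s: patch, or disable it if the device cannot be updated" % l.split()[1]))
    return f


# --- Constructed sample configs (not from any real device) ---
WEAK = """\
hostname asa-edge
logging buffered warnings
snmp-server host inside 10.0.0.60 community public version 2c
snmp-server community public
http 0.0.0.0 0.0.0.0 outside
webvpn
 enable outside
 anyconnect enable
"""

HARDENED = """\
hostname asa-edge
logging enable
logging timestamp
logging trap informational
logging host inside 10.0.0.50
snmp-server group SNMPV3 v3 priv
snmp-server user monitor SNMPV3 v3 auth sha AuthPass123 priv aes 128 PrivPass123
snmp-server host inside 10.0.0.60 version 3 monitor
http 10.0.0.0 255.255.255.0 inside
webvpn
 enable outside
 anyconnect enable
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print("==", name)
        for sev, msg in audit_asa_config(cfg):
            print(" ", sev.ljust(6), msg)
```

The hardened config still reports one informational finding, because WebVPN itself is not a misconfiguration; the advisory's guidance is to patch, and to disable WebVPN only where the device cannot be updated. Geofencing and per-interface ACLs are not checked here because their correct form depends on the environment.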
Read more: https://www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns