{
	"id": "9efa7e44-6c69-4880-ba4f-13e9896a31db",
	"created_at": "2026-04-06T00:13:18.095248Z",
	"updated_at": "2026-04-10T03:28:05.5075Z",
	"deleted_at": null,
	"sha1_hash": "f9649d523da9d297628d46ca468a9dd7260c151a",
	"title": "Cyber Activity Impacting CISCO ASA VPNs - Canadian Centre for Cyber Security",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 71251,
	"plain_text": "Cyber Activity Impacting CISCO ASA VPNs - Canadian Centre\r\nfor Cyber Security\r\nArchived: 2026-04-05 22:30:45 UTC\r\nForeword\r\nThis cyber security advisory is intended for IT professionals and managers within government and all sectors.\r\nEffective Date\r\nThis publication takes effect on April 24, 2024\r\nRevision History\r\n1. First release. April 24, 2024\r\n1 Background\r\nSince early 2024, the Canadian Centre for Cyber Security (Cyber Centre), the Australian Signals Directorate's\r\nAustralian Cyber Security Centre and the UK's National Cyber Security Centre (NCSC) have been evaluating\r\nongoing malicious cyber activity targeting virtual private network (VPN) services used by government and critical national\r\ninfrastructure networks globally. The capabilities are indicative of espionage conducted by a well-resourced and\r\nsophisticated state-sponsored actor. 
There are no indicators suggesting that this threat activity is currently being\r\nused to preposition for disruptive or destructive computer network attack.\r\nThe sophistication demonstrated by the threat actors’ use of multiple layers of novel techniques and the concurrent\r\noperations against multiple targets around the world is cause for concern to the authoring agencies. Since VPN\r\nservices are essential components of computer network security, vulnerabilities in such services are particularly\r\nconsequential and a public disclosure of critical vulnerabilities can enable their use by a wide variety of threat\r\nactors. We emphasize the need to patch devices quickly and to have a comprehensive defense-in-depth strategy,\r\nsuch as applying the recommendations in this Security Advisory.\r\nThe authoring agencies can report that the affected products are predominantly CISCO ASA devices, series ASA55xx,\r\nrunning firmware ASA versions 9.12 and 9.14. These affected products have been compromised by malicious\r\nactors who successfully established unauthorized access through WebVPN sessions, commonly associated with\r\nClientless SSLVPN services.\r\nhttps://www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns\r\nPage 1 of 7\n\nThe authoring agencies performed analysis that showed malicious actors abusing WebVPN by transmitting\r\nmalicious payloads resulting in unauthorized remote code execution on Cisco devices. These commands include,\r\nbut are not limited to, the configuration of packet capture sessions on the devices to collect and exfiltrate data. The\r\nauthoring agencies continue to work closely with the vendor to better understand this novel method of\r\ncompromise
.\r\n2 Artifacts\r\nDetailed below are two samples of observed activity outlining communications between the malicious actors and\r\nthe targeted devices. These samples are commands that directed the devices to perform specific actions which\r\nresulted in the exfiltration of device configurations, the configuration of network captures, and data exfiltration.\r\nThe authoring agencies have identified these commands as two malware components related to the malicious activity targeting Cisco ASA devices\r\nas:\r\nLINE RUNNER - a persistent webshell enabling malicious actors to upload and execute arbitrary Lua\r\nscripts.\r\nLINE DANCER - an in-memory implant enabling malicious actors to upload and execute arbitrary\r\nshellcode payloads.\r\nThe authoring agencies believe these components are related due to the transient use of shared actor-created\r\nresources on an impacted device.\r\nIt is suspected that LINE RUNNER may be present on a compromised device even if LINE DANCER is not (e.g.\r\nas a persistent backdoor, or where an impacted ASA has\r\nnot yet received full operational attention from the malicious actors). As such, any previous detection\r\nwork for LINE DANCER with negative findings does not imply that LINE RUNNER is not present.\r\n2.1 HTTP Requests (LINE RUNNER)\r\nLINE RUNNER is a persistent Lua-based webshell targeting the Cisco Adaptive Security Appliance (ASA)\r\nWebVPN device customization functionality. 
LINE RUNNER implements multiple defense evasion techniques to\r\navoid detection and prevent recovery via forensics. LINE RUNNER offers the ability to run arbitrary Lua code\r\nsent via HTTP GET requests to legitimate Cisco ASA WebVPN / AnyConnect URIs. E.g.:\r\nGET /+CSCOE+/portal.css?\u003caaa\u003e=\u003ctoken\u003e\u0026\u003cbbb\u003e=\u003clua_script\u003e\r\nWhere:\r\n\u003caaa\u003e is a randomized query parameter key name.\r\n\u003ctoken\u003e is a randomized value, checked by the webshell (i.e., auth).\r\n\u003cbbb\u003e is a randomized query parameter key name.\r\n\u003clua_script\u003e is the URL-encoded Lua commands to execute.\r\nThe use of randomized query parameters prevents mass scanning of potentially impacted ASAs. It is assumed the\r\nvalues in the GET requests are victim specific, but this is yet to be confirmed.\r\n2.2 HTTP Request and Response (LINE DANCER)\r\nLINE DANCER is a persistent Lua-based shellcode loader, which is a component of a larger framework. This\r\nshellcode loader would process malicious payloads that execute system commands. LINE DANCER offers the\r\nability to run shellcode payloads -- these are base64-decoded and only run when prepended by a fixed 32-byte\r\nvalue, which differs between victims. Provided below is an example of HTTP POST requests to Cisco ASA\r\nWebVPN / AnyConnect URIs. 
E.g.:\r\nPOST /CSCOSSLC/config-auth HTTP/1.1\r\n…\r\n\u003chost-scan-reply\u003e[base64-encoded payloads]\u003c/host-scan-reply\u003e\r\nTo further aid in detection and remediation options for organizations, the authoring agencies are providing\r\nadditional examples of activity undertaken by the malicious actors:\r\nThe malicious actors generated text versions of the device’s configuration file so that it could be exfiltrated\r\nthrough web requests.\r\nThe malicious actors were able to control the enabling and disabling of the device’s syslog service to\r\nobfuscate additional commands.\r\nThe malicious actors were able to modify the authentication, authorization and accounting (AAA)\r\nconfiguration so that specific actor-controlled devices matching a particular identification could be\r\nprovided access within the impacted environment.\r\nCisco has assigned the following CVEs as being associated with LINE RUNNER Footnote 10 and LINE DANCER\r\nFootnote 11 activity:\r\nCVE-2024-20359 - Cisco Adaptive Security Appliance and Firepower Threat Defense Software Persistent\r\nLocal Code Execution Vulnerability\r\nCVE-2024-20353 - Cisco Adaptive Security Appliance and Firepower Threat Defense Software Web\r\nServices Denial of Service Vulnerability\r\nAdditional information on these vulnerabilities can be found by visiting the Cisco Security Advisories\r\nportal Footnote 7 Footnote 8 and the Cisco Talos Blog Footnote 9.\r\n3 Indicators of Compromise\r\n3.1 IP Addresses\r\nThe authoring agencies have observed the following malicious IP addresses targeting networks. The below can be\r\nconsidered high confidence indicators of malicious activity, and organizations are reminded not to probe the\r\nprovided IP addresses, but instead to check historical network logs, specifically for large volumes of data being\r\ntransferred. 
Particular attention should be given if these IP addresses were observed between December 2023 and\r\nFebruary 2024:\r\n185.244.210[.]65\r\n5.183.95[.]95\r\n213.156.138[.]77\r\n45.77.54[.]14\r\n45.77.52[.]253\r\n45.63.119[.]131\r\n194.32.78[.]183\r\n185.244.210[.]120\r\n216.238.81[.]149\r\n216.238.85[.]220\r\n216.238.74[.]95\r\n45.128.134[.]189\r\n176.31.18[.]153\r\n216.238.72[.]201\r\n216.238.71[.]49\r\n216.238.66[.]251\r\n216.238.86[.]24\r\n216.238.75[.]155\r\n154.39.142[.]47\r\n139.162.135[.]12\r\n4 Recommended Actions\r\nCisco made the authoring agencies aware that recent firmware versions contained patches to aid in the mitigation\r\nof this activity. The patched firmware addresses techniques that had allowed malicious actors to gain\r\npersistence during the compromise. Organizations are encouraged to monitor future articles and firmware updates\r\nfrom Cisco and apply necessary patches when available.\r\nPatches are currently available for download from Cisco’s website Footnote 5, which can be accessed via a valid\r\nCisco account and active Cisco support contract for ASA devices. Organizations are encouraged to update to the\r\nlatest patch versions, which would contain the relevant fixes associated with this activity and other updates\r\navailable for the device. 
As of this publication the most recent versions available are:\r\n9.16.4.57\r\n9.18.4.22\r\n9.20.2.10\r\n4.1 Update instructions for supported devices\r\nCisco provided the following instructions on the update process.\r\nVisit Cisco’s Software Download Centre\r\nClick on Browse All\r\nChoose Security \u003e Firewalls.\r\nDepending on the desired hardware platform, choose 3000 Series Industrial Security Appliances (ISA),\r\nAdaptive Security Appliances (ASA), or Next-Generation Firewalls (NGFW).\r\nChoose a specific product from the right pane of the product selector (depending on the exact hardware\r\nplatform you may need to repeat this step).\r\nChoose Adaptive Security Appliance (ASA) Software.\r\nNavigate to All Release \u003e Interim \u003e 9 \u003e 9.x.y Interim (example: 9.18.4 Interim). Note: Navigating to\r\n“Interim” within the steps listed above is important, otherwise you will not find the appropriate releases.\r\n4.2 Update instructions for unsupported devices\r\nFor all unsupported devices that have entered End of Life (EoL), organizations are encouraged to contact\r\nCisco to discuss alternative solutions. The authoring agencies wish to remind organizations of the\r\nimportance of device lifecycle management. Using outdated software or hardware limits a manufacturer\r\nfrom providing security patches.\r\nFor further guidance, contact your support organization. If that is the Cisco TAC, visit the Cisco support\r\npage or call 800-553-2447 (US/Canada) to open a case with “ARCANEDOOR” as the reference\r\ncode. International phone support numbers can be found on Cisco’s website.\r\n4.3 Heightened detection recommendation\r\nThe authoring agencies recommend the following actions for organizations to better protect themselves and to aid\r\nin the detection of malicious activity:\r\n1. 
Upgrade devices running vulnerable firmware to a version that includes relevant fixes. Running the most\r\nrecent firmware ensures that devices are best protected against newly discovered vulnerabilities.\r\n2. If an upgrade path to the new firmware is not available, decommission the device or ensure that WebVPN\r\nservices have been disabled.\r\n3. Ensure proper hardware and software lifecycle management to benefit from vendor support and security\r\nupdates.\r\n4. As of September 30, 2019, Cisco has discontinued support for WebVPN Footnote 6. If still in use,\r\norganizations are encouraged to plan on the migration of remote access connectivity to a supported\r\ntechnology.\r\n5. Organizations are encouraged to review logs to filter for any unknown, unexpected, or unauthorized access\r\nor changes to devices. Organizations should also monitor for unexpected activity such as unexpected\r\nreboots, large transfers to unknown IP addresses and gaps in logging, which may indicate the disabling of\r\nlogging services.\r\n6. Enable ‘informational’ logging on all Cisco ASA devices Footnote 1.\r\n7. Ensure that off-device logging is sufficient to support historical analysis, particularly if the syslog severity\r\nlogging is increased.\r\n8. 
Validate with administrators if any of the alert codes below are observed to review for potential malicious\r\nactivity.\r\nASA Code Descriptions\r\nASA-4-106103 access-list acl_ID denied protocol for user username\r\nASA-4-109027 [aaa protocol] Unable to decipher response message\r\nASA-4-113019 Session disconnected.\r\nASA-4-315009 SSH: connection timed out\r\nASA-4-717037 Tunnel group search using certificate maps failed for peer certificate\r\nASA-4-722041 No IPv6 address available for SVC connection\r\nASA-4-768003 SSH: connection timed out\r\nASA-5-111001 Begin configuration: IP_address writing to device\r\nASA-5-111003 IP_address Erase configuration\r\nASA-5-111008 User user executed the command string\r\nASA-5-212009 Configuration request for SNMP group groupname failed.\r\nASA-5-718072 Becoming master of Load Balancing in context\r\nASA-5-734002 Connection terminated by the following DAP records\r\nASA-5-8300006 Cluster topology change detected. VPN session redistribution aborted\r\nASA-6-113015 AAA user authentication Rejected\r\nASA-7-734003 DAP: User name, Addr ipaddr: Session Attribute: attr name/value\r\n4.4 Hardening Recommendations\r\nThe following hardening recommendations will impact the malicious actor’s ability to conduct malicious activity\r\nbased on observed tactics, techniques, and procedures (TTPs):\r\n1. Disable or restrict internal unencrypted traffic through gateway devices, including Server Message Block\r\n(SMB) traffic. SMB 3.0 or higher can be configured to use encryption. Earlier versions of SMB should not\r\nbe used.\r\n2. Enable strong SNMPv3 access and deprecate SNMPv2.\r\n3. Accounts and credentials used on edge devices and integrated into internal systems, such as Active\r\nDirectory, could be exploited by malicious actors. 
These shared accounts should have the minimum\r\nnecessary privileges to reduce a malicious actor’s ability to compromise other services. These accounts\r\nshould be closely monitored to identify any deviations from expected behaviour.\r\n4. Based on the observed TTPs, the authoring agencies recommend enforcing the use of Internet Protocol\r\nSecurity (IPsec) rather than Secure Socket Layer/Transport Layer Security (SSL/TLS) for VPN\r\nconnectivity. Organizations should consider configuring all services to block public access to the SSL\r\ncomponents of the ASA device Footnote 2 Footnote 3.\r\n5. If Secure Socket Layer/Transport Layer Security (SSL/TLS) for VPN, or other external facing services\r\nsuch as Secure Shell (SSH), are required, organizations should use the latest secure protocols with\r\nrecommended cipher suites and hardening recommendations provided by the Cyber Centre through\r\nITSP.40.062 Footnote 4.\r\n6. Where feasible, utilize Access Control Lists (ACLs) to block external access to the VPN device from\r\nknown malicious IP addresses. ACLs can also be configured to only permit access from countries from\r\nwhich remote users are expected to connect; a process known as “Geofencing”.\r\n7. Utilize threat detection techniques, centralized log collection, security information and event management\r\nand adequate alerting / reporting.\r\nSource: https://www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns"
	],
	"report_names": [
		"cyber-activity-impacting-cisco-asa-vpns"
	],
	"threat_actors": [
		{
			"id": "09b4b3f5-e9f4-4209-982a-51d90078ff18",
			"created_at": "2024-04-27T02:00:03.545351Z",
			"updated_at": "2026-04-10T02:00:03.635129Z",
			"deleted_at": null,
			"main_name": "ArcaneDoor",
			"aliases": [],
			"source_name": "MISPGALAXY:ArcaneDoor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434398,
	"ts_updated_at": 1775791685,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f9649d523da9d297628d46ca468a9dd7260c151a.pdf",
		"text": "https://archive.orkl.eu/f9649d523da9d297628d46ca468a9dd7260c151a.txt",
		"img": "https://archive.orkl.eu/f9649d523da9d297628d46ca468a9dd7260c151a.jpg"
	}
}