Hackers backdoored Cisco ASA devices via two zero-days (CVE-2024-20353, CVE-2024-20359)

1. Upgrade your Cisco ASA to the below versions: (Depend on your Cisco ASA support which version)
   9.16.4.57
   9.18.4.22
   9.20.2.10
2. Check your firewall log or SIEM to see if there are any IOC IP hit your log.
   
   

For more detail of the IOC, please check:

https://www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns

Check your Cisco ASA compatibility:

https://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asamatrx.html

Reference:

https://www.helpnetsecurity.com/2024/04/24/cve-2024-20353-cve-2024-20359/

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-websrvs-dos-X8gNucD2?s=08

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-persist-rce-FLsNXF4h

H3C firewall SSL weak cipher

Nessus vulnerability scan report about H3C firewall SSL weak cipher 

Go to "Objects" -> "SSL" -> "SSL Server Policies"

You will found that even you select "TLS 1.2" and Cipher suites "High level":

SSL_RSA_with_AES_128_CBC_SHA

SSL_RSA_with_AES_256_CBC_SHA

You still false in the security scanning report and it will show weak cipher.

Solution:

Use the following 4 Cipher:

 

https://www.tenable.com/plugins/nessus/156899 

After change the cipher under firewall GUI, then SSH to the firewall

 

> system-view

 

] undo ip https enable

 

] ip https enable

 

] save force

 

] exit

 

>

 

H3C Firewall Change admin portal certificate

1. Go to H3C Firewall -> SSL -> SSL Server Policies to create a new Policy e.g. "abc_2024-2026"

2. Create a PKI Domain for new cert installation

3. Go to PKI -> Certificate -> Import 2 CA cert and 1 local cert

CA to provide TWO CA cert (.cer) (When install second CA, just ignore the cert will be replace warning) and One local cert (.pfx) (RSA 2048) (This local cert need to includ private key and also ignore the cert will be replace warning)

4. SSH to the firewall 

 > show current-configuration (Enable logging on putty before run this command) 

 > system-view ] undo ip https enable 

 ] ip https ssl-server-policy <New Policy Name which is you create at step1> 

 ] ip https enable 

 ] save force 

 ] exit 

 >

Install certificates on Symantec Messaging Gateway (SMG)

Error: No stored certificate request matches this certificate.

Manage certificates for your system. The TLS certificate is used by MTAs in each Scanner appliance; the Control Center uses the HTTPS certificate for secure Web management; Domain keys are used for DomainKeys Identified Mail (DKIM) signing of outbound mail.

Solution: SMG will not install a certificate without either:

• the private key included in the PEM file
• a CSR that already exists in the SMG

Reference: https://knowledge.broadcom.com/external/article?legacyId=TECH154806

https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?GroupId=4093&MessageKey=e3c1d68d-6d91-4677-a3ee-f2f4c27a1e5b&CommunityKey=bba1e9dc-0c56-4fb5-9e3d-ef7f0d79b7ee

Free TI feed - rules.emergingthreats.net

The bad IP from emergingthreats:

https://rules.emergingthreats.net/blockrules/compromised-ips.txt

Oracle JRE and JDK replacement

Azul Zulu OpenJDK 11 is a good choice.
If your computer does not have any existing Java SE installed, it is suggested that you can download and install Azul Zulu OpenJDK 11 from the Zulu Community 
Java 8, 11, 17, 21, 22 Download for Linux, Windows and macOS (azul.com)

The 2 amber lights followed by 4 white lights on a DELL Latitude Laptop

1. Reseat the Original Memory: If applicable to your model, reseat the original memory module in the system. Sometimes, reseating the RAM can resolve the issue.

2. Check for Damaged RAM: If reseating the RAM doesn't work, consider checking for any visible damage to the RAM sticks. If they appear damaged, you may need to replace them.

3. Firmware Updates: Ensure that your system's firmware (BIOS) is up to date. Sometimes, updating the firmware can resolve hardware-related issues.

https://www.dell.com/community/en/conversations/latitude/latitude-7480-2-amber-lights-4-white-lights/647f7c0bf4ccf8a8dea5acf2

Fortinet SSL VPN - SSL Certificate expired and you need to bypass tempoarilty

Configure SSL VPN to Not Require Certificates

Go to VPN > SSL > Settings > and un-check Require Client Certificate.

Broadcom SMG - Upgrade to SGOS and Advanced Secure Gateway 7.3.19.1

Upgrade to SGOS and Advanced Secure Gateway 7.3.19.1

Support Content Notification - Support Portal - Broadcom support portal 

Due to there are bug - https://knowledge.broadcom.com/external/article/280948/edge-swg-proxysg-appliance-stalls-or-onl.html Upgrade to a version of SGOS that has a fix for this issue. The first releases to have the fix is 7.3.14.5 and 7.3.19.1 and later.

Use Symantec Endpoint Protection to run the YARA rules to scan Linux servers for CVE-2024-3094

Use SEP to run the YARA rules to scan Linux servers for CVE-2024-3094

https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/Using-policies-to-manage-security/preventing-and-handling-virus-and-spyware-attacks-v40739565-d49e172/scanning-the-SEP-client-computer-using-custom-YARA-rules.html

Yara rule for CVE-2024-3094

https://github.com/Neo23x0/signature-base/blob/master/yara/bkdr_xz_util_cve_2024_3094.yar

Reference:

https://www.kaspersky.com/blog/cve-2024-3094-vulnerability-backdoor/50873/