Executive Summary: In late Q1 2025, a China-linked advanced persistent threat (APT) group—tracked as “Earth Longhorn” by Oracle-42 Intelligence—began exploiting a critical zero-day vulnerability, CVE-2025-44487, in Cisco Adaptive Security Appliance (ASA) Next-Generation Firewalls (NGFW). The flaw, a remote code execution (RCE) issue in the SSL VPN module, was weaponized to establish covert DNS-over-HTTPS (DoH) exfiltration tunnels. These tunnels enabled sustained data exfiltration from high-value targets across sectors including government, defense, and critical infrastructure. This operation, codenamed Silent Anchor, demonstrates a strategic shift toward leveraging legacy enterprise security devices as covert command-and-control (C2) and data exfiltration gateways. This report provides a technical dissection of the attack chain, IOCs, and actionable mitigation strategies.
The vulnerability resides in the sslvpn_webvpn component of Cisco ASA firmware versions 9.16 and 9.18, specifically in the handling of malformed HTTP requests during authentication. An attacker can send a crafted HTTP POST request with oversized headers or malformed session tokens, triggering a heap overflow in the SSL VPN session manager. This leads to arbitrary code execution in the context of the webvpn process (root privileges).
Notably, the flaw bypasses authentication due to incorrect state validation in the pre-authentication flow—a classic race condition between session creation and token validation. Once exploited, the shellcode injects a memory-resident dropper that persists across reboots via a hidden cron job disguised as a system update.
The intrusion begins with opportunistic scanning of exposed ASA appliances on port 443/TCP using the ZMap toolkit. Once a vulnerable instance is identified, the threat actor deploys an obfuscated Python script that exploits CVE-2025-44487 to write a small ELF loader into /tmp. The loader fetches the primary payload—a Golang-based implant named silentcore—via HTTPS from a compromised WordPress site using steganography (PNG headers).
silentcore performs the following:
- logrotate manipulation
- iptables to allow outbound UDP/443 to legitimate DoH resolvers
- cloudflared binary repurposed as a proxy
Data is pre-compressed using Zstandard and base64-encoded within the DNS label field. The actor uses a custom domain generation algorithm (DGA) seeded with the current month and year (e.g., a12345-2025-04.lookup.cloudflare.com), making detection via static IOCs difficult.
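As an added example (not code from the report or from any vendor tooling), the following detector scores constructed DoH proxy records for the tunnel shape described above: query names matching the month/year-seeded DGA pattern generalized to any YYYY-MM, long high-entropy base64 labels carrying compressed data, and non-browser user agents talking to 1.1.1.1 as listed in the detection guidance later in the report. The record layout ("src dst user-agent qname"), the sample values and the entropy threshold are assumptions.

```python
import math
import re
from collections import Counter

# Constructed sample DoH proxy records (not from the report): "src dst user-agent qname".
# The second record's leading label base64url-encodes a chunk starting with the
# Zstandard frame magic (28 B5 2F FD -> "KLUv_Q"), mimicking pre-compressed exfil data.
SAMPLE_LOGS = [
    "10.0.0.5 1.1.1.1 curl/7.81.0 a12345-2025-04.lookup.cloudflare.com",
    "10.0.0.5 1.1.1.1 curl/7.81.0 KLUv_QBYbQAAaGVsbG8gd29ybGQK.a12345-2025-04.lookup.cloudflare.com",
    "10.0.0.9 1.1.1.1 Mozilla/5.0 www.example.com",
    "10.0.0.7 1.1.1.1 Mozilla/5.0 b54321-2025-04.lookup.cloudflare.com",
]

# Month/year-seeded DGA shape taken from the report's sample domain, generalized to any YYYY-MM.
DGA_RE = re.compile(r"(^|\.)[a-z]\d{5}-\d{4}-(0[1-9]|1[0-2])\.lookup\.cloudflare\.com$")
# A long label made only of base64 / base64url alphabet characters (assumed minimum length 24).
B64_LABEL_RE = re.compile(r"^[A-Za-z0-9+/=_-]{24,}$")
BROWSER_UA_RE = re.compile(r"^(Mozilla|Chrome|Safari)/")
DOH_RESOLVERS = {"1.1.1.1"}  # resolver named in the report's detection guidance


def shannon_entropy(s):
    """Bits of entropy per character; encoded payload chunks score higher than words."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def encoded_labels(qname):
    """Return the labels of qname that look like base64-encoded payload chunks."""
    return [lbl for lbl in qname.split(".")
            if B64_LABEL_RE.match(lbl) and shannon_entropy(lbl) > 3.0]


def score_record(line):
    """Return the indicators that fire on one 'src dst ua qname' record."""
    _src, dst, ua, qname = line.split(" ", 3)
    reasons = []
    if DGA_RE.search(qname):
        reasons.append("dga-domain")
    if encoded_labels(qname):
        reasons.append("encoded-label")
    if dst in DOH_RESOLVERS and not BROWSER_UA_RE.match(ua):
        reasons.append("non-browser-ua-to-resolver")
    return reasons


def analyze(lines):
    """Map record index -> indicators for every record on which at least one fires."""
    flagged = {}
    for i, line in enumerate(lines):
        reasons = score_record(line)
        if reasons:
            flagged[i] = reasons
    return flagged


if __name__ == "__main__":
    for idx, reasons in analyze(SAMPLE_LOGS).items():
        print(idx, SAMPLE_LOGS[idx], reasons)
```

A single indicator (a browser talking to a DGA-shaped name) is a lead to triage; all three together on one source host is the tunnel profile described above.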
After establishing a foothold, Earth Longhorn conducts internal reconnaissance using nmap and masscan over the encrypted DoH channel. They move laterally via SMB relay attacks against domain controllers, harvesting credentials with Mimikatz variants compiled for ARM architecture.
Persistence is maintained through:
- /etc/cron.d executing weekly via ash
- webvpn binary is written to flash, surviving firmware updates
- openssl are planted in ~/.ssh/ for root access

Given the use of DoH, traditional DNS logging is ineffective. Instead, defenders should focus on:
- cloudflared or silentcore from /tmp/
- 1.1.1.1 for non-browser user agents (e.g., curl/7.81.0)
- /etc/crontab, /bin/ash, or /lib/libwebvpn.so
- journalctl gaps or missing /var/log/auth.log rotations

Immediate action is required to neutralize Silent Anchor:
- cisco-sa-asa-doh-rce-2025 (available April 1, 2025)
- webvpn globally or restrict to approved IP ranges
- cloudflared processes and memory injection patterns
- sha256sum to verify bootloader and kernel integrity against Cisco's signed checksums

Earth Longhorn is a subgroup of APT41, known for moonlighting operations between cybercrime and state espionage. Their targeting of energy grids during the 2025 Southeast Asian energy crisis aligns with China's strategic interest in securing Belt and Road Initiative infrastructure. The use of DoH suggests evasion of both national firewalls and corporate DLP systems, reflecting a broader trend of "living-off-trusted-cloud" tactics.
Silent Anchor highlights a dangerous convergence: