Cisco Zero-Days: ArcaneDoor Hackers Breach Global Networks, A Quick Look.

In a startling revelation, Cisco has warned about a state-backed hacking group exploiting two zero-day vulnerabilities. These vulnerabilities, found in Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls, have been exploited since November 2023. The hackers, known as UAT4356 by Cisco Talos and STORM-1849 by Microsoft, have been breaching government networks worldwide.

The ArcaneDoor Campaign

The cyber-espionage campaign, named ArcaneDoor, began infiltrating vulnerable edge devices in early November 2023. The initial attack vector remains unidentified, but Cisco discovered two security flaws— CVE-2024-20353 (denial of service) and CVE-2024-20359 (persistent local code execution)—that the threat actors used as zero-days in these attacks.

The Discovery and Response

Cisco became aware of the ArcaneDoor campaign in early January 2024. They found evidence that the attackers had been developing and testing exploits to target the two zero-days since at least July 2023. In response to the attacks, Cisco released security updates to fix the two zero-days and now “strongly recommends” all customers to upgrade their devices to fixed software to block any incoming attacks.

The Malware Implants of ArcaneDoor Hackers

The two vulnerabilities enabled the threat actors to deploy previously unknown malware and maintain persistence on compromised ASA and FTD devices. They used a malware implant named Line Dancer, an in-memory shellcode loader, to deliver and execute arbitrary shellcode payloads, disable logging, provide remote access, and exfiltrate captured packets. Another implant, a persistent backdoor named Line Runner, was used to avoid detection and allowed the hackers to run arbitrary Lua code on the compromised systems.

The Aftermath of ArcaneDoor Hackers

Cisco stated, “This actor utilized bespoke tooling that demonstrated a clear focus on espionage and an in-depth knowledge of the devices that they targeted, hallmarks of a sophisticated state-sponsored actor.” The company further explained that “UAT4356 deployed two backdoors as components of this campaign, ‘Line Runner’ and ‘Line Dancer,’ which were used collectively to conduct malicious actions on-target, which included configuration modification, reconnaissance, network traffic capture/exfiltration and potentially lateral movement.”

The Call to Action

System administrators are also “strongly encouraged” to monitor system logs for any signs of unscheduled reboots, unauthorized configuration changes, or suspicious credential activity. The company concluded by stating, “Regardless of your network equipment provider, now is the time to ensure that the devices are properly patched, logging to a central, secure location, and configured to have strong, multi-factor authentication (MFA).” Cisco also provides instructions on verifying the integrity of ASA or FTD devices in its advisory.

In conclusion, the ArcaneDoor campaign serves as a reminder of the ever-evolving threats in the digital world. It shows the importance of maintaining up-to-date security measures and the need for constant vigilance in the face of sophisticated cyber-attacks.

You think you have a story worth everyone’s time? SUBMIT A STORY and we will publish it.