Government Networks Worldwide Breached by ArcaneDoor Hackers Exploiting Cisco Zero-Days

April 24, 2024

Cisco has alerted the public to the activities of a state-sponsored hacking group that has been exploiting two zero-day vulnerabilities in its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls. The group, known as UAT4356 by Cisco Talos and STORM-1849 by Microsoft, has been active since November 2023. The cyber-espionage campaign, named ArcaneDoor, has been infiltrating vulnerable edge devices.

While the initial attack vector is yet to be identified by Cisco, the company discovered two security flaws, CVE-2024-20353 (denial of service) and CVE-2024-20359 (persistent local code execution), that the hackers used as zero-days in their attacks. Cisco first became aware of the ArcaneDoor campaign in early January 2024 and found evidence that the attackers had been developing and testing exploits to target the two zero-days since at least July 2023.

The two vulnerabilities enabled the threat actors to deploy previously unknown malware and maintain persistence on compromised ASA and FTD devices. They used a malware implant named Line Dancer, an in-memory shellcode loader, to deliver and execute arbitrary shellcode payloads, disable logging, provide remote access, and exfiltrate captured packets. Another implant, a persistent backdoor named Line Runner, was used to avoid detection and allowed the hackers to run arbitrary Lua code on the compromised systems.

Cisco stated, "This actor utilized bespoke tooling that demonstrated a clear focus on espionage and an in-depth knowledge of the devices that they targeted, hallmarks of a sophisticated state-sponsored actor." The company further explained that "UAT4356 deployed two backdoors as components of this campaign, 'Line Runner' and 'Line Dancer,' which were used collectively to conduct malicious actions on-target, which included configuration modification, reconnaissance, network traffic capture/exfiltration and potentially lateral movement."

In response to the attacks, Cisco released security updates to fix the two zero-days and now "strongly recommends" that all customers upgrade their devices to fixed software to block any incoming attacks. System administrators are also "strongly encouraged" to monitor system logs for any signs of unscheduled reboots, unauthorized configuration changes, or suspicious credential activity. The company concluded by stating, "Regardless of your network equipment provider, now is the time to ensure that the devices are properly patched, logging to a central, secure location, and configured to have strong, multi-factor authentication (MFA)." Cisco also provides instructions on verifying the integrity of ASA or FTD devices in its advisory.
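The three log indicators Cisco asks administrators to watch for (unscheduled reboots, configuration changes, and suspicious credential activity) can be checked against centrally collected ASA syslog. The script below is an added example, not Cisco's tooling or part of its advisory; the log lines are constructed sample data, the ASA message IDs it keys on, the maintenance window and the failed-login threshold are all assumptions to be adjusted for a real environment.

```python
import re
from datetime import datetime, time

# Constructed ASA-style syslog lines (sample data, not output of any real device).
# Message IDs are assumed: 199002 startup, 111008/111010 CLI commands, 605004 denied login.
SAMPLE_LOGS = """\
Apr 24 2024 03:12:07 fw01 %ASA-6-199002: Startup completed. Beginning operation.
Apr 24 2024 03:14:51 fw01 %ASA-5-111008: User 'enable_15' executed the 'configure terminal' command.
Apr 24 2024 03:15:02 fw01 %ASA-5-111010: User 'enable_15', running 'CLI' from IP 203.0.113.9, executed 'no logging enable'
Apr 24 2024 09:00:13 fw01 %ASA-6-605004: Login denied from 198.51.100.7/51233 to outside:192.0.2.1/443 for user "admin"
Apr 24 2024 09:00:19 fw01 %ASA-6-605004: Login denied from 198.51.100.7/51240 to outside:192.0.2.1/443 for user "admin"
Apr 24 2024 09:00:25 fw01 %ASA-6-605004: Login denied from 198.51.100.7/51251 to outside:192.0.2.1/443 for user "admin"
Apr 24 2024 12:30:00 fw01 %ASA-6-302013: Built inbound TCP connection 1 for outside:198.51.100.7/1 (198.51.100.7/1) to inside:10.0.0.5/443 (192.0.2.1/443)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%ASA-\d-(?P<msgid>\d{6}): (?P<msg>.*)$"
)
MAINT_WINDOW = (time(22, 0), time(23, 0))  # assumed change window; reboots outside it are unscheduled
FAILED_LOGIN_THRESHOLD = 3                 # assumed per-source failed-login count that raises an alert


def analyze(log_text, maint_window=MAINT_WINDOW, threshold=FAILED_LOGIN_THRESHOLD):
    """Return (kind, timestamp, detail) findings for the indicators Cisco lists."""
    findings, failed_by_ip = [], {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected ASA format; skip rather than guess
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
        msgid, msg = m["msgid"], m["msg"]
        if msgid == "199002" and not (maint_window[0] <= ts.time() <= maint_window[1]):
            findings.append(("unscheduled_reboot", ts, m["host"]))
        elif msgid in ("111008", "111010"):
            # Logging changes get their own tag: the Line Dancer implant is described as disabling logging.
            kind = "logging_disabled" if "no logging" in msg else "config_change"
            findings.append((kind, ts, msg))
        elif msgid == "605004":
            src = re.search(r"from (\d+\.\d+\.\d+\.\d+)", msg)
            if src:
                ip = src.group(1)
                failed_by_ip[ip] = failed_by_ip.get(ip, 0) + 1
                if failed_by_ip[ip] == threshold:  # alert once, when the threshold is first reached
                    findings.append(("repeated_login_failures", ts, ip))
    return findings


if __name__ == "__main__":
    for kind, ts, detail in analyze(SAMPLE_LOGS):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {kind}: {detail}")
```

Run over the sample, it reports a reboot outside the change window, a config session, a logging change, and one source reaching the failed-login threshold.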
