A state-sponsored threat actor has launched a sophisticated cyber espionage campaign that exploits two vulnerabilities in Cisco firewall platforms, according to an advisory from Cisco Talos.
The campaign, dubbed ArcaneDoor, targets perimeter network devices to enable the attacker to undertake a range of actions inside an organization’s systems, including rerouting or modifying traffic and monitoring network communications.
Cisco identified a threat actor tracked as UAT4356 by Talos and STORM-1849 by the Microsoft Threat Intelligence Center as being behind the campaign.
“This actor utilized bespoke tooling that demonstrated a clear focus on espionage and an in-depth knowledge of the devices that they targeted, hallmarks of a sophisticated state-sponsored actor,” Cisco Talos wrote.
The firm noted that the campaign fits a trend it has observed over the past two years: a “dramatic and sustained increase” in the targeting of perimeter network devices. These attacks particularly target critical infrastructure entities, such as energy companies, that are likely to be strategic targets of interest for many foreign governments.
How Organizations Are Targeted by ArcaneDoor
Talos outlined a sophisticated attack chain used by UAT4356 to conduct the espionage campaign, which involved implanting custom malware and executing commands across a small set of customers.
The firm was initially alerted to suspicious activity on a Cisco Adaptive Security Appliance (ASA) device in early 2024, and upon investigation, actor-controlled infrastructure was discovered dating back to early November 2023.
There is also evidence that this capability was being tested and developed from as early as July 2023.
The analysis identified additional victims, all of which involved government networks globally.
While the initial attack vector has not been identified, Talos said the threat actor exploited two previously unknown vulnerabilities, CVE-2024-20353 and CVE-2024-20359, in the campaign. Fixes are now available for both vulnerabilities.
Two backdoors were then employed once UAT4356 had compromised the target, known as “Line Runner” and “Line Dancer.” These were used collectively to conduct malicious actions on-target, including configuration modification, reconnaissance, network traffic capture/exfiltration and potentially lateral movement.
Line Dancer is a memory-only implant, designed to enable attackers to upload and execute arbitrary shellcode payloads.
The adversary submits the shellcode via the host-scan-reply field, which is then parsed by the Line Dancer implant.
Talos observed the threat actors using Line Dancer for a range of tasks including disabling syslog, running and exfiltrating the command show configuration, and creating and exfiltrating packet captures.
The second malware deployed by the attackers, Line Runner, is used to maintain persistence on the compromised ASA device.
It abuses functionality related to a legacy capability on ASA that allowed VPN clients and plugins to be pre-loaded onto the device. This vulnerability has been assigned CVE-2024-20359.
The other vulnerability, CVE-2024-20353, was also exploited to facilitate this process: it causes the target ASA device to reboot, which triggers the unzipping and installation of the second component of Line Runner.
The scripts in the zip file allow the threat actor to maintain a persistent HTTP-based Lua backdoor on the ASA that survives reboots and upgrades.
Attributed to a State-Sponsored Actor
The sophisticated nature of the campaign, alongside victimology, has led Talos to assess with high confidence that it was performed by a state-sponsored actor.
The researchers also noted that UAT4356 took “clear and deliberate steps” to try to prevent forensic capture of its malicious artifacts.
This included hooking the Authentication, Authorization and Accounting (AAA) function of the device to allow the actor to bypass normal AAA operations.
Talos stated: “This tradecraft suggests a thorough understanding of the ASA itself and of the forensic actions commonly performed by Cisco for network device integrity validation.”
A joint advisory published on April 24 by the Canadian Centre for Cyber Security (Cyber Centre), the Australian Signals Directorate's Australian Cyber Security Centre and the UK's National Cyber Security Centre (NCSC) has warned IT professionals and managers within government and all sectors about the threat, urging them to apply available patches immediately.
It said the attackers’ capabilities are indicative of espionage conducted by a well-resourced and sophisticated state-sponsored actor.
Cisco Customers Urged to Take Action
Patches have been released for the two exploited vulnerabilities, and organizations using ASA software are urged to upgrade to a patched version, even if they believe their device has not been compromised.
Talos added that all network devices, regardless of the provider, must be properly patched, logging to a central, secure location, and configured to have strong, multi-factor authentication (MFA).
The firm’s advisory also set out advice for ASA customers that suspect they may have been targeted in this campaign.
These are:
- Look for any flows to/from ASA devices to any of the IP addresses present in the IOC list provided in the Talos advisory
- Issue the command “show memory region | include lina” to identify another indicator of compromise. If the output indicates more than one executable memory region, this is a sign of potential tampering
- Follow the steps outlined in the Cisco ASA Forensic Investigation Procedures for First Responders. This document provides guidance for collecting evidence in a forensically sound manner from Cisco ASA devices that are suspected of compromise or tampering
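The first two checks above lend themselves to scripting when many ASA devices or large flow archives are involved. The following is an added example, not code from Cisco Talos or the joint advisory: it parses a saved copy of the “show memory region | include lina” output and flags more than one executable region, and it matches flow records against an IOC address list. All sample data is constructed: the memory-region lines imitate the Linux /proc/maps-style layout the command prints, and the IOC addresses are RFC 5737 documentation ranges that stand in for the real list published in the Talos advisory.

```python
"""Triage helpers for the two ArcaneDoor indicators (added example)."""
import csv
import io
import ipaddress
import re
from typing import Iterable

# One region line as printed by "show memory region":
# "start-end perms offset dev inode [path]" (Linux /proc/maps layout).
_REGION_RE = re.compile(
    r"^\s*(?P<start>[0-9a-fA-F]+)-(?P<end>[0-9a-fA-F]+)\s+"
    r"(?P<perms>[rwxsp-]{4})\s+\S+\s+\S+\s+\S+(?:\s+(?P<path>\S+))?"
)


def executable_lina_regions(show_memory_output: str) -> list[dict]:
    """Return the executable regions among lines that mention 'lina'.

    Mimics "| include lina" by keeping only lines containing the substring,
    then keeps those whose permission field includes 'x'. Prompt lines and
    anything else that is not a region line are ignored.
    """
    found = []
    for line in show_memory_output.splitlines():
        if "lina" not in line:
            continue
        m = _REGION_RE.match(line)
        if m is None or "x" not in m.group("perms"):
            continue
        found.append({
            "start": int(m.group("start"), 16),
            "end": int(m.group("end"), 16),
            "perms": m.group("perms"),
            "path": m.group("path") or "",
        })
    return found


def lina_looks_tampered(show_memory_output: str) -> bool:
    """Talos indicator: more than one executable lina region is suspicious."""
    return len(executable_lina_regions(show_memory_output)) > 1


# Constructed sample: one executable text segment plus read-only and data mappings.
CLEAN_OUTPUT = """\
ciscoasa# show memory region | include lina
00000000fe0c3000-0000000106d02000 r-xp 00000000 00:04 5436 /asa/bin/lina
0000000106f01000-0000000107102000 r--p 08c3e000 00:04 5436 /asa/bin/lina
0000000107102000-000000010725c000 rw-p 08e3f000 00:04 5436 /asa/bin/lina
"""

# Constructed sample: a second executable region attributed to lina, the
# pattern the advisory says to treat as a sign of possible tampering.
TAMPERED_OUTPUT = CLEAN_OUTPUT + (
    "00007f3c2a001000-00007f3c2a022000 r-xp 00000000 00:00 0 /asa/bin/lina\n"
)

# Placeholder IOC list (RFC 5737 documentation ranges). Substitute the
# addresses from the Talos advisory's IOC list in real use.
IOC_NETWORKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.7/32")]

# Constructed flow export; 203.0.113.20 plays the role of the ASA's outside address.
FLOW_LOG = """\
src,dst,dst_port,bytes
10.0.0.5,203.0.113.20,443,18420
203.0.113.20,192.0.2.17,443,912
198.51.100.7,203.0.113.20,443,4096
10.0.0.9,10.0.0.1,53,120
"""


def flows_matching_iocs(flow_log: str, asa_addresses: Iterable[str],
                        iocs: Iterable[ipaddress.IPv4Network] = IOC_NETWORKS) -> list[dict]:
    """Return flows where one endpoint is an ASA and the other is in the IOC list."""
    asa = {ipaddress.ip_address(a) for a in asa_addresses}
    iocs = list(iocs)
    hits = []
    for rec in csv.DictReader(io.StringIO(flow_log)):
        src, dst = ipaddress.ip_address(rec["src"]), ipaddress.ip_address(rec["dst"])
        if src not in asa and dst not in asa:
            continue  # only flows touching an ASA are of interest here
        peer = dst if src in asa else src
        if any(peer in net for net in iocs):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    print("clean output tampered?", lina_looks_tampered(CLEAN_OUTPUT))
    print("sample output tampered?", lina_looks_tampered(TAMPERED_OUTPUT))
    for hit in flows_matching_iocs(FLOW_LOG, ["203.0.113.20"]):
        print("IOC flow:", hit)
```

The memory-region check is deliberately conservative: it only counts regions whose permission field contains `x`, and a healthy device with one text segment yields a count of one. Run it against a saved CLI capture rather than typing on the device, so the capture can be kept as evidence alongside the first-responder procedure in the third step.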