Cisco Zero-Days Anchor ArcaneDoor Cyber-Espionage Campaign

Published: 23/11/2024   Category: security




Attacks by a previously unknown threat actor leveraged two bugs in firewall devices to install custom backdoors on several government networks globally.



A state-sponsored threat actor has exploited two Cisco zero-day vulnerabilities in firewall devices to target the perimeter of government networks with two custom-built backdoors, in a global cyber-espionage campaign.

Dubbed ArcaneDoor, the campaign by the previously unknown actor — which researchers from Cisco Talos track as UAT4356 — has targeted Cisco Adaptive Security Appliance (ASA) firewall devices of several Cisco customers since at least December 2023, Cisco Talos researchers revealed in a blog post.

While the actor's initial access vector remains unknown, once access is obtained UAT4356 uses a sophisticated attack chain involving exploitation of the two vulnerabilities — a denial-of-service flaw tracked as CVE-2024-20353 and a persistent local execution flaw tracked as CVE-2024-20359, both of which have since been patched — to implant malware and execute commands across a small set of Cisco customers. Cisco Talos also flagged a third flaw in ASA, CVE-2024-20358, that was not used in the ArcaneDoor campaign.
The researchers also found evidence that the actor has interest in and potentially will attack devices from Microsoft and other vendors, making it crucial that organizations ensure that all perimeter devices are properly patched, logging to a central, secure location, and configured to have strong multifactor authentication (MFA), Cisco Talos wrote in the post.
The first sign of suspicious activity in the campaign came in early 2024, when a customer reached out to Cisco's Product Security Incident Response Team (PSIRT) and Cisco Talos about security concerns with its ASA firewall devices.

A subsequent several-months-long investigation conducted by Cisco and intelligence partners uncovered threat actor-controlled infrastructure dating back to early November 2023. Most of the attacks — all of which targeted government networks globally — occurred between December and early January. There is also evidence that the actor — which Microsoft also is now tracking as STORM-1849 — was testing and developing its capability as early as last July.
The primary payloads of the campaign are two custom backdoors — Line Dancer and Line Runner — which were used together by UAT4356 to conduct malicious activities on the network, such as configuration modification; reconnaissance; network traffic capture/exfiltration; and potentially lateral movement.
Line Dancer is a memory-resident shellcode interpreter that enables adversaries to upload and execute arbitrary shellcode payloads. In the campaign, Cisco Talos observed the malware being used to execute various commands on an ASA device, including: disabling the syslog; running and exfiltrating the command show configuration; creating and exfiltrating packet captures; and executing commands present in the shellcode, among other activities.
Line Runner, meanwhile, is a persistence mechanism deployed on the ASA device using functionality related to a legacy capability that allowed VPN clients and plugins to be pre-loaded on the device during boot, which can be exploited as CVE-2024-20359, according to Cisco Talos. In at least one case, the threat actor also abused CVE-2024-20353 to facilitate this process.
The attackers were able to leverage this vulnerability to cause the target ASA device to reboot, triggering the unzipping and installing of Line Runner, according to the researchers.
Perimeter devices, which sit at the edge between an organization's internal network and the Internet, are the perfect intrusion point for espionage-focused campaigns, providing threat actors a way to gain a foothold to directly pivot into an organization, reroute or modify traffic, and monitor network communications into the secure network, according to Cisco Talos.
"Zero-days on these devices are an especially attractive attack surface," notes Andrew Costis, chapter lead of the Adversary Research Team at MITRE ATT&CK testing firm AttackIQ.

"We've seen time and time again critical zero and n-day vulnerabilities being exploited with all of the mainstream security appliances and software," he says, noting previous attacks on bugs in devices from Ivanti, Palo Alto Networks, and others.
The threat to these devices highlights the need for organizations to routinely and promptly patch them using up-to-date hardware and software versions and configurations, as well as maintain close security monitoring of them, according to Cisco Talos.
Organizations also should focus on post-compromise TTPs of threat actors and test known adversary behaviors as part of a layered approach to defensive network operations, Costis says.
Indicators of compromise (IoCs) that customers can look for if they suspect they may have been targeted by ArcaneDoor include any flows to/from ASA devices to any of the IP addresses present in the IOC list included in the blog.
Organizations also can issue the command show memory region | include lina to identify another IOC. If the output indicates more than one executable memory region … especially if one of these memory sections is exactly 0x1000 bytes, then this is a sign of potential tampering, Cisco Talos wrote.  
And, Cisco provided two sets of steps that network administrators can take to identify and remove the ArcaneDoor persistence backdoor Line Runner on an ASA device once the patch is applied. The first is to conduct a review of the contents of disk0; if a new file (e.g., client_bundle_install.zip or any other unusual .zip file) appears on the disk, it means that Line Runner had been present but is no longer active due to the update.
Administrators also can follow a series of commands provided that will create an innocuous file with a .zip extension that will be read by the ASA at reboot. If it appears on disk0, it means that Line Runner likely was present on the device in question. Administrators can then delete the client_bundle_install.zip file to remove the backdoor.
If administrators find a newly created .zip file on their ASA devices, they should copy that file off the device and email [email protected] using a reference to CVE-2024-20359 and including the outputs of the dir disk0: and show version commands from the device, as well as the .zip file that they extracted.
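The three checks described above (flows to the IoC address list, the `show memory region | include lina` heuristic, and the review of disk0 for unexpected .zip files) are manual steps in the Talos guidance. The script below is an added example, not Cisco or Talos tooling, that applies the same checks to captured command output so they can be run across a fleet of exported outputs. The column layout of the ASA output, the IoC addresses (TEST-NET ranges) and the file names other than client_bundle_install.zip are constructed placeholders; the real IoC list is in the Talos post, and the parser keys on address, size and permission fields rather than on exact spacing so it tolerates format differences.

```python
"""ArcaneDoor triage helpers (added example, not Cisco Talos code).

Applies the three indicators described in the article to text captured
from an ASA device: the `show memory region | include lina` heuristic,
a `dir disk0:` listing checked for unexpected .zip files, and flow
records matched against an IoC address list.
"""
import ipaddress
import re
from typing import Iterable

# Constructed sample of `show memory region | include lina` output.
# The column layout is an assumption; a real device may differ.
SAMPLE_MEMORY_REGIONS = """\
0x00400000 0x0a400000 167772160 r-xp /asa/bin/lina
0x0a400000 0x0c400000 33554432  rw-p /asa/bin/lina
0x7f3a2c000000 0x7f3a2c001000 4096 rwxp [anon]
"""

# Constructed sample of a device with a single executable lina region.
CLEAN_MEMORY_REGIONS = """\
0x00400000 0x0a400000 167772160 r-xp /asa/bin/lina
0x0a400000 0x0c400000 33554432  rw-p /asa/bin/lina
"""

# start address, end address, size in bytes, permission flags
_REGION_RE = re.compile(
    r"^\s*(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(\d+)\s+([rwxps-]{4})"
)


def parse_memory_regions(output: str) -> list[dict]:
    """Parse region lines into dicts; lines that do not match are skipped."""
    regions = []
    for line in output.splitlines():
        m = _REGION_RE.match(line)
        if not m:
            continue
        start, end, size, perms = m.groups()
        regions.append({"start": int(start, 16), "end": int(end, 16),
                        "size": int(size), "perms": perms})
    return regions


def memory_region_verdict(output: str) -> dict:
    """Talos heuristic: more than one executable region is suspicious,
    especially when one of them is exactly 0x1000 bytes."""
    execs = [r for r in parse_memory_regions(output) if "x" in r["perms"]]
    return {
        "executable_regions": len(execs),
        "tampering_suspected": len(execs) > 1,
        "exact_0x1000_region": any(r["size"] == 0x1000 for r in execs),
    }


# Constructed sample of `dir disk0:` output; the image name is a placeholder.
SAMPLE_DIR_DISK0 = """\
Directory of disk0:/

8      -rwx  33554432     12:00:00 Jan 05 2024  asa-image-placeholder.bin
9      -rwx  4096         12:00:00 Jan 05 2024  client_bundle_install.zip
10     drwx  4096         12:00:00 Jan 05 2024  coredumpinfo

8192000000 bytes total (6144000000 bytes free)
"""


def unexpected_zip_files(dir_output: str, expected: Iterable[str] = ()) -> list[str]:
    """Return .zip names on disk0 that are not in the operator's allowlist.
    Any hit should be copied off the device and reported, per the guidance."""
    allow = {e.lower() for e in expected}
    hits = []
    for line in dir_output.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        name = tokens[-1]  # file name is the last column in the listing
        if name.lower().endswith(".zip") and name.lower() not in allow:
            hits.append(name)
    return hits


# Placeholder IoC addresses (TEST-NET), not the Talos list.
IOC_ADDRESSES = ["192.0.2.10", "198.51.100.77"]

# Constructed (src, dst) flow records as exported from a flow collector.
SAMPLE_FLOWS = [
    ("10.0.0.1", "203.0.113.5"),
    ("192.0.2.10", "10.0.0.1"),
    ("10.0.0.1", "203.0.113.9"),
]


def flows_to_iocs(flows, iocs) -> list:
    """Return flows where either endpoint is an IoC address."""
    ioc_set = {ipaddress.ip_address(i) for i in iocs}
    return [f for f in flows
            if ipaddress.ip_address(f[0]) in ioc_set
            or ipaddress.ip_address(f[1]) in ioc_set]


if __name__ == "__main__":
    print(memory_region_verdict(SAMPLE_MEMORY_REGIONS))
    print(unexpected_zip_files(SAMPLE_DIR_DISK0))
    print(flows_to_iocs(SAMPLE_FLOWS, IOC_ADDRESSES))
```

The memory-region check is the most useful of the three because it works while the implant is still resident; the disk0 check only reports what the post-patch reboot left behind. Feed each function the raw text from the device rather than reformatting it, and treat any positive as a trigger for the PSIRT reporting step above, not as a conclusion on its own.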
