State-Sponsored Espionage Campaign Exploits Cisco Vulnerabilities

April 25, 2024

A state-sponsored threat actor has launched a sophisticated cyber espionage campaign that exploits two vulnerabilities in Cisco firewall platforms, according to an advisory from Cisco Talos.

The campaign, dubbed ArcaneDoor, targets perimeter network devices to enable the attacker to undertake a range of actions inside an organization’s systems, including rerouting or modifying traffic and monitoring network communications.

Cisco identified a threat actor tracked as UAT4356 by Talos and STORM-1849 by the Microsoft Threat Intelligence Center as being behind the campaign.

“This actor utilized bespoke tooling that demonstrated a clear focus on espionage and an in-depth knowledge of the devices that they targeted, hallmarks of a sophisticated state-sponsored actor,” Cisco Talos wrote.

The firm noted that the campaign fits with the trend of a “dramatic and sustained increase” in the targeting of perimeter network devices over the past two years. These attacks particularly target critical infrastructure entities, such as energy companies, that are likely strategic targets of interest for many foreign governments.

How Organizations Are Targeted by ArcaneDoor

Talos outlined a sophisticated attack chain used by UAT4356 to conduct the espionage campaign, which involved implanting custom malware and executing commands across a small set of customers.

The firm was initially alerted to suspicious activity on a Cisco Adaptive Security Appliance (ASA) device in early 2024, and upon investigation, actor-controlled infrastructure was discovered dating back to early November 2024.

There is also evidence that this capability was being tested and developed from as early as July 2023.

The analysis identified additional victims, all of which involved government networks globally.

While the initial attack vector has not been discovered, Talos said the threat actor exploited two previously unknown vulnerabilities, CVE-2024-20353 and CVE-2024-20359, in the campaign. Fixes are now available for these vulnerabilities.

Two backdoors were then employed once UAT4356 had compromised the target, known as “Line Runner” and “Line Dancer.” These were used collectively to conduct malicious actions on-target, including configuration modification, reconnaissance, network traffic capture/exfiltration and potentially lateral movement.

Line Dancer is a memory-only implant, designed to enable attackers to upload and execute arbitrary shellcode payloads.

The adversary submits shellcode via the host-scan-reply field, which the Line Dancer implant then parses.

Talos observed the threat actors using Line Dancer for a range of tasks including disabling syslog, running and exfiltrating the command show configuration, and creating and exfiltrating packet captures.

The second malware deployed by the attackers, Line Runner, is used to maintain persistence on the compromised ASA device.

It uses functionality related to a legacy capability on ASA that allowed for the pre-loading of VPN clients and plugins on the device. This vulnerability has been assigned CVE-2024-20359.

The other vulnerability, assigned CVE-2024-20353, was also exploited to facilitate this process, causing the target ASA device to reboot and triggering the unzipping and installation of the second component of Line Runner.

The scripts in the zip file allow the threat actor to maintain a persistent HTTP-based Lua backdoor on the ASA, surviving reboots and upgrades.
