Cisco has warned of a sophisticated state-backed hacking group known as UAT4356 exploiting two zero-day vulnerabilities in Cisco firewall devices since November 2023 to breach government networks worldwide.
Key highlights of the ArcaneDoor Campaign
- The campaign has been active since November 2023 targeting government networks worldwide.
- Two Cisco ASA and FTD firewall vulnerabilities exploited – CVE-2024-20353 and CVE-2024-20359.
- Sophisticated state-sponsored hacking group UAT4356 deployed Line Dancer and Line Runner malware payloads.
- ArcaneDoor threat actor’s Goal was long-term espionage with reconnaissance, traffic monitoring, configuration access and data exfiltration capabilities.
- Patches released to fix vulnerabilities, immediate upgrades strongly recommended by CISCO.
ArcaneDoor Exploited Two Vulnerabilities in ASA and FTD Firewalls
The ArcaneDoor hackers exploited CVE-2024-20353 and CVE-2024-20359, which are a denial of service and persistent local code execution vulnerability respectively in Cisco’s Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls.
After gaining access via the zero-days, the ArcaneDoor threat actors deployed malware payloads known as Line Dancer and Line Runner to maintain persistence on compromised systems. Line Dancer acts as a shellcode loader to execute arbitrary code payloads, while Line Runner serves as a persistent backdoor with defense evasion capabilities.
ArcaneDoor Commits Sophisticated Espionage Focused Attacks
Cisco notes this actor demonstrated a clear focus on espionage with their custom tools and in-depth target knowledge, typical of state-sponsored cyberattacks. The hackers have been actively developing exploits for the vulnerabilities since at least July 2023.
Intelligence reports indicate the hackers used their compromised firewall access to monitor network activity, generate device configurations, modify AAA settings, capture and exfiltrate network traffic.
Campaign Traces Back to Late 2023
The alert involves activity since early 2024 exploiting vulnerabilities in Cisco ASA devices running firmware versions 9.12 and 9.14. A joint advisory notes the malicious actors have been targeting networks through compromised WebVPN sessions since late 2023.
Tactics Used to Maintain Access:
The advisory states the malicious actors used their access to:
- Generate text versions of the device’s configuration file so that it could be exfiltrated through web requests.
- Control the enabling and disabling of the devices syslog service to obfuscate additional commands.
- Modify the authentication, authorization and accounting (AAA) configuration so that specific actor-controlled devices matching a particular identification could be provided access within the impacted environment.
Mitigations and Patching of Vulnerabilities
Cisco released security updates on April 2024 to address the vulnerabilities. They strongly recommend customers immediately upgrade to patched software versions. Admins should also monitor logs for signs of unauthorized access. Regardless of vendor, all network devices must be kept properly patched and secured.
