The ArcaneDoor cyber-espionage campaign, which began in November 2023, involved state-sponsored hackers exploiting two zero-day vulnerabilities in Cisco’s Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls.
📌Zero-Day Exploits Identified: The hackers exploited two zero-day vulnerabilities, CVE-2024–20353 and CVE-2024–20359, which allowed for denial of service attacks and persistent local code execution, respectively.
📌Sophisticated Malware Deployment: The threat actors deployed two types of malware, Line Dancer and Line Runner. Line Dancer is an in-memory shellcode loader that facilitates the execution of arbitrary shellcode payloads, while Line Runner is a persistent backdoor that enables the attackers to run arbitrary Lua code on the compromised systems.
📌Global Impact on Government Networks: The campaign targeted government networks worldwide, exploiting the vulnerabilities to gain access to sensitive information and potentially conduct further malicious activities such as data exfiltration and lateral movement within the networks.
📌Response and Mitigation: Cisco responded by releasing security updates to patch the vulnerabilities and issued advisories urging customers to update their devices. They also recommended monitoring system logs for signs of compromise such as unscheduled reboots or unauthorized configuration changes.
📌Attribution and Espionage Focus: The hacking group, identified as UAT4356 by Cisco Talos and STORM-1849 by Microsoft, demonstrated a clear focus on espionage. The campaign is believed to be state-sponsored, with some sources suggesting China might be behind the attacks.
📌Broader Trend of Targeting Network Perimeter Devices: This incident is part of a larger trend where state-sponsored actors target network perimeter devices like firewalls and VPNs to gain initial access to target networks for espionage purposes