Cisco Zero-Days Anchor “ArcaneDoor” Cyber Espionage Campaign

A state-sponsored threat group exploited two Cisco zero-day vulnerabilities in firewall devices to target the perimeter of government networks with two custom backdoors in a global cyber espionage campaign.

Dubbed “ArcaneDoor,” the campaign is the work of a previously unknown actor that Cisco Talos tracks as UAT4356. It has been targeting the Cisco Adaptive Security Appliance (ASA) firewall devices of several Cisco customers since at least December 2023, Cisco Talos researchers revealed in a blog post.

While the initial access vector remains unknown, once inside, UAT4356 used a “sophisticated attack chain” that exploited the two vulnerabilities, a denial-of-service flaw tracked as CVE-2024-20353 and a persistent local code execution flaw tracked as CVE-2024-20359, both since patched, to plant malware and execute commands on the devices of a small set of Cisco customers. Cisco Talos also reported a third ASA flaw, CVE-2024-20358, which was not used in the ArcaneDoor campaign.

The researchers also found evidence that the actor has an interest in, and potentially attacks, network devices from Microsoft and other vendors, making it critical that organizations ensure all edge devices “are properly patched, logging to a central, secure location, and configured to have strong multi-factor authentication (MFA),” Cisco Talos wrote in the post.

Custom backdoor malware for global governments

The first sign of suspicious activity in the campaign came in early 2024, when a customer contacted Cisco’s Product Security Incident Response Team (PSIRT) and Cisco Talos about security issues with its ASA firewall devices.

A subsequent multi-month investigation by Cisco and intelligence partners uncovered attacker-controlled infrastructure dating back to early November 2023. The majority of the attacks, all targeting government networks globally, occurred between December 2023 and early January 2024. There is also evidence that the actor, which Microsoft now tracks as Storm-1849, was testing and developing its capabilities as early as July 2023.

The main payloads of the campaign are two custom backdoors, “Line Dancer” and “Line Runner,” used together by UAT4356 to conduct malicious activity on the device and the network behind it: configuration modification, reconnaissance, network traffic capture and exfiltration, and potentially lateral movement.

Line Dancer is a memory-resident shellcode interpreter that lets the adversary load and execute arbitrary shellcode payloads. In the campaign, Cisco Talos observed it being used to carry out various actions on an ASA device, including disabling syslog, running the show configuration command and exfiltrating its output, creating and exfiltrating packet captures, and executing commands carried in shellcode, among other tasks.

Line Runner, meanwhile, is a persistence mechanism deployed on the ASA device. It abuses a legacy capability that allowed VPN clients and plugins to be preloaded on the device at startup; that weakness is the one tracked as CVE-2024-20359, according to Cisco Talos. In at least one case, the threat actor also abused CVE-2024-20353 to facilitate this process.

“Attackers were able to exploit this vulnerability to reboot the targeted ASA device, triggering the unpacking and installation” of Line Runner, according to the researchers.

Protect your perimeter from cyber attackers

Edge devices, which sit at the boundary between an organization’s internal network and the Internet, “are the perfect intrusion point for espionage-focused campaigns,” providing threat actors a foothold from which to “directly navigate within an organization, redirect or modify traffic, and monitor network communications in the secure network,” according to Cisco Talos.

Zero-days in these devices represent a particularly attractive attack surface, notes Andrew Costis, chapter leader of the Adversary Research Team at MITRE ATT&CK-aligned security testing firm AttackIQ.

“We have repeatedly seen the exploitation of zero- and n-day critical vulnerabilities with every major device and security software,” he says, pointing to previous attacks on bugs in devices from Ivanti, Palo Alto Networks, and others.

According to Cisco Talos, the threat to these devices highlights the need for organizations to patch them “routinely and promptly,” keep them on updated hardware and software versions and configurations, and maintain close security monitoring of them.

Organizations should also focus on threat actors’ post-compromise TTPs and test known adversary behaviors as part of a “layered approach” to defensive network operations, Costis says.

ArcaneDoor cyber attack activity detection

Indicators of compromise (IoCs) that customers can look for if they suspect they have been targeted by ArcaneDoor include any network flows between their ASA devices and any of the IP addresses on the IoC list included in the Talos blog post.

Organizations can also run the “show memory region | include lina” command on the device to check for another IoC. “If the output indicates more than one region of executable memory… especially if one of those memory sections is exactly 0x1000 bytes, then this is a sign of potential tampering,” Cisco Talos wrote.

Additionally, Cisco has provided two sets of steps that network administrators can take to identify and remove the Line Runner persistence backdoor from an ASA device once the patch has been applied. The first is to review the contents of disk0: if a new file appears there (for example “client_bundle_install.zip” or any other unusual .zip file), Line Runner was present but is no longer active because of the update.

The second is a series of commands that creates a harmless file with a .zip extension that the ASA will read on reboot. If that file then appears on disk0, Line Runner was probably present on the device. Administrators can then delete the “client_bundle_install.zip” file to remove the backdoor.

If administrators find a newly created .zip file on their ASA devices, they should copy the file off the device and email it to Cisco PSIRT (psirt@cisco.com), referencing CVE-2024-20359 and including the outputs of the “dir disk0:” and “show version” commands from the device along with the extracted .zip file.
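The two device-side checks above, the executable-memory-region heuristic and the disk0 review, are easy to apply by hand on one box but tedious across a fleet. The script below is an added triage example, not code from Cisco Talos or from the article: it takes the pasted output of “show memory region | include lina” and “dir disk0:” and reports the indicators described above. It assumes the memory-region output is in the Linux /proc/maps layout (start-end, permissions, offset, device, inode, path) and that the directory listing uses the usual ASA “index permissions size time date name” layout; both sample outputs are constructed for the example and are not real device captures.

```python
"""Triage the two ArcaneDoor host checks from pasted ASA CLI output.

Added example (not Cisco Talos code). Assumptions, not from the page:
  * `show memory region` lines look like /proc/maps entries:
      "00400000-00c4a000 r-xp 00000000 08:03 12345 /asa/bin/lina"
  * `dir disk0:` lines look like:
      "14     -rwx  87355392    13:57:16 Oct 11 2023  asa9-18-4-smp-k8.bin"
Sample outputs below are constructed; a real device may differ.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

MAPS_RE = re.compile(
    r"^\s*([0-9a-f]+)-([0-9a-f]+)\s+([rwxps-]{4})\s+\S+\s+\S+\s+\S+\s*(.*)$",
    re.IGNORECASE,
)
DIR_RE = re.compile(
    r"^\s*\d+\s+\S+\s+(\d+)\s+\d\d:\d\d:\d\d\s+[A-Za-z]{3}\s+\d{1,2}\s+\d{4}\s+(\S+)\s*$"
)
LINE_RUNNER_ZIP = "client_bundle_install.zip"  # name reported by Talos


@dataclass(frozen=True)
class Region:
    start: int
    end: int
    perms: str
    path: str

    @property
    def size(self) -> int:
        return self.end - self.start

    @property
    def executable(self) -> bool:
        return "x" in self.perms


def parse_memory_regions(text: str) -> list[Region]:
    """Parse maps-style lines; non-matching lines (headers, prompts) are skipped."""
    out = []
    for line in text.splitlines():
        m = MAPS_RE.match(line)
        if m:
            out.append(Region(int(m.group(1), 16), int(m.group(2), 16),
                              m.group(3), m.group(4).strip()))
    return out


def check_memory_regions(text: str) -> list[str]:
    """Talos heuristic: >1 executable region is suspicious; one of exactly
    0x1000 bytes is a stronger sign of an injected page."""
    findings = []
    exec_regions = [r for r in parse_memory_regions(text) if r.executable]
    if len(exec_regions) > 1:
        findings.append(f"{len(exec_regions)} executable lina regions (expected 1)")
    for r in exec_regions:
        if r.size == 0x1000:
            findings.append(f"executable region {r.start:x}-{r.end:x} is exactly 0x1000 bytes")
    return findings


def parse_disk_listing(text: str) -> dict[str, int]:
    """Map file name -> size in bytes from a `dir disk0:` listing."""
    files = {}
    for line in text.splitlines():
        m = DIR_RE.match(line)
        if m:
            files[m.group(2)] = int(m.group(1))
    return files


def check_disk0(text: str) -> list[str]:
    """Flag the known Line Runner artifact and any other unexpected .zip."""
    findings = []
    for name, size in parse_disk_listing(text).items():
        if name.lower() == LINE_RUNNER_ZIP:
            findings.append(f"{name} ({size} bytes) on disk0: Line Runner artifact, preserve and report")
        elif name.lower().endswith(".zip"):
            findings.append(f"unexpected zip {name} ({size} bytes) on disk0: review")
    return findings


def triage(memory_text: str, dir_text: str) -> list[str]:
    return check_memory_regions(memory_text) + check_disk0(dir_text)


# Constructed sample outputs (not real captures).
CLEAN_MEM = """\
00400000-00c4a000 r-xp 00000000 08:03 12345 /asa/bin/lina
00e49000-00e4b000 rw-p 00849000 08:03 12345 /asa/bin/lina
"""
# Same listing plus one extra executable page of exactly 0x1000 bytes.
TAMPERED_MEM = CLEAN_MEM + "7f3a2c000000-7f3a2c001000 r-xp 00000000 00:00 0 /asa/bin/lina\n"

CLEAN_DIR = """\
Directory of disk0:/

14     -rwx  87355392    13:57:16 Oct 11 2023  asa9-18-4-smp-k8.bin
15     -rwx  31519604    13:58:34 Oct 11 2023  asdm-7181.bin
16     drwx  4096        09:01:00 Nov 02 2023  log
"""
TAMPERED_DIR = CLEAN_DIR + "17     -rwx  2201        23:14:02 Jan 03 2024  client_bundle_install.zip\n"

if __name__ == "__main__":
    for label, mem, disk in (("clean", CLEAN_MEM, CLEAN_DIR),
                             ("tampered", TAMPERED_MEM, TAMPERED_DIR)):
        print(f"[{label}]")
        for f in triage(mem, disk) or ["no indicators found"]:
            print("  -", f)
```

Run it against outputs collected from each ASA (the regexes ignore prompts and headers, so whole pasted sessions are fine). A hit on the memory check is evidence of in-memory tampering on a live device, so capture the outputs the Talos post asks for before rebooting; a hit on the disk0 check is the artifact to copy off and send to PSIRT rather than simply delete.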
