A new malware campaign exploited two zero-day flaws in Cisco networking equipment to deliver customized malware and facilitate covert data collection in targeted environments.
Cisco Talos, which codenamed the activity ArcaneDoor, attributed it to a previously undocumented, sophisticated state-sponsored actor tracked under the name UAT4356 (aka Microsoft's Storm-1849).
“UAT4356 deployed two backdoors as components of this campaign, ‘Line Runner’ and ‘Line Dancer,’ which were collectively used to conduct malicious actions on the target, which included configuration modification, reconnaissance, network traffic capture/exfiltration, and potentially lateral movement,” Talos said.
The intrusions, first detected and confirmed in early January 2024, involve the exploitation of two vulnerabilities:
- CVE-2024-20353 (CVSS Score: 8.6) – Cisco Adaptive Security Appliance and Firepower Threat Defense Software Web Services Denial-of-Service Vulnerabilities
- CVE-2024-20359 (CVSS Score: 6.0) – Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Persistent Local Code Execution Vulnerabilities
It is worth noting that a zero-day exploit is a technique or attack used by an attacker to take advantage of a security vulnerability that is not yet known to the vendor, in order to gain access to a system.
While the second flaw allows a local attacker to execute arbitrary code with root-level privileges, administrator-level privileges are required to exploit it. Fixed alongside CVE-2024-20353 and CVE-2024-20359 is a command injection flaw in the same device (CVE-2024-20358, CVSS score: 6.0) that was discovered during internal security testing.
The US Cybersecurity and Infrastructure Security Agency (CISA) has added the flaws to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply vendor-provided fixes by May 1, 2024.
The exact initial access path used to breach the devices is currently unknown, although UAT4356 is said to have begun preparations as early as July 2023.
A successful foothold is followed by the deployment of two implants named Line Dancer and Line Runner, the first of which is an in-memory backdoor that allows attackers to load and execute arbitrary shellcode payloads, including disabling system logging (syslog) and exfiltrating packet captures.
Line Runner, on the other hand, is a persistent HTTP-based Lua implant installed on Cisco Adaptive Security Appliances (ASAs) that takes advantage of the aforementioned zero-days so that it can survive reboots and upgrades. It has been observed being used to retrieve information staged by Line Dancer.
“It is suspected that Line Runner may be present on a compromised device even if Line Dancer is not (for example, as a persistent backdoor or where an affected ASA has not yet received full operational attention from the attackers),” according to a joint advisory issued by the cybersecurity agencies of Australia, Canada and the United Kingdom.
At every stage of the attack, UAT4356 is said to have demonstrated meticulous attention to hiding its traces and the ability to employ complex methods to evade memory forensics and reduce the chances of detection, contributing to its sophisticated and elusive nature.
This also suggests that the threat actors have a thorough understanding of the inner workings of the ASA itself and of the “forensic actions commonly performed by Cisco for validating the integrity of network devices.”
It’s unclear exactly which country is behind ArcaneDoor; however, both Chinese and Russian hackers have targeted Cisco routers for cyber espionage purposes in the past. Cisco Talos also did not specify how many customers were compromised in these attacks.
The development once again highlights the growing targeting of edge devices and platforms such as email servers, firewalls and VPNs that traditionally lack Endpoint Detection and Response (EDR) solutions, as highlighted by the recent series of attacks against Barracuda Networks, Fortinet, Ivanti, Palo Alto Networks and VMware.
“Edge network devices are the perfect intrusion point for espionage-focused campaigns,” Talos said.
“As a critical path for data into and out of the network, these devices need to be routinely and promptly patched, using up-to-date hardware and software versions and configurations, and be closely monitored from a security perspective. These devices allow an actor to directly insert themselves into an organization, redirect or modify traffic, and monitor network communications.”