ArcaneDoor hackers exploit Cisco zero-days to breach govt networks

​Cisco warned today that a state-backed hacking group has been exploiting two zero-day vulnerabilities in Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls since November 2023 to breach government networks worldwide.

The hackers, identified as UAT4356 by Cisco Talos and STORM-1849 by Microsoft, began infiltrating vulnerable edge devices in early November 2023 in a cyber-espionage campaign tracked as ArcaneDoor.

Even though Cisco has not yet identified the initial attack vector, it discovered two security flaws— CVE-2024-20353 (denial of service) and CVE-2024-20359 (persistent local code execution)—the threat actors used as zero-days in these attacks.

Cisco became aware of the ArcaneDoor campaign in early January 2024 and found evidence that the attackers had tested and developed exploits to target the two zero-days since at least July 2023.

Exploited to backdoor Cisco firewalls

The two vulnerabilities allowed threat actors to deploy previously unknown malware and maintain persistence on compromised ASA and FTD devices.

One of the malware implants, Line Dancer, is an in-memory shellcode loader that helps deliver and execute arbitrary shellcode payloads to disable logging, provide remote access, and exfiltrate captured packets.

The second implant, a persistent backdoor named Line Runner, comes with multiple defense evasion mechanisms to avoid detection and allows the attackers to run arbitrary Lua code on the hacked systems.

"This actor utilized bespoke tooling that demonstrated a clear focus on espionage and an in-depth knowledge of the devices that they targeted, hallmarks of a sophisticated state-sponsored actor," Cisco said.

"UAT4356 deployed two backdoors as components of this campaign, 'Line Runner' and 'Line Dancer,' which were used collectively to conduct malicious actions on-target, which included configuration modification, reconnaissance, network traffic capture/exfiltration and potentially lateral movement."

Cisco urges customers to upgrade

The company released security updates on Wednesday to fix the two zero-days and now "strongly recommends" all customers to upgrade their devices to fixed software to block any incoming attacks.

Cisco admins are also "strongly encouraged" to monitor system logs for any signs of unscheduled reboots, unauthorized configuration changes, or suspicious credential activity.

"Regardless of your network equipment provider, now is the time to ensure that the devices are properly patched, logging to a central, secure location, and configured to have strong, multi-factor authentication (MFA)," the company added.

Cisco also provides instructions on verifying the integrity of ASA or FTD devices in this advisory.

Earlier this month, Cisco warned of large-scale brute-force attacks targeting VPN and SSH services on Cisco, CheckPoint, Fortinet, SonicWall, and Ubiquiti devices worldwide.

In March, it also shared guidance on mitigating password-spraying attacks targeting Remote Access VPN (RAVPN) services configured on Cisco Secure Firewall devices.