In an alarming revelation, Cisco Talos researchers have uncovered a sophisticated espionage campaign targeting Cisco Adaptive Security Appliances (ASA) used on government networks worldwide.
The threat actor, tracked as UAT4356 by Cisco Talos and STORM-1849 by Microsoft, exploited two previously unknown vulnerabilities to install custom backdoors on the compromised devices.
The campaign, dubbed ArcaneDoor, was first detected by a vigilant Cisco customer in early 2024. However, further investigation revealed that the malicious activity dates back to November 2023, with evidence suggesting the threat actor had been testing and developing the capability as early as July 2023.
UAT4356 deployed two custom malware implants as part of the campaign: "Line Dancer," a memory-resident shellcode interpreter, and "Line Runner," a persistent backdoor.
These malicious tools were collectively used to conduct nefarious actions on the targeted devices, including configuration modification, reconnaissance, network traffic capture/exfiltration, and potentially lateral movement.
To investigate the attacks, Cisco Talos researchers worked closely with several external intelligence partners, including Microsoft, Lumen Technologies, and governmental cybersecurity agencies from the US, Canada, Australia, and the UK.
The use of bespoke tooling, anti-forensic measures, and the exploitation of zero-day vulnerabilities led the researchers to assess with high confidence that UAT4356 is a state-sponsored actor.
The threat actor's initial access vector remains unknown, but they were able to exploit two critical vulnerabilities in Cisco ASA devices: CVE-2024-20353 and CVE-2024-20359. The former allowed the attacker to cause the targeted device to reboot, triggering the installation of the Line Runner backdoor, while the latter was abused to maintain persistence.
Cisco has released patches for both vulnerabilities and urges organizations using Cisco ASA to implement them immediately, as there are no workarounds available. Additionally, Cisco has provided indicators of compromise, Snort signatures, and methods for detecting the presence of the Line Runner backdoor on ASA devices.
The ArcaneDoor campaign is the latest example of state-sponsored actors targeting perimeter network devices from multiple vendors. In the past two years, there has been a significant increase in attacks targeting these devices, particularly in critical infrastructure sectors such as telecommunications providers and energy organizations.
Cisco Talos researchers emphasize the importance of regularly patching network devices, using up-to-date hardware and software versions, and closely monitoring them from a security perspective.
They also advise organizations to ensure that their devices are properly configured, log to a central, secure location, and use strong multi-factor authentication (MFA).
The discovery of the ArcaneDoor campaign serves as a stark reminder of the ongoing threat posed by state-sponsored actors and the critical need for organizations to prioritize the security of their perimeter network devices.
As the investigation continues, Cisco Talos and its partners remain committed to uncovering further details about this sophisticated espionage operation and providing the necessary guidance to help organizations protect themselves against similar attacks in the future.