ArcaneDoor hackers exploit Cisco zero-days to breach govt networks
Cisco warned today that a state-backed hacking group has been exploiting two zero-day vulnerabilities in Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls since November 2023 to breach government networks worldwide.
The hackers, identified as UAT4356 by Cisco Talos and STORM-1849 by Microsoft, began infiltrating vulnerable edge devices in early November 2023 in a cyber-espionage campaign tracked as ArcaneDoor.
Even though Cisco has not yet identified the initial attack vector, it discovered and fixed two security flaws—CVE-2024-20353 (denial of service) and CVE-2024-20359 (persistent local code execution)—that the threat actors used as zero-days in these attacks.
Cisco became aware of the ArcaneDoor campaign in early January 2024 and found evidence that the attackers had tested and developed exploits to target the two zero-days since at least July 2023.
Exploited to backdoor Cisco firewalls
The two vulnerabilities allowed threat actors to deploy previously unknown malware and maintain persistence on compromised ASA and FTD devices.
One of the malware implants, Line Dancer, is an in-memory shellcode loader that helps deliver and execute arbitrary shellcode payloads to disable logging, provide remote access, and exfiltrate captured packets.
The second implant, a persistent backdoor named Line Runner, comes with multiple defense evasion mechanisms to avoid detection and allows the attackers to run arbitrary Lua code on the hacked systems.
"This actor utilized bespoke tooling that demonstrated a clear focus on espionage and an in-depth knowledge of the devices that they targeted, hallmarks of a sophisticated state-sponsored actor," Cisco said.
"UAT4356 deployed two backdoors as components of this campaign, 'Line Runner' and 'Line Dancer,' which were used collectively to conduct malicious actions on-target, which included configuration modification, reconnaissance, network traffic capture/exfiltration and potentially lateral movement."
A joint advisory published today by the UK's National Cyber Security Centre (NCSC), the Canadian Centre for Cyber Security (Cyber Centre), and the Australian Signals Directorate's Australian Cyber Security Centre says the malicious actors used their access to:
- generate text versions of the device’s configuration file so that it could be exfiltrated through web requests.
- control the enabling and disabling of the device's syslog service to obfuscate additional commands.
- modify the authentication, authorization and accounting (AAA) configuration so that specific actor-controlled devices matching a particular identification could be provided access within the impacted environment.
Cisco urges customers to upgrade
The company released security updates on Wednesday to fix the two zero-days and now "strongly recommends" that all customers upgrade their devices to fixed software to block any incoming attacks.
Cisco admins are also "strongly encouraged" to monitor system logs for any signs of unscheduled reboots, unauthorized configuration changes, or suspicious credential activity.
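The three actions listed in the joint advisory (pulling the configuration as text, toggling syslog, editing AAA) and the three things Cisco asks admins to watch for (unscheduled reboots, unauthorized configuration changes, suspicious credential activity) all leave traces in ASA syslog, and that triage can be done mechanically. The script below is an added example written for this page, not code from Cisco, Talos or any of the advisories. It runs over constructed ASA syslog lines (the hostname fw1, the usernames and the IP addresses are made up; message IDs 111008/111010 "command executed" and 199002 "Startup completed" are standard ASA IDs, 302013/302014 are ordinary connection noise) and flags sensitive configuration commands, commands issued from a non-allowlisted management address, reboots, and silences long enough to suggest logging was switched off.

```python
"""Triage ASA/FTD syslog for the signals Cisco asks admins to watch: unscheduled
reboots, unauthorized configuration changes (AAA, logging, local users, management
access) and silences that may mean the syslog service was switched off."""
import re
from datetime import datetime, timedelta

# Constructed sample from a hypothetical ASA named fw1; hosts, users and addresses are made up.
# 111008/111010 are the ASA "command executed" messages (without / with a source IP),
# 199002 is "Startup completed", 302013/302014 are routine connection build/teardown.
SAMPLE_LOG = """\
Apr 22 2024 09:00:01 fw1 %ASA-6-302013: Built outbound TCP connection 12345 for outside:198.51.100.20/443 (198.51.100.20/443) to inside:10.0.0.5/51000 (10.0.0.5/51000)
Apr 22 2024 09:00:05 fw1 %ASA-5-111008: User 'enable_15' executed the 'no logging enable' command.
Apr 22 2024 11:42:17 fw1 %ASA-5-111008: User 'enable_15' executed the 'logging enable' command.
Apr 22 2024 11:42:19 fw1 %ASA-5-111010: User 'enable_15', running 'CLI' from IP 203.0.113.10, executed 'aaa authorization exec LOCAL'
Apr 22 2024 11:42:30 fw1 %ASA-5-111010: User 'enable_15', running 'CLI' from IP 203.0.113.10, executed 'show running-config'
Apr 22 2024 11:43:02 fw1 %ASA-5-111010: User 'enable_15', running 'CLI' from IP 203.0.113.10, executed 'username svc_backup password ***** privilege 15'
Apr 22 2024 11:50:00 fw1 %ASA-6-199002: Startup completed. Beginning operation.
Apr 22 2024 11:51:00 fw1 %ASA-6-302014: Teardown TCP connection 12345 for outside:198.51.100.20/443 to inside:10.0.0.5/51000 duration 2:50:59 bytes 4096 TCP FINs
"""

# "<Mon DD YYYY HH:MM:SS> <host> %ASA-<sev>-<id>: <msg>" as a collector typically stores it.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<msg>.*)$"
)
CMD_RE = re.compile(r"executed (?:the )?'(?P<cmd>[^']*)'")   # works for 111008 and 111010
SRC_RE = re.compile(r"from IP (?P<ip>[0-9a-fA-F.:]+)")        # only present in 111010

# Commands that change who can log in, what gets logged, or how the box is managed.
SENSITIVE_CMD = re.compile(
    r"^(no )?(aaa|logging|username|ssh|http|enable password|crypto ca)\b", re.I
)
REBOOT_IDS = {"199002"}
CONFIG_IDS = {"111008", "111010"}


def parse_line(line):
    """Return a dict with ts (datetime), host, sev, id, msg, or None for non-ASA lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%b %d %Y %H:%M:%S")
    return rec


def find_alerts(log_text, max_gap=timedelta(minutes=30), allowed_sources=None):
    """Scan syslog text and return (timestamp, kind, detail) tuples in log order.

    allowed_sources: optional collection of legitimate management IPs. When given, any
    command from another address is flagged even if the command itself is harmless
    (e.g. 'show running-config', which is how a config is pulled as text for exfiltration).
    """
    alerts = []
    prev_ts = None
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ts = rec["ts"]
        # A production firewall logs constantly; a long silence is the only trace left
        # once 'no logging enable' has taken effect. Tune max_gap to the device's rate.
        if prev_ts is not None and ts - prev_ts > max_gap:
            alerts.append((prev_ts, "log_gap", f"no messages for {ts - prev_ts}, until {ts:%H:%M:%S}"))
        prev_ts = ts
        if rec["id"] in REBOOT_IDS:
            alerts.append((ts, "reboot", rec["msg"]))
        elif rec["id"] in CONFIG_IDS:
            cmd_m = CMD_RE.search(rec["msg"])
            src_m = SRC_RE.search(rec["msg"])
            cmd = cmd_m.group("cmd") if cmd_m else rec["msg"]
            src = src_m.group("ip") if src_m else "console/unknown"
            if SENSITIVE_CMD.match(cmd):
                alerts.append((ts, "config_change", f"{cmd!r} from {src}"))
            elif allowed_sources is not None and src_m and src not in allowed_sources:
                alerts.append((ts, "command_from_unknown_source", f"{cmd!r} from {src}"))
    return alerts


if __name__ == "__main__":
    for ts, kind, detail in find_alerts(SAMPLE_LOG, allowed_sources=("10.0.0.99",)):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {kind:<28} {detail}")
```

Two caveats follow from the sample. The 'no logging enable' command itself is only visible because it was emitted before logging stopped; everything between 09:00:05 and 11:42:17 is simply absent, so the gap check only works if logs leave the device for a central collector, which is the point of Cisco's advice above. And the reboot at 11:50 is only suspicious in context: correlate it against the change calendar before escalating.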
"Regardless of your network equipment provider, now is the time to ensure that the devices are properly patched, logging to a central, secure location, and configured to have strong, multi-factor authentication (MFA)," the company added.
Cisco also provides instructions for verifying the integrity of ASA or FTD devices in its security advisory.
Earlier this month, Cisco warned of large-scale brute-force attacks targeting VPN and SSH services on Cisco, CheckPoint, Fortinet, SonicWall, and Ubiquiti devices worldwide.
In March, it also shared guidance on mitigating password-spraying attacks targeting Remote Access VPN (RAVPN) services configured on Cisco Secure Firewall devices.
source: BleepingComputer