2024-04-25
ArcaneDoor Cyber Espionage Campaign Targeted Perimeter Network Devices
Cisco Talos has published a report detailing a cyber espionage campaign that targeted Cisco Adaptive Security Appliances (ASA) to gain access to government networks in several countries around the world. Cisco has released updates to address the two vulnerabilities exploited in the campaign: a denial-of-service issue (CVE-2024-20353) and a persistent local code execution flaw (CVE-2024-20359). While most of the activity occurred in December 2023 and January 2024, Cisco Talos found evidence that the campaign, dubbed ArcaneDoor, was being tested during the summer of 2023.
Editor's Note
The flaws patched by Cisco require authentication. Cisco states that it does not know how the attacker obtained initial access; verify that authentication is configured properly and verify the password security of any of these devices. There have been persistent brute force attacks against these devices in the past.
Johannes Ullrich
The attackers are using an in-memory implant called Line Dancer, which is used to disable syslog, exfiltrate the configuration, create packet captures, write to memory, and hook the crash dump and AAA processes to allow authentication and bypass/disable the crash dumps needed for forensic analysis. Persistence is maintained with a backdoor called "Line Runner," which leverages the legacy capability to pre-load updated VPN clients and plugins on ASA devices. The update from Cisco prevents this technique from working; however, it doesn't remove Line Runner, so you need to check for new or unusual zip files, copying them off and reporting them to Cisco as requested. Details on removing them are in the Talos blog.
Lee Neely
Brute force attacks against operator-less, public-network-facing devices have been increasing. It is important to know if your devices are seeing and resisting such attack traffic.
William Hugh Murray
Read more in
Talos Intelligence: ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices
Wired: ArcaneDoor Cyberspies Hacked Cisco Firewalls to Access Government Networks
The Register: Governments issue alerts after 'sophisticated' state-backed actor found exploiting flaws in Cisco security boxes
Ars Technica: Nation-state hackers exploit Cisco firewall 0-days to backdoor government networks
SC Magazine: Cisco firewalls targeted in sophisticated nation-state espionage hack
Dark Reading: Cisco Zero-Days Anchor 'ArcaneDoor' Cyber Espionage Campaign
Gov Infosecurity: Cisco Fixes Firewall 0-Days After Likely Nation-State Hack