A new malware campaign leveraged two zero-day flaws in Cisco networking gear to deliver custom malware and facilitate covert data collection on target environments.

Cisco Talos, which dubbed the activity ArcaneDoor, attributed it as the handiwork of a previously undocumented sophisticated state-sponsored actor it tracks under the name UAT4356 (aka Storm-1849 by Microsoft).

“UAT4356 deployed two backdoors as components of this campaign, ‘Line Runner’ and ‘Line Dancer,’ which were used collectively to conduct malicious actions on-target, which included configuration modification, reconnaissance, network traffic capture/exfiltration and potentially lateral movement,” Talos said.

The intrusions, which were first detected and confirmed in early January 2024, entail the exploitation of two vulnerabilities

  • CVE-2024-20353 (CVSS score: 8.6) – Cisco Adaptive Security Appliance and Firepower Threat Defense Software Web Services Denial-of-Service Vulnerability
  • CVE-2024-20359 (CVSS score: 6.0) – Cisco Adaptive Security Appliance and Firepower Threat Defense Software Persistent Local Code Execution Vulnerability

It’s worth noting that a zero-day exploit is the technique or attack a malicious actor deploys to leverage an unknown security vulnerability to gain access into a system.

While the second flaw allows a local attacker to execute arbitrary code with root-level privileges, administrator-level privileges are required to exploit it. Addressed alongside CVE-2024-20353 and CVE-2024-20359 is a command injection flaw in the same appliance (CVE-2024-20358, CVSS score: 6.0) that was uncovered during internal security testing.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the shortcomings to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the vendor-provided fixes by May 1, 2024.

The exact initial access pathway used to breach the devices is presently unknown, although UAT4356 is said to have started preparations for it as early as July 2023.

A successful foothold is followed by the deployment of two implants named Line Dancer and Line Runner, the former of which is an in-memory backdoor that enables attackers to upload and execute arbitrary shellcode payloads, including disabling system logs and exfiltrating packet captures.

Line Runner, on the other hand, is a persistent HTTP-based Lua implant installed on the Cisco Adaptive Security Appliance (ASA) by leveraging the aforementioned zero-days such that it can survive across reboots and upgrades. It has been observed being used to fetch information staged by Line Dancer.

“It is suspected that Line Runner may be present on a compromised device even if Line Dancer is not (e.g., as a persistent backdoor, or where an impacted ASA has not yet received full operational attention from the malicious actors),” according to a joint advisory published by cybersecurity agencies from Australia, Canada, and the U.K.

At every phase of the attack, UAT4356 is said to have demonstrated meticulous attention to hiding digital footprints and the ability to employ intricate methods to evade memory forensics and lower the chances of detection, contributing to its sophistication and elusive nature.

This also suggests that the threat actors have a complete understanding of the inner workings of the ASA itself and of the “forensic actions commonly performed by Cisco for network device integrity validation.”

Exactly which country is behind ArcaneDoor is unclear, however both Chinese and Russian state-backed hackers have targeted Cisco routers for cyber espionage purposes in the past. Cisco Talos also did not specify how many customers were compromised in these attacks.

The development once again highlights the increased targeting of edge devices and platforms such as email servers, firewalls, and VPNs that traditionally lack endpoint detection and response (EDR) solutions, as evidenced by the recent string of attacks targeting Barracuda Networks, Fortinet, Ivanti, Palo Alto Networks, and VMware.

“Perimeter network devices are the perfect intrusion point for espionage-focused campaigns,” Talos said.

“As a critical path for data into and out of the network, these devices need to be routinely and promptly patched; using up-to-date hardware and software versions and configurations; and be closely monitored from a security perspective. Gaining a foothold on these devices allows an actor to directly pivot into an organization, reroute or modify traffic and monitor network communications.”