A Cisco Talos investigation has uncovered a state-affiliated cyber espionage campaign exploiting two Cisco zero days to plant malware on critical government networks.
The campaign, known as ArcaneDoor, targets perimeter network devices, using them to gain a foothold on the target network, at which point they can start distributing malware, stealing information, and spreading throughout the organization.
Cisco said perimeter network devices are the perfect intrusion point for espionage-focused threat actors, due to their position as a throughpoint for vast amounts of data coming in and out of the network.
Researchers first became aware of the campaign in January 2024, finding evidence that the group, being tracked as UAT4356 or STORM-1849, had been testing and developing exploits to target the two zero days since at least July 2023.
While Cisco was unable to identify the initial attack vector used by the group, it said it has issued two fixes for two vulnerabilities exploited in the attacks.
What Cisco products were used in the attacks?
The two zero days exploited pertain to two Cisco firewall products, its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) solutions.
The first vulnerability, CVE-2024-20353, is a denial of service flaw that affects devices running one or both of Cisco’s ASA or FTD products, caused by incomplete error checking when parsing HTTP headers.
Cisco warned attackers can use crafted HTTP requests to a web server on a device, and if successful the attacker could cause a denial of service error when it reloads.
CVE-2024-20359, is a persistent local code execution vulnerability which if correctly leveraged could allow a local attacker to execute arbitrary code with root-level privileges.
Although the attacker would need administrator-level privileges to exploit the flaw, Cisco explained that because the injected code could persist across device reboots, it raised the Security Impact Rating (SIR) of its advisory from medium to high.
Focus on surveillance and post-compromise persistence indicates state sponsorship
The report stated that UAT4356’s methods bore all the hallmarks of a sophisticated state-sponsored campaign, noting the attack’s use of ‘bespoke tooling’ with a focus on espionage and maintaining persistence on the target network.
Cisco said after being alerted to suspicious activity on an ASA device, a subsequent investigation identified additional victims, all of which involved government networks around the world.
The report warned organizations in the telecommunications and energy sectors in particular, claiming it had observed a “dramatic and sustained” increase in attacks targeting devices in these areas.
According to Cisco Talos’ analysis, once inside the target network UAT4356 plants a series of unknown malware strains, looking to distribute backdoors across the environment.
The group used a memory-only malware variant known as Line Dancer which allowed the attackers to upload and execute arbitrary shellcode payloads.
Cisco observed Line Dancer malware role in progressing the infection chain, helping the attackers disable the system logging protocol, run and exfiltrate the command show configuration, execute CLI commands present in shellcode, and more.
Line Runner is the second malware implant used in the attack and is the core persistence mechanism of the ArcaneDoor campaign.
The attackers leveraged the CVE-2024-20353 vulnerability to cause the target ASA device to reboot, which triggered the installation of the Line Runner backdoor.
Line Runner helps the attacker maintain a persistent HTTP-based Lua backdoor to the ASA system, which persists across reboots and shutdowns.
The UK’s National Cyber Security Centre (NCSC) has issued an advisory for the incidents, including two malware analysis reports for both Line Dancer and Line Runner.
Understanding the attack’s post-compromise procedures is vital, according to Andrew Costis, chapter lead of the Adversary Research Team at AttackIQ.
Costis noted that Cisco was unable to confirm the initial attack vector used in the campaign. As such, he advised businesses to use known adversary behaviors provided in reports like Cisco’s to test their own security posture.
“While the initial access vector will be unique from one zero-day to the next, the post-compromise TTPs are equally important to focus on. Testing known adversary behaviors TTPs by testing and validating your security controls through Breach and Attack Simulation is not only recommended by CISA, but should be part of the layered approach to defensive operations.”
