Security researchers at Cisco Talos have uncovered a sophisticated cyber espionage campaign dubbed “ArcaneDoor” conducted by a state-sponsored threat actor tracked as UAT4356 (STORM-1849).
This campaign targeted government networks globally by exploiting multiple zero-day vulnerabilities in Cisco’s Adaptive Security Appliance (ASA) firewalls.
The attack chain leveraged two custom malware implants – “Line Dancer” and “Line Runner” – to gain persistent access and remote control over compromised ASA devices.
Line Dancer was an in-memory shellcode interpreter that enabled executing arbitrary payloads, while Line Runner provided a persistent backdoor by abusing a legacy VPN client pre-loading functionality.
“Cisco uncovered a sophisticated attack chain that was used to implant custom malware and execute commands across a small set of customers. While Cisco researchers have been unable to identify the initial attack vector, we have identified two vulnerabilities (CVE-2024-20353 and CVE-2024-20359) that were abused in this campaign.”
Is Your Network Under Attack? - Read CISOβs Guide to Avoiding the Next Breach -Β Download Free Guide
Initial Compromise and Line Dancer Implant
The initial attack vector used to compromise ASA firewalls remains unknown. However, once access was obtained, the hackers deployed the Line Dancer implant – a memory-resident shellcode interpreter.
This allowed them to upload and execute malicious payloads via the host-scan-reply field of the SSL VPN session establishment process.
Line Dancer provided the capability to disable logging, capture device configurations, sniff network traffic, execute CLI commands, and even bypass authentication mechanisms.
It hooked critical functions like crash dumps to hinder forensic analysis and rebooted devices to remove itself from memory.
Persistent Line Runner Backdoor
To maintain access, the hackers exploited two zero-day vulnerabilities (CVE-2024-20353 and CVE-2024-20359) to install the Line Runner persistent backdoor.
This leveraged a legacy feature that allowed pre-loading VPN client bundles on ASAs.
Line Runner consisted of Lua scripts that created a hidden directory, planted a web content file acting as a backdoor, and modified system scripts to copy a malicious ZIP file for execution on every boot.
This gave the attackers a persistent HTTP-based backdoor that survived software upgrades and reboots.
Are you from SOC and DFIR teams? – Join With 400,000 independent Researchers
Malware analysis can be fast and simple. Just let us show you the way to:
- Interact with malware safely
- Set up virtual machine in Linux and all Windows OS versions
- Work in a team
- Get detailed reports with maximum data If you want to test all these features now with completely free access to the sandbox: ..
Anti-Forensics and Attribution
The ArcaneDoor campaign demonstrated advanced anti-forensics capabilities, modifying core dump functions, disabling logging, and hooking authentication processes to hide their activities.
These operational security measures, combined with developing bespoke malware implants and chaining of zero-days, strongly suggest a state-sponsored threat actor.
While Cisco has released patches for the exploited vulnerabilities, organizations should urgently update their ASA firewalls and follow the recommended incident response procedures to detect and remediate potential compromises from this campaign.
Perimeter network devices like firewalls are lucrative targets for espionage actors because they provide a direct intrusion point into sensitive networks.
The ArcaneDoor campaign underscores the importance of prompt patching, secure configurations, and proactive monitoring of such critical infrastructure components.
Combat Email Threats with Free Phishing Simulations: Email Security AwarenessΒ Training ->
Try Free DemoΒ
Indicators of Compromise
Likely Actor-Controlled Infrastructure:Β
192.36.57[.]181
185.167.60[.]85
185.227.111[.]17
176.31.18[.]153
172.105.90[.]154
185.244.210[.]120
45.86.163[.]224
172.105.94[.]93
213.156.138[.]77
89.44.198[.]189
45.77.52[.]253
103.114.200[.]230
212.193.2[.]48
51.15.145[.]37
89.44.198[.]196
131.196.252[.]148
213.156.138[.]78
121.227.168[.]69
213.156.138[.]68
194.4.49[.]6
185.244.210[.]65
216.238.75[.]155
Multi-Tenant Infrastructure:
5.183.95[.]95Β
45.63.119[.]131Β
45.76.118[.]87Β
45.77.54[.]14Β
45.86.163[.]244Β
45.128.134[.]189Β Β Β Β
89.44.198[.]16Β
96.44.159[.]46Β
103.20.222[.]218Β
103.27.132[.]69Β
103.51.140[.]101Β
103.119.3[.]230Β
103.125.218[.]198Β
104.156.232[.]22Β
107.148.19[.]88Β
107.172.16[.]208Β
107.173.140[.]111Β
121.37.174[.]139Β
139.162.135[.]12Β
149.28.166[.]244Β
152.70.83[.]47Β
154.22.235[.]13Β
154.22.235[.]17Β
154.39.142[.]47Β Β
172.233.245[.]241Β
185.123.101[.]250Β
192.210.137[.]35Β Β
194.32.78[.]183Β
205.234.232[.]196Β Β
207.148.74[.]250Β
216.155.157[.]136Β
216.238.66[.]251Β
216.238.71[.]49Β
216.238.72[.]201Β
216.238.74[.]95Β
216.238.81[.]149Β
216.238.85[.]220Β
216.238.86[.]24Β Β
The post Hackers Exploit Cisco Firewall Zero-Days to Hack Government Networks appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.