ArcaneDoor Exploiting Cisco Zero-Days To Attack Government Networks

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Post Sharing

Hackers target Cisco zero-days as they can abuse the widely used networking equipment that contains vulnerabilities which means they can affect many systems and networks in one shot. 

Attackers use these vulnerabilities to gain unauthorized entry, execute any code, or perform any other malicious actions that enable them to put at great risk those establishments that use Cisco infrastructure.

Recently, cybersecurity researchers at Cisco Talos Intelligence discovered that ArcaneDoor has been exploiting the Cisco zero-days to attack government networks.

ArcaneDoor Exploiting Cisco Zero-Days

ArcaneDoor is a campaign supported by state-sponsored actors that aims at perimeter network devices of all suppliers for spying.

Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide

These devices are valuable because they enable access to network data. Once compromised by threat actors, they can be used to pivot into organizations where traffic can be monitored and reconnaissance conducted.

Cisco identified an incident involving an advanced actor (UAT4356/STORM-1849) through their enhanced visibility and was able to investigate it further. 

UAT4356 Infrastructure (Source – Cisco Talos)

The actor deployed Line Runner and Line Dancer trojans that were designed explicitly for targeted devices. These were then used maliciously, such as making configuration changes, exfiltrating data, or moving laterally within systems with deep knowledge about the device involved.

Cisco found that a state actor implanted custom malware and ran commands on customer networks in a complex attack chain, exploiting two vulnerabilities:-

However, it is not clear what method of initial access was used.

They indicated that capability development has occurred since July 2023, and the most intense activity occurred in December 2023 and January 2024, when government networks worldwide were targeted.

Events’ timeline (Source – Cisco Talos)

The attack utilized a multi-component malware, with the “Line Dancer” memory-resident shellcode interpreter enabling the execution of arbitrary payloads on compromised ASAs via the host-scan-reply field, bypassing authentication. 

Line Dancer’s process memory contained functionality to decode attacker-supplied payloads for execution.

This allowed persistent malicious access and data exfiltration without leveraging management interfaces directly.

The attack persisted through two malware components:- 

  • Line Dancer for initial shellcode execution via hijacked host-scan-reply processing
  • Line Runner as a persistent HTTP Lua backdoor leveraging a legacy VPN client and plugin pre-loading capability (CVE-2024-20359)

The threat actor abused CVE-2024-20353 to trigger ASA reboots, allowing a malicious zip containing Line Runner scripts to execute and maintain persistence across reboots and upgrades.

Besides this, the threat actor’s ZIP file contains the following files:-

  • csco_config.lua
  • csco_config2.lua
  • hash.txt 
  • index.txt
  • laecsnw.txt
  • stgvdr.txt
  • umtfc.txt

Recommendations

Here below we have mentioned all the recommendations:-

  • Organizations can check for indicators of this campaign by looking for connections between ASAs and attacker IPs and using ‘show memory region | include lina’ to detect executable memory regions indicating Line Dancer implant (>1 r-xp region, especially 0x1000 bytes). 
  • Released Snort signatures 63139, 62949, and 45575 detect implants and behaviors if TLS inspection is enabled. 
  • Upgrade to patched versions regardless of suspected compromise.

IoCs

Likely Actor-Controlled Infrastructure:-

  • 192.36.57[.]181 
  • 185.167.60[.]85 
  • 185.227.111[.]17 
  • 176.31.18[.]153 
  • 172.105.90[.]154 
  • 185.244.210[.]120 
  • 45.86.163[.]224 
  • 172.105.94[.]93 
  • 213.156.138[.]77 
  • 89.44.198[.]189 
  • 45.77.52[.]253 
  • 103.114.200[.]230 
  • 212.193.2[.]48 
  • 51.15.145[.]37 
  • 89.44.198[.]196 
  • 131.196.252[.]148 
  • 213.156.138[.]78 
  • 121.227.168[.]69 
  • 213.156.138[.]68 
  • 194.4.49[.]6 
  • 185.244.210[.]65 
  • 216.238.75[.]155  

Multi-Tenant Infrastructure:-

  • 5.183.95[.]95 
  • 45.63.119[.]131 
  • 45.76.118[.]87 
  • 45.77.54[.]14 
  • 45.86.163[.]244 
  • 45.128.134[.]189    
  • 89.44.198[.]16 
  • 96.44.159[.]46 
  • 103.20.222[.]218 
  • 103.27.132[.]69 
  • 103.51.140[.]101 
  • 103.119.3[.]230 
  • 103.125.218[.]198 
  • 104.156.232[.]22 
  • 107.148.19[.]88 
  • 107.172.16[.]208 
  • 107.173.140[.]111 
  • 121.37.174[.]139 
  • 139.162.135[.]12 
  • 149.28.166[.]244 
  • 152.70.83[.]47 
  • 154.22.235[.]13 
  • 154.22.235[.]17 
  • 154.39.142[.]47  
  • 172.233.245[.]241 
  • 185.123.101[.]250 
  • 192.210.137[.]35  
  • 194.32.78[.]183 
  • 205.234.232[.]196  
  • 207.148.74[.]250 
  • 216.155.157[.]136 
  • 216.238.66[.]251 
  • 216.238.71[.]49 
  • 216.238.72[.]201 
  • 216.238.74[.]95 
  • 216.238.81[.]149 
  • 216.238.85[.]220 
  • 216.238.86[.]24  

Update: Cisco has released updates for Zero Day vulnerabilities; more details can be found here.

Combat Email Threats with Easy-to-Launch Phishing Simulations: Email Security Awareness Training -> Try Free Demo