Threat Intelligence Summary:
Suspected nation-state actors have launched attacks on Cisco firewalls in a campaign dubbed “ArcaneDoor”. Cisco has identified three zero-day vulnerabilities in its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software and has released critical patches to address them. Multiple international cybersecurity agencies have highlighted the campaign’s sophisticated nature and the significant risks posed by these zero-days. The two flaws exploited in the campaign are a denial-of-service (DoS) condition and a privilege escalation issue. If you operate these Cisco products, you need to take immediate action to verify your system integrity. If your systems are clean, you should immediately apply Cisco’s patches.
Impacted CISCO Systems:
The “ArcaneDoor” campaign specifically targets Cisco’s Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. These devices provide network perimeter security, making them high-value targets for nation-state threat actors. The vulnerabilities exploited in this zero-day campaign are tracked as CVE-2024-20353, which allows a remote denial of service through an infinite loop, and CVE-2024-20359, a privilege escalation from Administrator to root.
What Happens if You’re Exploited
Hackers are deploying two types of malware using these exploits: one is called Line Dancer and the other is called Line Runner.
Line Dancer is an in-memory shellcode loader that helps deliver and execute arbitrary shellcode payloads to disable logging, provide remote access, and exfiltrate captured packets.
Line Runner installs a persistent backdoor with multiple defense-evasion mechanisms to avoid detection. It allows attackers to run arbitrary Lua code on the compromised device.
What Should You Do?
In this case, because active exploitation has already implanted malware on devices, you need to verify the integrity of your systems before patching. Cisco’s web advisory gives specific instructions for checking your device integrity and, if you find an issue, asks you to open a TAC case with Cisco.
If your systems are clean at the moment, then you must patch immediately.
Concluding Thoughts from CyberHoot
“ArcaneDoor” highlights a growing threat from state-sponsored actors targeting critical network infrastructure. The use of zero-day attacks indicates a highly sophisticated and well-resourced adversary, most likely a nation-state.
Ensure Device and Network Monitoring is Sufficient
In situations like this, evaluate both your network and device monitoring solutions so that you become aware of the momentary outages that are linked to these types of attacks.
Verify Threat Intelligence Feeds Are Working
The second task this incident should prompt you to verify is that your threat intelligence feeds are functioning correctly. You do not have time to waste when vendors identify critical issues like this. Ensure you hear from your vendors quickly when they identify one, and subscribe to their alert services as well as alerts from CISA or your home country’s cybersecurity resources.