Cyber Ninjas Strike: Cisco Gear Hit by ArcaneDoor Malware via Zero-Day Flaws

Beware the ArcaneDoor: Cisco gear’s zero-day flaws are the cyber-thieves’ dance floor, where state-backed hackers waltz in undetected. It’s a high-tech heist, with Line Dancer and Line Runner backdoors orchestrating a silent symphony of data theft. Patch up, or risk the covert cyber tango on your network!

Hot Take:

It looks like Cisco’s been doing the tango with some sneaky cyberattackers, and it’s not the fun kind of dance. They’ve been waltzing right through zero-days with moves called Line Runner and Line Dancer, and it’s giving everyone in the cybersecurity ballroom a serious case of the jitters. Time to up your cybersecurity salsa, folks, because this dance floor is getting wild!

Key Points:

  • The malware campaign, dubbed “ArcaneDoor,” is the handiwork of a sophisticated state-sponsored actor known as UAT4356.
  • Two zero-day flaws in Cisco gear, CVE-2024-20353 and CVE-2024-20359, were exploited to deliver nasty malware payloads.
  • Attackers used two backdoors, “Line Runner” and “Line Dancer,” for a variety of malicious fun like data exfiltration and network traffic capture.
  • The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has stepped up, requiring federal agencies to patch up by May 1, 2024.
  • The threat actors have shown a James Bond-level of stealth, avoiding detection with their intimate knowledge of Cisco’s ASA.

CVE ID: CVE-2024-20358
CVE state: PUBLISHED
CVE assigner short name: cisco
CVE date updated: 04/24/2024
Cve description: A vulnerability in the Cisco Adaptive Security Appliance (ASA) restore functionality that is available in Cisco ASA Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system with root-level privileges. Administrator-level privileges are required to exploit this vulnerability. This vulnerability exists because the contents of a backup file are improperly sanitized at restore time. An attacker could exploit this vulnerability by restoring a crafted backup file to an affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying Linux operating system as root.

CVE ID: CVE-2024-20353
CVE state: PUBLISHED
CVE assigner short name: cisco
CVE date updated: 04/24/2024
Cve description: A vulnerability in the management and VPN web servers for Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause the device to reload unexpectedly, resulting in a denial of service (DoS) condition. This vulnerability is due to incomplete error checking when parsing an HTTP header. An attacker could exploit this vulnerability by sending a crafted HTTP request to a targeted web server on a device. A successful exploit could allow the attacker to cause a DoS condition when the device reloads.

CVE ID: CVE-2024-20359
CVE state: PUBLISHED
CVE assigner short name: cisco
CVE date updated: 04/24/2024
Cve description: A vulnerability in a legacy capability that allowed for the preloading of VPN clients and plug-ins and that has been available in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, local attacker to execute arbitrary code with root-level privileges. Administrator-level privileges are required to exploit this vulnerability. This vulnerability is due to improper validation of a file when it is read from system flash memory. An attacker could exploit this vulnerability by copying a crafted file to the disk0: file system of an affected device. A successful exploit could allow the attacker to execute arbitrary code on the affected device after the next reload of the device, which could alter system behavior. Because the injected code could persist across device reboots, Cisco has raised the Security Impact Rating (SIR) of this advisory from Medium to High.

Need to know more?

A Dance with ArcaneDoor

So, Cisco's been hit with a one-two punch by ArcaneDoor, and not the kind you cheer for in a boxing match. These cyber crooks, known as UAT4356, have been busy since at least July 2023, prepping their stage for a performance that no one asked for. They've been deploying their twin backdoor dancers, Line Runner and Line Dancer, onto Cisco's stage, turning it into a veritable House of Mirrors for data extraction and network peek-a-boo.

The Zero-Day Jive

Zero-day vulnerabilities are like uninvited guests at a party, and these two – CVE-2024-20353 and CVE-2024-20359 – crashed the Cisco bash with a bang. They strutted in with high CVSS scores, giving the attackers VIP access to do whatever they please, like rooting around with root-level privileges. And just for kicks, Cisco found another flaw, CVE-2024-20358, while doing some security housekeeping.

A Catalog of Woes

CISA has essentially become the party planner trying to prevent future uninvited guests by adding these flaws to their KEV catalog. They're like the strict bouncers giving federal agencies a deadline to patch things up by May 1, 2024, or face the music.
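If you want to turn the KEV deadline into something a fleet owner can act on, here is a small triage script, added here as an example and not part of the original post or of any CISA tooling. It assumes the public KEV JSON layout (a top-level "vulnerabilities" list whose entries carry cveID, vendorProject and dueDate); the embedded feed excerpt is constructed, with only the CVE ids and the May 1, 2024 due date taken from the post.

```python
"""Triage a CISA KEV feed excerpt against a local CVE watch-list (added example)."""
import json
from datetime import date

# Constructed KEV excerpt: the two Cisco CVE ids and the 2024-05-01 due date
# come from the post; every other field value is an illustrative placeholder.
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2024-20353", "vendorProject": "Cisco",
         "product": "ASA and FTD (placeholder product string)",
         "dateAdded": "2024-04-24", "dueDate": "2024-05-01"},
        {"cveID": "CVE-2024-20359", "vendorProject": "Cisco",
         "product": "ASA and FTD (placeholder product string)",
         "dateAdded": "2024-04-24", "dueDate": "2024-05-01"},
        {"cveID": "CVE-2000-0001", "vendorProject": "ExampleVendor",
         "product": "Placeholder", "dateAdded": "2024-01-01",
         "dueDate": "2024-01-22"},
    ]
})


def kev_status(kev_json: str, watch: set[str], today_iso: str) -> dict[str, str]:
    """Map each watched CVE to 'overdue', 'due in N days' or 'not in KEV'.

    A CVE missing from KEV is still reported so that it is not silently
    dropped from the patch queue (CVE-2024-20358 in the post is such a case:
    found during Cisco's own review, not listed as exploited).
    """
    today = date.fromisoformat(today_iso)
    entries = {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}
    out: dict[str, str] = {}
    for cve in sorted(watch):
        entry = entries.get(cve)
        if entry is None:
            out[cve] = "not in KEV"
            continue
        left = (date.fromisoformat(entry["dueDate"]) - today).days
        out[cve] = "overdue" if left < 0 else f"due in {left} days"
    return out


if __name__ == "__main__":
    # The three CVEs named in the post, checked the day after the advisory.
    fleet_cves = {"CVE-2024-20353", "CVE-2024-20359", "CVE-2024-20358"}
    for cve, status in kev_status(KEV_SAMPLE, fleet_cves, "2024-04-25").items():
        print(f"{cve}: {status}")
```

Against the live feed you would replace KEV_SAMPLE with the downloaded JSON text and the watch-list with the CVEs that apply to your own device inventory.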

The Sneaky Two-Step

These attackers aren't your run-of-the-mill party crashers; they've got moves. Line Dancer, their in-memory backdoor, is like a ninja, slipping in and disabling logs, while Line Runner is the persistent type, sticking around through reboots like that one guest who won't leave even after the music's stopped. These two seem to be in a dance-off to see who can be sneakier.

Hide and Seek Champions

UAT4356 might as well be crowned the hide and seek champion of the cyberworld. They've got a knack for staying hidden, using their knowledge of Cisco's ASA to avoid detection like a cyber Houdini. Their ability to dance around forensic detection is so good it's scary, and it points to a level of sophistication that's got everyone on edge.

The Mystery Behind the Mask

Who's behind these sly moves? It's anyone's guess. Past performances have starred Chinese and Russian state-backed hackers, but this time the lead role is still up for grabs. Cisco Talos isn't naming names, but let's just say there's a cast of usual suspects.

The Edge Device Tango

This whole fiasco shines a spotlight on the vulnerability of edge devices – they're like the wallflowers of the cybersecurity dance, often overlooked until someone swoops in for a surprise dance. And just like a trendsetting dance craze, targeting these devices has become quite popular, with Barracuda Networks, Fortinet, Ivanti, Palo Alto Networks, and VMware all finding themselves in this unwanted limelight.

Bottom line: it's time to step up our cybersecurity game because these attackers have got some serious moves, and they're not afraid to use them. Whether

Tags: Advanced Persistent Threat, Cisco ASA exploits, cybersecurity advisories, malicious implants, Network Security, state-sponsored hacking, zero-day vulnerabilities