Cisco firewalls targeted in sophisticated nation-state espionage hack

A previously unidentified hacking group — believed to be a nation-state threat actor — has attacked Cisco firewall appliances in what cybersecurity agencies believe is an espionage campaign targeting government networks and critical infrastructure.

Cisco has dubbed the campaign "ArcaneDoor" and warned that it is targeting devices running its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software.

The vendor has issued patches, which it is urging customers to apply, for three zero-day vulnerabilities being leveraged in the attacks.

A joint advisory from the UK’s National Cyber Security Centre, the Canadian Centre for Cyber Security (Cyber Centre), and the Australian Signals Directorate's Australian Cyber Security Centre, also encouraged urgent patching.

In their advisory, the three agencies said they had been monitoring the campaign since early this year and believed its sophisticated nature — involving “multiple layers of novel techniques and the concurrent operations against multiple targets around the world” — was cause for concern.

“The capabilities are indicative of espionage conducted by a well-resourced and sophisticated state-sponsored actor,” they said.

“Since VPN services are essential components of computer network security, vulnerabilities in such services are particularly consequential.”

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two of the bugs to its Known Exploited Vulnerabilities Catalog and ordered federal civilian executive branch agencies to apply the patches to all affected software by May 1.

The bugs are CVE-2024-20353, an infinite loop vulnerability that can lead to remote denial of service, and CVE-2024-20359, a privilege escalation vulnerability that can allow local privilege escalation from Administrator to root.

The threat actor responsible for the attacks is being tracked as UAT4356 by Cisco, and as STORM-1849 by Microsoft, but neither Cisco, nor any of the agencies voicing concern about the threat, have commented on which nation-state it is believed to be linked to.

Perimeter network devices "perfect intrusion point"

In a separate threat advisory, Cisco Talos, the vendor’s cyber threat intelligence organization, described the ArcaneDoor campaign as the latest example of state-sponsored actors targeting perimeter network devices and said the threat extended to multiple vendors.

“Coveted by these actors, perimeter network devices are the perfect intrusion point for espionage-focused campaigns. As a critical path for data into and out of the network, these devices need to be routinely and promptly patched; using up-to-date hardware and software versions and configurations; and be closely monitored from a security perspective,” the Talos advisory said.

“Gaining a foothold on these devices allows an actor to directly pivot into an organization, reroute or modify traffic and monitor network communications.”

Recently nation-state cyberespionage activities that fall into the same category as the ArcaneDoor campaign include the actions of the China-linked advanced persistent threat (APT) group Volt Typhoon and Russian-aligned APT Sandworm.

In their advisories, Cisco Talos and the international cybersecurity agencies said UAT4356/STORM-1849 deployed two backdoors as part of the ArcaneDoor campaign: “Line Runner” and “Line Dancer.”

Together, the two backdoors were used to conduct malicious actions against targeted systems, including configuration modification, reconnaissance, network traffic capture/exfiltration and, potentially, lateral movement. Line Runner is a persistent Lua-based webshell targeting the ASA WebVPN device customization functionality, while Line Dancer is an in-memory implant that enables the uploading and execution of arbitrary shellcode payloads.