Advisory: ArcaneDoor campaign targeting Cisco ASA and FTD devices
A previously unknown, advanced threat actor has compromised multiple organisations since the beginning of 2024. The initial access vector remains unknown.

On April 24, 2024, Cisco published an advisory stating that three vulnerabilities in Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) have been observed in use by at least one advanced threat actor against multiple victims. Cisco's investigation places the first activity against victim ASAs in January 2024, with observations of threat-actor infrastructure in November 2023 and potentially as early as July 2023. Patches for the three vulnerabilities - CVE-2024-20353 (CVSS 8.6), CVE-2024-20359 (CVSS 6.0) and CVE-2024-20358 (CVSS 6.0) - are included in the advisory.
Cisco has named the attack campaign ArcaneDoor, and has attributed it to an unknown threat actor tracked as UAT4356 by Cisco and STORM-1849 by Microsoft. The actor demonstrated a clear focus on espionage and an in-depth knowledge of the targeted devices. UAT4356 deployed two backdoors, “Line Runner” and “Line Dancer,” to conduct malicious actions, including configuration modification, reconnaissance, network traffic capture/exfiltration, and potentially lateral movement.
Investigations are ongoing and the situation is developing. Given the widespread adoption of the vulnerable products, confirmed active compromise in the wild dating back at least four months, and the criticality of the perimeter solutions being targeted, we issue this advisory to raise awareness of the campaign and the impact it may have. We will update this advisory as new information becomes available and is verified by trusted sources.
Initial reports
ArcaneDoor is further outlined in a blogpost from Talos, Cisco's threat intelligence group. The Canadian Centre for Cyber Security (Cyber Centre), the Australian Signals Directorate's Australian Cyber Security Centre and the UK's National Cyber Security Centre (NCSC) have been collaborating on an investigation and have issued a joint advisory through the Cyber Centre, together with two malware analysis reports covering the malware used in the campaign, Line Dancer and Line Runner. Other national security agencies have issued subsequent advisories, including the Norwegian National Cyber Security Centre (NCSC), which is requesting concrete feedback on findings related to impacted Cisco devices or on observed traffic between threat-actor-controlled infrastructure and Cisco devices.
The blogpost from Talos outlines how two of the vulnerabilities were exploited to escalate privileges and to establish persistence. The malicious code deployed consists of two components, referred to as Line Runner and Line Dancer.
Line Runner is a persistent webshell that enables threat actors to upload and execute arbitrary Lua scripts. It intercepts HTTP requests to the ASA and looks for a request carrying a set of victim-dependent 32-character parameters; if they match, the payload contained in one of these parameters is written to a Lua script and executed.
Line Dancer is an in-memory implant that enables threat actors to upload and execute arbitrary shellcode or commands received via the host-scan-reply field, which is normally used in the later stages of SSL VPN session establishment.
Exploitation of the vulnerabilities requires that SSL VPN or IPsec IKEv2 VPN with “client services” is enabled, or that the HTTPS administration interface is exposed.
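The request pattern described for Line Runner can be turned into a coarse hunting heuristic over HTTP request records. The following Python is an added example, not Cisco's SNORT signature or code from the Talos write-up: it flags requests whose query string carries at least two 32-character parameter names. The exact names are victim-dependent and not public, so this surfaces candidates for analyst review rather than confirming compromise. The record format, the /vpn/login path and all sample records are constructed; real input would be request records with full query strings, for example exported from a capture in front of the appliance.

```python
"""Coarse hunting heuristic for the Line Runner request pattern described above.

Added example, not Cisco's signature or mnemonic tooling.  The real parameter
names are victim-dependent and not public, so this only surfaces candidate
requests for analyst review: requests whose query string carries a set of
32-character parameter names.  It assumes request records that include the
full query string; the records below (and the /vpn/login path) are constructed.
"""
from urllib.parse import parse_qsl, urlsplit

PARAM_LEN = 32   # parameter length described in the Talos write-up
MIN_HITS = 2     # "a set of" parameters: require at least two to reduce noise

# Constructed sample records: "<client> <method> <request-target>".
SAMPLE_LOG = "\n".join([
    "203.0.113.10 GET /vpn/login",
    "203.0.113.11 POST /vpn/login?user=alice&lang=en",
    # two 32-character parameter names: matches the described pattern
    "198.51.100.7 POST /vpn/login?0123456789abcdef0123456789abcdef=ZnVuY3Rpb24&"
    "fedcba9876543210fedcba9876543210=1",
    # one 32-character name only: below the default threshold
    "198.51.100.9 GET /index.html?" + "a" * PARAM_LEN + "=1",
    # 32-character value with a short name: not counted
    "198.51.100.12 GET /index.html?id=" + "b" * PARAM_LEN,
])


def long_param_names(request_target):
    """Return the query parameter names that are exactly PARAM_LEN characters."""
    query = urlsplit(request_target).query
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)
            if len(name) == PARAM_LEN]


def hunt(log_text, min_hits=MIN_HITS):
    """Return one dict per request that carries at least min_hits long names."""
    flagged = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue  # malformed record, skip it
        client, method, target = parts
        names = long_param_names(target)
        if len(names) >= min_hits:
            flagged.append({
                "client": client,
                "method": method,
                "path": urlsplit(target).path,
                "params": names,
            })
    return flagged


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(f"{hit['client']} {hit['method']} {hit['path']} -> {hit['params']}")
```

Lowering min_hits to 1 widens the net at the cost of more benign hits; any flagged request should be reviewed together with the device's own logs and Cisco's published indicators.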
As of 25.04.2024, the initial access vector in the campaign remains unknown.
Threat Intelligence assessment
Cisco describes in its blog that the ArcaneDoor campaign targets network devices from multiple vendors. The initial vector in the campaign is unknown, which means there may be one or more zero-day vulnerabilities that, under certain conditions, allow an external attacker to bypass authentication, gain a foothold on the device and obtain administrator rights.
Cisco has released SNORT signatures to detect implants or associated behaviours:
- CVE-2024-20353 (ASA DoS/reboot) - 3:63139
- “Line Runner” persistence mechanism interaction - 3:62949
- “Line Dancer” in-memory-only shellcode interpreter interaction - 3:45575
These signatures are closed-source, and little information about the vulnerabilities is available for implementing other effective detections.
NCSC-UK has also released a YARA rule to detect the persistent Line Runner backdoor. No YARA rule is currently available for the in-memory backdoor Line Dancer.
According to Cisco the targeting is limited to a few of its customers, which indicates that this is a highly targeted campaign. We recommend that customers operating within or supplying critical national functions be wary, look for the indicators released by Cisco, and follow the situation closely in order to implement detections and identify hunting opportunities.
Affected systems
The following products are affected:
- Cisco Adaptive Security Appliance (ASA)
- Cisco Firepower Threat Defense (FTD)
The Canadian Centre for Cyber Security reports that the affected products are predominantly Cisco ASA devices in the ASA 55xx series running ASA software versions 9.12 and 9.14.
Recommendations
mnemonic recommends that you do the following:
- Install security updates as soon as possible. As of this publication the most recent versions available are:
  - 9.16.4.57
  - 9.18.4.22
  - 9.20.2.10
- Follow Cisco's advice on how to verify whether you have been compromised (see the Recommendations section of the Talos blogpost)
- Ensure that devices are logging to a centralised log repository
- Logging on devices should be as verbose as possible until the initial vector has been identified
- Restrict device access to only those countries from which you need to establish connections
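To make the update recommendation checkable across a fleet, the following Python is an added example (not Cisco or mnemonic tooling) that parses the version line of an ASA 'show version' output and compares it against the three releases listed above, treating them as the minimum to be running on the 9.16, 9.18 and 9.20 trains. Devices on any other train, including the 9.12 and 9.14 releases noted under Affected systems, are reported as unknown rather than guessed and must be checked against Cisco's advisory directly. The sample version lines are constructed.

```python
"""Check a Cisco ASA software version against the release list in this advisory.

Added example, not Cisco or mnemonic tooling.  FIXED_BY_TRAIN holds the three
releases the Recommendations list as the most recent available for the 9.16,
9.18 and 9.20 trains, taken here as the minimum to be running.  A device on
any other train (including 9.12 and 9.14, the versions most often seen in the
campaign) is reported as 'unknown' and must be checked against Cisco's
advisory directly.  The 'show version' lines used below are constructed.
"""
import re

FIXED_BY_TRAIN = {
    (9, 16): (9, 16, 4, 57),
    (9, 18): (9, 18, 4, 22),
    (9, 20): (9, 20, 2, 10),
}

# ASA prints versions as 9.16(4)57 in 'show version'; advisories write 9.16.4.57.
# Apply these to the version line only: the dotted form would also match an IP.
PAREN_RE = re.compile(r"\b(\d+)\.(\d+)\((\d+)\)(\d*)")
DOTTED_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return (major, minor, maintenance, interim) or None if no version is found."""
    m = PAREN_RE.search(text) or DOTTED_RE.search(text)
    if not m:
        return None
    major, minor, maint, interim = m.groups()
    # A release with no interim number, e.g. 9.20(2), is treated as interim 0.
    return (int(major), int(minor), int(maint), int(interim or 0))


def assess(version):
    """Return 'fixed', 'vulnerable' or 'unknown' for a parsed version tuple."""
    if version is None:
        return "unknown"
    fixed = FIXED_BY_TRAIN.get(version[:2])
    if fixed is None:
        return "unknown"   # train not covered by the advisory's list
    return "fixed" if version >= fixed else "vulnerable"


def check(show_version_line):
    """Parse the 'show version' version line and return (version_tuple, verdict)."""
    version = parse_version(show_version_line)
    return version, assess(version)


# Constructed examples of the version line from 'show version'.
SAMPLES = [
    "Cisco Adaptive Security Appliance Software Version 9.16(4)57",
    "Cisco Adaptive Security Appliance Software Version 9.18(4)10",
    "Cisco Adaptive Security Appliance Software Version 9.12(4)37",
    "Cisco Adaptive Security Appliance Software Version 9.20(2)",
]

if __name__ == "__main__":
    for line in SAMPLES:
        version, verdict = check(line)
        print(f"{version} -> {verdict}")
```

An 'unknown' verdict is a prompt to consult Cisco's advisory for that train, not a clean result; a 'fixed' verdict only covers the three published CVEs and does not rule out an existing compromise, which is why the verification steps from Talos still apply.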