Cisco Discloses ‘ArcaneDoor’ Cyber Espionage Campaign Exploiting Two Zero-Days

April 26, 2024

Summary of Article

TLDR:

  • A state-sponsored threat actor exploited two Cisco zero-day vulnerabilities in firewall devices to install backdoors on government networks globally
  • ArcaneDoor campaign used custom-built backdoors, Line Dancer and Line Runner, to conduct malicious activities on targeted networks

A state-sponsored threat actor has leveraged two Cisco zero-day vulnerabilities in firewall devices to target government networks globally with custom-built backdoors in a cyber espionage campaign known as ArcaneDoor. The threat actor, tracked as UAT4356 by Cisco Talos researchers, exploited a denial-of-service flaw (CVE-2024-20353) and a persistent local execution flaw (CVE-2024-20359) to implant malware and execute commands on a small set of Cisco customers. The primary payloads of the campaign, Line Dancer and Line Runner, enabled the threat actor to conduct malicious activities such as configuration modification, reconnaissance, network traffic capture and exfiltration, and lateral movement within the network. Organizations are advised to ensure all perimeter devices are properly patched and configured for robust security.

Key Points:

A state-sponsored threat actor has exploited two Cisco zero-day vulnerabilities in firewall devices to target the perimeter of government networks with two custom-built backdoors, in a global cyber espionage campaign.

The ArcaneDoor campaign, run by the threat actor tracked as UAT4356, has targeted Cisco Adaptive Security Appliance (ASA) firewall devices of several Cisco customers since at least December 2023, using a sophisticated attack chain that involves exploitation of the two vulnerabilities.

The campaign used two custom backdoors, Line Dancer and Line Runner, to conduct malicious activities such as configuration modification, reconnaissance, network traffic capture and exfiltration, and potentially lateral movement within the network.

Organizations are advised to ensure all perimeter devices are properly patched, send their logs to a central and secure location, and are configured with strong multifactor authentication (MFA) to protect against similar cyber espionage campaigns.
