A recent malware campaign has surfaced, raising alarms across networks secured by Cisco’s Adaptive Security Appliance (ASA). The campaign, dubbed “Arcane Door”, has set its sights on some significant networks worldwide. The objective of the intrusion is two-fold: executing remote commands on the appliances and extracting sensitive data.
Networks Under Threat
The networks under threat include those safeguarding government websites worldwide, along with telecommunication and energy-management websites. The suspects behind this malicious activity have not been formally accused yet, even though an ongoing investigation by Cisco, in collaboration with Microsoft, points towards China.
The Security Flaws in Question
The intruders exploit two zero-day security flaws, CVE-2024-20353 and CVE-2024-20359. CVE-2024-20353 is a high-severity flaw that opens a pathway for the execution of specified remote commands on the protected devices. CVE-2024-20359 is less severe but allows the execution of arbitrary code with root-level privileges, provided the attacker already has administrative access.
The Dual Malware Threat
Entering via these two security loopholes are two pieces of malware known as “Line Runner” and “Line Dancer”. Line Dancer is a memory-resident implant that executes shellcode payloads, turns off syslog, executes commands, triggers device reboots, evades analysis and can manipulate the AAA function. Line Runner, on the other hand, is a persistent web shell with the capability of downloading and executing Lua scripts.
Patches Released and Ongoing Investigation
Cisco has responded to this threat by releasing patches for the two exploited flaws. The investigation is still underway, with no clear evidence of pre-authentication exploitation discovered so far. The infiltration methods were found to be used by a group designated UAT4356. This discovery came at the same time that Russian and Chinese hacker gangs were found infiltrating similar sensitive infrastructure.
State-Sponsored Espionage Indicated
The actor, UAT4356, used custom tools built for espionage. Its deep knowledge of the targeted devices suggests a sophisticated, state-sponsored actor. Despite the ongoing investigation and indications pointing to a particular nation, Cisco and Microsoft are not ready to explicitly identify China as the orchestrator of the Arcane Door campaign.
Hi, my name is Disha and I’m a passionate writer and editor at “Jason Deegan”. With a keen interest in all things tech, I strive to bring you the latest news and updates from the world of high-tech.