Global government networks breached in 'ArcaneDoor' espionage campaign

Threat actors compromised networks using Cisco zero-day exploits


Cisco issued a security alert on Wednesday detailing a large-scale cyber espionage campaign dubbed "ArcaneDoor" that targeted government networks worldwide.

The campaign, launched by a previously unknown threat actor tracked as UAT4356 by Cisco Talos, exploited two zero-day vulnerabilities in Cisco's widely used Adaptive Security Appliance (ASA) firewalls.

The attackers employed a sophisticated attack chain that involved exploiting these vulnerabilities, identified as CVE-2024-20353 (denial-of-service) and CVE-2024-20359 (persistent local code execution), to install custom backdoors on compromised devices.

While the initial method used by UAT4356 to gain access to victim networks remains unclear, the attackers deployed two custom malware tools - "Line Dancer" and "Line Runner" - once inside.

Line Dancer acts as an in-memory shellcode loader, allowing attackers to remotely execute commands on compromised firewalls. This could include disabling security logs, stealing network configurations, exfiltrating captured packets, and potentially moving laterally within the network.

Line Runner grants attackers the ability to execute arbitrary Lua code on compromised systems. Cisco characterised the attackers' tools as bespoke, indicating a sophisticated understanding of the targeted devices, a hallmark of state-sponsored actors.

The investigation was initiated after a concerned customer contacted Cisco's security team in early 2024. The researchers found that the attackers had been active since at least November 2023.

Most attacks occurred between December and January, targeting government networks globally.

Evidence suggests UAT4356, also tracked as STORM-1849 by Microsoft, may have been developing its capabilities since July 2023.

In response to these alarming developments, Cisco issued security updates to patch the two zero-day vulnerabilities.

The company now strongly advises all customers to upgrade their devices with the latest software to fortify defences against potential attacks.

Furthermore, admins are encouraged to monitor system logs for any indications of unscheduled reboots, unauthorised configuration alterations, or suspicious credential activity.
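As an added illustration of that log review (example code written for this page, not from Cisco's advisory or its tooling), the script below scans ASA-style syslog lines for the three indicators just listed. The sample lines, their message IDs, the approved admin network and the maintenance window are all assumptions constructed for the example.

```python
import ipaddress
import re
from datetime import datetime
# Constructed sample lines in ASA syslog layout; the message IDs are assumed for
# illustration, so check them against your own devices before relying on them.
SAMPLE_LOGS = """\
Apr 24 02:13:05 fw1 %ASA-6-605005: Login permitted from 203.0.113.9/51022 to outside:192.0.2.1/ssh for user "admin"
Apr 24 02:13:40 fw1 %ASA-5-111008: User 'admin' executed the 'no logging enable' command.
Apr 24 02:14:02 fw1 %ASA-5-111008: User 'admin' executed the 'write memory' command.
Apr 24 02:15:11 fw1 %ASA-5-199001: Reload command executed from SSH (remote 203.0.113.9).
Apr 24 09:00:01 fw1 %ASA-6-605005: Login permitted from 10.0.5.20/44010 to inside:10.0.5.1/ssh for user "netops"
"""
# Assumed environment facts: the admin management network and the maintenance hours.
ADMIN_NETS = [ipaddress.ip_network("10.0.5.0/24")]
CHANGE_WINDOW = range(8, 18)  # 08:00-17:59 device-local time
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ %ASA-\d-\d+: (?P<msg>.*)$")
LOGIN_RE = re.compile(r'Login permitted from (?P<ip>[\d.]+)/\d+ .* for user "(?P<user>[^"]+)"')
CMD_RE = re.compile(r"User '(?P<user>[^']+)' executed the '(?P<cmd>[^']+)' command")
RELOAD_RE = re.compile(r"Reload command executed from (?P<via>.*?) \(remote (?P<ip>[\d.]+)\)")
# Commands that blind defenders (logging/capture off) vs. commands that alter or persist config.
BLINDING = ("no logging", "clear logging", "clear capture", "no capture")
CONFIG_CHANGING = ("configure", "write", "copy ", "crypto", "username", "ssh ", "http ")

def trusted(ip):
    return any(ipaddress.ip_address(ip) in net for net in ADMIN_NETS)

def analyze(log_text):
    """Return findings for the three indicators the article names: unscheduled reloads,
    unauthorised configuration changes and suspicious credential activity."""
    findings, session_ip = [], {}  # session_ip maps user -> last login source address
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = m["ts"], m["msg"]
        hour = datetime.strptime(ts, "%b %d %H:%M:%S").hour
        if lm := LOGIN_RE.search(msg):
            session_ip[lm["user"]] = lm["ip"]
            if not trusted(lm["ip"]):
                findings.append(f"{ts} credential: {lm['user']!r} login from untrusted {lm['ip']}")
        elif cm := CMD_RE.search(msg):
            cmd, src = cm["cmd"], session_ip.get(cm["user"], "unknown")
            if cmd.startswith(BLINDING):
                findings.append(f"{ts} blinding: {cm['user']!r} ran {cmd!r} from {src}")
            elif cmd.startswith(CONFIG_CHANGING) and hour not in CHANGE_WINDOW:
                findings.append(f"{ts} config: {cm['user']!r} ran {cmd!r} outside change window")
        elif rm := RELOAD_RE.search(msg):
            if hour not in CHANGE_WINDOW or not trusted(rm["ip"]):
                findings.append(f"{ts} reload: unscheduled reload via {rm['via']} from {rm['ip']}")
    return findings
```

Feed it `SAMPLE_LOGS` (or real syslog export) and the four flagged events from the night-time session stand out while the daytime login from the management network produces nothing.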

Cisco underscores the critical role of edge devices, like firewalls, in securing organisational networks.

The researchers warn that such devices are prime targets for espionage campaigns, as they offer a foothold for attackers to infiltrate internal networks and steal sensitive data.

"Gaining a foothold on these devices allows an actor to directly pivot into an organization, reroute or modify traffic and monitor network communications," Cisco researchers wrote.

"In the past two years, we have seen a dramatic and sustained increase in the targeting of these devices in areas such as telecommunications providers and energy sector organisations—critical infrastructure entities that are likely strategic targets of interest for many foreign governments."

Earlier this month, researchers from cybersecurity firm Mandiant said they had identified multiple China-linked hacker groups exploiting security vulnerabilities in Ivanti appliances to gain unauthorised access to targeted networks.

The researchers observed advanced tactics employed by these threat actors to infiltrate target environments and move laterally within them.

Among the identified threat groups, Mandiant highlighted UNC5291, which it assessed with medium confidence to be associated with Volt Typhoon, focusing primarily on the US energy and defence sectors.