A previously unidentified hacking group, believed to be a nation-state threat actor, is attacking Cisco firewall appliances in what cybersecurity officials describe as an espionage campaign targeting government networks and critical infrastructure.
Cisco dubbed the campaign “ArcaneDoor” and warned that it targeted devices running Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software.
The vendor has issued patches for the three zero-day vulnerabilities linked to the attack and is urging customers to apply them.
A joint advisory from the UK's National Cyber Security Centre, the Canadian Centre for Cyber Security (Cyber Centre) and the Australian Signals Directorate's Australian Cyber Security Centre also calls for urgent patching.
The three agencies said in their advisory that they have been monitoring the campaign since early this year and that its sophisticated nature, involving “multiple layers of new technology and simultaneous operations against multiple targets around the world,” is cause for concern.
“These capabilities demonstrate espionage operations carried out by well-resourced and sophisticated state sponsors,” they said.
“Because VPN services are a critical component of computer network security, vulnerabilities in such services are particularly significant.”
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two of the bugs to its Known Exploited Vulnerabilities catalog and has ordered federal civilian agencies to patch all affected software by May 1.
The two bugs are CVE-2024-20353, an infinite-loop vulnerability that can be triggered remotely to cause a denial of service, and CVE-2024-20359, an elevation-of-privilege vulnerability that allows a local attacker with administrator access to escalate to root.
The threat actor behind the campaign is tracked by Cisco as UAT4356 and by Microsoft as STORM-1849, but neither Cisco nor any of the government agencies that have raised concerns about the threat has commented on which nation-state the group is believed to be linked to.
Perimeter network devices are the “perfect point of entry”
In a separate threat advisory, Cisco Talos, the vendor's cyber threat intelligence organization, described the ArcaneDoor campaign as the latest example of state-sponsored attackers targeting perimeter network devices, adding that the trend is not confined to a single vendor.
“These attacker-coveted perimeter network devices are the perfect entry point for campaigns focused on espionage. As the critical path for data entering and exiting the network, these devices must be regularly and quickly patched, use up-to-date hardware and software versions and configurations, and be closely monitored from a security perspective,” the Talos advisory states.
“By gaining a foothold on these devices, attackers can directly infiltrate organizations, route and modify traffic, and monitor network communications.”
Recent nation-state cyber espionage efforts that fall into the same category as the ArcaneDoor campaign include the efforts of the Chinese-aligned Advanced Persistent Threat (APT) group Volt Typhoon and the Russian-aligned APT Sandworm.
Cisco Talos and international cybersecurity agencies said in an advisory that UAT4356/STORM-1849 deployed two backdoors, “Line Runner” and “Line Dancer,” as part of the ArcaneDoor campaign.
Together, the two backdoors were used to perform malicious actions against targeted systems, including configuration changes, reconnaissance, capturing and exfiltrating network traffic, and in some cases lateral movement. Line Runner is a persistent Lua-based web shell that abuses a customization feature on ASA WebVPN devices, while Line Dancer is an in-memory implant that lets the attacker upload and execute arbitrary shellcode payloads.
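The actions attributed to the backdoors above (packet capture and exfiltration, configuration changes, reconnaissance) leave traces in the ASA's own command-audit syslog messages. The following hunting script is an added example, not code from the page, from Cisco or from the advisories: it scans ASA “command executed” messages (IDs 111008 and 111010) for those behaviours and for administrative sessions originating outside an assumed management subnet. The log lines, the management subnet and the list of suspicious command prefixes are constructed assumptions and should be tuned to your environment.

```python
"""Hunt for suspicious administrative activity in Cisco ASA syslog.

Added example (not from the article, Cisco or the advisories). It parses ASA
"command executed" messages (message IDs 111008 and 111010) and flags the kinds
of actions the ArcaneDoor backdoors were reported to perform: packet capture
and export, configuration persistence, WebVPN customization changes and
configuration reads, plus admin sessions from outside a management subnet.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Assumption: legitimate device management only comes from this subnet.
MGMT_NET = ipaddress.ip_network("10.10.0.0/24")

# Assumed mapping of command prefixes to the behaviour they indicate.
# Ordered so that the first matching prefix wins.
SUSPICIOUS_PREFIXES = {
    "capture": "packet capture started",
    "copy /pcap": "packet capture exported",
    "write memory": "configuration persisted",
    "copy running-config": "configuration copied (persisted or exfiltrated)",
    "import webvpn": "WebVPN customization or plugin imported",
    "show running-config": "configuration read (reconnaissance)",
}

# Shape of the two ASA command-audit messages:
#   %ASA-5-111008: User 'x' executed the 'cmd' command.
#   %ASA-5-111010: User 'x', running 'CLI' from IP a.b.c.d, executed 'cmd'
LOG_RE = re.compile(
    r"%ASA-\d-(?P<id>111008|111010): User '(?P<user>[^']*)'"
    r"(?:, running '(?P<shell>[^']*)' from IP (?P<ip>[0-9.]+),)?"
    r" executed (?:the )?'(?P<cmd>[^']*)'"
)


@dataclass
class Finding:
    user: str
    ip: Optional[str]
    cmd: str
    reasons: List[str] = field(default_factory=list)


def classify(line: str) -> Optional[Finding]:
    """Return a Finding if the line is a suspicious admin command, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    cmd = m["cmd"].strip()
    reasons: List[str] = []
    for prefix, why in SUSPICIOUS_PREFIXES.items():
        if cmd.startswith(prefix):
            reasons.append(why)
            break
    ip = m["ip"]
    if ip and ipaddress.ip_address(ip) not in MGMT_NET:
        reasons.append(f"admin session from non-management IP {ip}")
    if not reasons:
        return None
    return Finding(user=m["user"], ip=ip, cmd=cmd, reasons=reasons)


def hunt(lines: Iterable[str]) -> List[Finding]:
    """Run classify() over a log stream and keep only the hits."""
    return [f for f in (classify(line) for line in lines) if f is not None]


# Constructed sample log lines (not real ArcaneDoor telemetry).
SAMPLE_LOGS = [
    "Apr 24 2024 10:01:02 fw1 : %ASA-5-111010: User 'netops', running 'CLI' from IP 10.10.0.5, executed 'show interface'",
    "Apr 24 2024 10:05:44 fw1 : %ASA-5-111010: User 'admin', running 'CLI' from IP 198.51.100.23, executed 'capture exfil interface outside'",
    "Apr 24 2024 10:06:10 fw1 : %ASA-5-111008: User 'admin' executed the 'copy /pcap capture:exfil disk0:/exfil.pcap' command.",
    "Apr 24 2024 10:07:30 fw1 : %ASA-5-111010: User 'admin', running 'CLI' from IP 198.51.100.23, executed 'write memory'",
    "Apr 24 2024 10:09:00 fw1 : %ASA-5-111010: User 'netops', running 'CLI' from IP 10.10.0.5, executed 'write memory'",
    "Apr 24 2024 10:09:31 fw1 : %ASA-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.9/443 to inside:10.1.1.20/51522",
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOGS):
        print(f"{f.user:8} {f.ip or '-':16} {f.cmd!r}: {'; '.join(f.reasons)}")
```

Note that a legitimate administrator's `write memory` is flagged too; the point of the script is to surface every configuration change and capture for review, since the backdoors operate with administrative privileges and their actions are indistinguishable from routine administration without this kind of correlation against who, from where, and when.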