Hackers Exploit Cisco Firewall Zero-Days to Hack Government Networks

Security researchers at Cisco Talos have uncovered a sophisticated cyber espionage campaign dubbed “ArcaneDoor” conducted by a state-sponsored threat actor tracked as UAT4356 (STORM-1849).

This campaign targeted government networks globally by exploiting multiple zero-day vulnerabilities in Cisco’s Adaptive Security Appliance (ASA) firewalls.

The attack chain leveraged two custom malware implants – “Line Dancer” and “Line Runner” – to gain persistent access and remote control over compromised ASA devices.

Line Dancer was an in-memory shellcode interpreter that enabled executing arbitrary payloads, while Line Runner provided a persistent backdoor by abusing a legacy VPN client pre-loading functionality.

“Cisco uncovered a sophisticated attack chain that was used to implant custom malware and execute commands across a small set of customers. While Cisco researchers have been unable to identify the initial attack vector, we have identified two vulnerabilities (CVE-2024-20353 and CVE-2024-20359) that were abused in this campaign.”

Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide

Initial Compromise and Line Dancer Implant

The initial attack vector used to compromise ASA firewalls remains unknown. However, once access was obtained, the hackers deployed the Line Dancer implant – a memory-resident shellcode interpreter.

This allowed them to upload and execute malicious payloads via the host-scan-reply field of the SSL VPN session establishment process.

Line Dancer provided the capability to disable logging, capture device configurations, sniff network traffic, execute CLI commands, and even bypass authentication mechanisms.

It hooked critical functions like crash dumps to hinder forensic analysis and rebooted devices to remove itself from memory.

Persistent Line Runner Backdoor

To maintain access, the hackers exploited two zero-day vulnerabilities (CVE-2024-20353 and CVE-2024-20359) to install the Line Runner persistent backdoor.

This leveraged a legacy feature that allowed pre-loading VPN client bundles on ASAs.

Line Runner consisted of Lua scripts that created a hidden directory, planted a web content file acting as a backdoor, and modified system scripts to copy a malicious ZIP file for execution on every boot.

The threat actor’s ZIP file has the following files:

This gave the attackers a persistent HTTP-based backdoor that survived software upgrades and reboots.

Document

Integrate ANY.RUN in your company for Effective Malware Analysis

Are you from SOC and DFIR teams? – Join With 400,000 independent Researchers

Malware analysis can be fast and simple. Just let us show you the way to:

Interact with malware safely
Set up virtual machine in Linux and all Windows OS versions
Work in a team
Get detailed reports with maximum data

Anti-Forensics and Attribution

The ArcaneDoor campaign demonstrated advanced anti-forensics capabilities, modifying core dump functions, disabling logging, and hooking authentication processes to hide their activities.

These operational security measures, combined with developing bespoke malware implants and chaining of zero-days, strongly suggest a state-sponsored threat actor.

While Cisco has released patches for the exploited vulnerabilities, organizations should urgently update their ASA firewalls and follow the recommended incident response procedures to detect and remediate potential compromises from this campaign.

Perimeter network devices like firewalls are lucrative targets for espionage actors because they provide a direct intrusion point into sensitive networks.

The ArcaneDoor campaign underscores the importance of prompt patching, secure configurations, and proactive monitoring of such critical infrastructure components.

Combat Email Threats with Free Phishing Simulations: Email Security Awareness Training ->Try Free Demo

Indicators of Compromise

Likely Actor-Controlled Infrastructure:

192.36.57[.]181
185.167.60[.]85
185.227.111[.]17
176.31.18[.]153
172.105.90[.]154
185.244.210[.]120
45.86.163[.]224
172.105.94[.]93
213.156.138[.]77
89.44.198[.]189
45.77.52[.]253
103.114.200[.]230
212.193.2[.]48
51.15.145[.]37
89.44.198[.]196
131.196.252[.]148
213.156.138[.]78
121.227.168[.]69
213.156.138[.]68
194.4.49[.]6
185.244.210[.]65
216.238.75[.]155

Multi-Tenant Infrastructure:

5.183.95[.]95
45.63.119[.]131
45.76.118[.]87
45.77.54[.]14
45.86.163[.]244
45.128.134[.]189
89.44.198[.]16
96.44.159[.]46
103.20.222[.]218
103.27.132[.]69
103.51.140[.]101
103.119.3[.]230
103.125.218[.]198
104.156.232[.]22
107.148.19[.]88
107.172.16[.]208
107.173.140[.]111
121.37.174[.]139
139.162.135[.]12
149.28.166[.]244
152.70.83[.]47
154.22.235[.]13
154.22.235[.]17
154.39.142[.]47
172.233.245[.]241
185.123.101[.]250
192.210.137[.]35
194.32.78[.]183
205.234.232[.]196
207.148.74[.]250
216.155.157[.]136
216.238.66[.]251
216.238.71[.]49
216.238.72[.]201
216.238.74[.]95
216.238.81[.]149
216.238.85[.]220
216.238.86[.]24

Update: Cisco has released updates for Zero Day vulnerabilities; more details can be found here.