
Cisco ASA/FTD Vulnerabilities and Espionage Campaign ArcaneDoor

Introduction

Cisco Talos this week confirmed that customer perimeter network devices are being targeted in an espionage-focused attack.

‘ArcaneDoor’ is the name given to this campaign, which is attributed to the threat actor UAT4356/STORM-1849. The campaign targets Cisco ASA firewalls affected by the following vulnerabilities:

CVE-2024-20353 – Cisco ASA and Firepower Threat Defense (FTD) Software Web Services Denial of Service Vulnerability. CVSSv3: 8.6

This vulnerability is due to incomplete error checking when parsing an HTTP header. An attacker could exploit this vulnerability by sending a crafted HTTP request to a targeted web server on a device. A successful exploit could cause the device to reload unexpectedly, resulting in a DoS condition.

CVE-2024-20359 – Cisco ASA and FTD Software Persistent Local Code Execution Vulnerability. CVSSv3: 6.0

This vulnerability is due to improper validation of a file when it is read from system flash memory. An attacker could exploit this vulnerability by copying a crafted file to the disk0: file system of an affected device. A successful exploit could allow the attacker to execute arbitrary code on the affected device after the next reload of the device, which could alter system behavior.

Two types of malware are associated with the ArcaneDoor campaign:

  • ‘Line Dancer’ – in-memory malware used to execute commands and evade analysis
  • ‘Line Runner’ – backdoor used to maintain persistence

The Cisco Talos blog post provides a forensic analysis of this malware and methods for identifying it.

Recommendations

Patches have been released for the above vulnerabilities and should be installed as a matter of priority. Steps should also be taken to check for, and remove, any artifacts left behind by a compromise.

The Cisco Talos blog post lists known IoC IP addresses related to the ArcaneDoor campaign. If possible, add these to a firewall blocking list and/or an IDS/IPS solution.
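The following script is an added example, not part of the bulletin or of Cisco's tooling, showing one way to act on the recommendation above: it loads an IoC list (IPs or CIDR ranges), checks existing ASA-style connection logs for matches, and emits a block configuration. The IoC addresses and log lines in it are constructed placeholders from documentation ranges (192.0.2.0/24, 198.51.100.0/24, 2001:db8::/32), not the real ArcaneDoor indicators; replace them with the addresses published in the Cisco Talos post. The object-group and access-list lines follow Cisco ASA syntax as assumed here and should be checked against your platform's documentation before use.

```python
"""Match connection logs against an IoC address list and build an ASA block config."""
import ipaddress
import re
from typing import Iterable, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed placeholder indicators (documentation ranges), NOT the real
# ArcaneDoor IoCs. One IP or CIDR per line; '#' starts a comment.
IOC_LIST = """
# placeholder indicators for this example
192.0.2.10
198.51.100.0/24
2001:db8::1
"""

# Constructed sample log lines in Cisco ASA syslog style (not real traffic).
SAMPLE_LOGS = [
    "%ASA-6-302013: Built inbound TCP connection 4411 for outside:192.0.2.10/50122 "
    "(192.0.2.10/50122) to inside:10.0.0.5/443 (10.0.0.5/443)",
    "%ASA-6-302013: Built inbound TCP connection 4412 for outside:203.0.113.77/40001 "
    "(203.0.113.77/40001) to inside:10.0.0.5/443 (10.0.0.5/443)",
    "%ASA-6-302014: Teardown TCP connection 4413 for outside:198.51.100.42/8080 "
    "to inside:10.0.0.9/51000 duration 0:00:03 bytes 1200 TCP FINs",
    "%ASA-6-302013: Built outbound TCP connection 4414 for inside:10.0.0.9/22 "
    "(10.0.0.9/22) to dmz:10.0.0.12/22 (10.0.0.12/22)",
]

# IPv4 only: the sample logs are IPv4. An IPv6 IoC still loads, but will not be
# matched in logs by this extractor.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def load_iocs(text: str) -> List[Network]:
    """Parse an IoC list into networks; single IPs become /32 or /128."""
    networks: List[Network] = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if entry:
            networks.append(ipaddress.ip_network(entry, strict=False))
    return networks


def extract_ipv4(line: str) -> List[ipaddress.IPv4Address]:
    """Return the distinct, valid IPv4 addresses found in one log line."""
    found: List[ipaddress.IPv4Address] = []
    for candidate in IPV4_RE.findall(line):
        try:
            ip = ipaddress.IPv4Address(candidate)   # rejects e.g. 999.1.1.1
        except ValueError:
            continue
        if ip not in found:
            found.append(ip)
    return found


def find_ioc_hits(lines: Iterable[str], networks: List[Network]) -> List[Tuple[int, str, str]]:
    """Return (line_number, address, matched_ioc) for every address inside an IoC network."""
    hits: List[Tuple[int, str, str]] = []
    for number, line in enumerate(lines, start=1):
        for ip in extract_ipv4(line):
            for net in networks:
                if ip.version == net.version and ip in net:
                    hits.append((number, str(ip), str(net)))
                    break  # report each address once per line
    return hits


def asa_block_config(networks: List[Network], group: str = "ARCANEDOOR_IOC_BLOCK",
                     acl: str = "OUTSIDE_IN") -> List[str]:
    """Build an ASA object-group plus a deny ACE covering every IoC network (assumed syntax)."""
    lines = [f"object-group network {group}"]
    for net in networks:
        if net.num_addresses == 1:
            lines.append(f" network-object host {net.network_address}")
        elif net.version == 4:
            lines.append(f" network-object {net.network_address} {net.netmask}")
        else:
            lines.append(f" network-object {net.with_prefixlen}")
    lines.append(f"access-list {acl} extended deny ip object-group {group} any")
    return lines


if __name__ == "__main__":
    iocs = load_iocs(IOC_LIST)
    for number, ip, net in find_ioc_hits(SAMPLE_LOGS, iocs):
        print(f"line {number}: {ip} matches IoC {net}")
    print("\n".join(asa_block_config(iocs)))
```

Run the script against exported syslog to look back for connections involving the published addresses before the block rules go in; a hit on an internal host's outbound traffic is the kind of artifact the recommendation above asks you to hunt for.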