Cisco firewalls hit by zero-day breach target government sites around the world


Mélina LOUPIA

April 25, 2024 at 6:01 p.m.


“Line Runner” and “Line Dancer”, two problematic malware © JHVEPhoto /Shutterstock

A malware campaign, called “Arcane Door”, specifically targets networks protected by Cisco Adaptive Security Appliance (ASA) software. Once inside, the attackers use at least two security vulnerabilities to deploy two pieces of malware, “Line Runner” and “Line Dancer”.

The United States and China probably won’t be vacationing together any time soon. In the midst of a merciless cyberwar, a new malware campaign was revealed by Cisco Talos researchers on Wednesday, April 24, 2024.

Arcane Door, as they nicknamed it, breaks down into two distinct phases: the exploitation of two zero-day flaws to get into the ASA firewall platforms, followed by the injection of two backdoors. The end goal is for the attackers to execute commands remotely and exfiltrate sensitive data. The targeted networks are, after all, meant to protect government sites around the world, as well as telecommunications and energy-management sites.

Cisco has neither identified nor formally accused a particular hacking group, but its investigation, carried out jointly with Microsoft, points straight at China.

CVE-2024-20359 and CVE-2024-20353: two zero-day flaws exploited to inject two backdoors, “Line Runner” and “Line Dancer”

Concretely, Arcane Door is deployed in two stages. The first phase consists of exploiting two zero-day vulnerabilities (flaws for which no fix was yet available), CVE-2024-20353 and CVE-2024-20359, in Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) devices.

CVE-2024-20353 is a high-severity vulnerability with a CVSS score of 8.6. It lies in the management web server and VPN server of Cisco ASA and FTD devices, and allows a remote attacker to trigger certain actions on the affected device, such as a reset that causes a denial of service.

By exploiting the less severe but equally damaging CVE-2024-20359, which has a CVSS score of 6.0, the attacker can execute arbitrary code with root-level privileges, provided they already have administrator access to the device.

Once these two flaws have been exploited, the path is clear to inject two pieces of malware, each with a specific role in the campaign. The first, Line Dancer, is a memory-resident implant that executes shellcode payloads, disables syslog (which hampers analysis), runs commands and forces device reboots. It can also hook the AAA (authentication, authorization and accounting) function to allow a VPN tunnel connection authenticated with a “magic number”. The second, Line Runner, is a persistent web shell that can download and run Lua scripts.

China suspected of being behind Arcane Door

Cisco, however, responded by publishing fixes for these two flaws on Wednesday, April 24, but is only at the beginning of its investigation. “We have not determined the initial access vector used in this campaign. To date, we have not identified any evidence of pre-authentication exploitation,” the company writes on its blog.

Arcane Door, with China in the background? © NicoElNino / Shutterstock

However, a few clues point to a probable culprit. Cisco notes that the infiltration methods of the group, which it tracks as UAT4356, were discovered at the same time as Russian and Chinese hacking gangs were infiltrating the same type of sensitive infrastructure.

“This actor used tailored tools that demonstrated a clear focus on espionage and deep knowledge of the devices they targeted, hallmarks of a sophisticated state-sponsored actor,” the company said.

From there to identifying the Arcane Door campaign as Chinese is a step that Cisco and Microsoft (with which the investigation was carried out) cannot yet take.

Source : Ars Technica, Cisco Talos
