State-Sponsored Hackers Perform Spying Using Two Cisco Zero-Day Vulnerabilities -

Post Views: 305

State-Sponsored Hackers Perform Spying Using Two Cisco Zero-Day Vulnerabilities

Two zero-day vulnerabilities in Cisco networking equipment were exploited by a new malware campaign in order to deliver custom malware and enable the secret gathering of information on target systems.

The activity in question was designated ArcaneDoor by Cisco Talos, which ascribed its origin to a sophisticated state-sponsored actor known as UAT4356 (also referred to as Storm-1849 by Microsoft) that was previously undocumented.
“UAT4356 stationed two backdoors as elements of this campaign, ‘Line Runner’ and ‘Line Dancer,’ which were employed jointly to carry out malicious activities on-target, that involved configuration alterations, reconnaissance, network traffic capture/exfiltration and potentially lateral movement,” according to Talos.

The unauthorized accesses, initially identified and verified in early January 2024, involve the utilization of two susceptibilities:
CVE-2024-20353 (CVSS score: 8.6) Cisco Adaptive Security Appliance and Firepower Threat Defense Software Web Services Denial-of-Service Vulnerability.
CVE-2024-20359 (CVSS score: 6.0) Cisco Adaptive Security Appliance and Firepower Threat Defense Software Persistent Local Code Execution Vulnerability.

It is noteworthy to mention that a zero-day exploit refers to a method or assault employed by a malevolent entity to exploit an unidentified security susceptibility in order to infiltrate a system.Although the second vulnerability permits arbitrary code execution with root privileges by a local adversary, it necessitates administrator-level privileges in order to be exploited. In conjunction with CVE-2024-20353 and CVE-2024-20359, an internal security testing discovery of a command injection vulnerability in the same appliance (CVE-2024-20358, CVSS score: 6.0) is addressed.

The deficiencies have been added to the Known Exploited Vulnerabilities (KEV) catalog by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), mandating that federal agencies implement the vendor-supplied remedies by May 1, 2024.
While the precise initial access path utilized to compromise the devices remains unknown at this time, UAT4356 reportedly initiated preparations for it in July 2023.

After establishing a firm footing, two implants called Line Dancer and Line Runner are implemented. Among these implants, Line Dancer functions as an in-memory backdoor, allowing malicious actors to upload and execute arbitrary shellcode payloads. Such payloads may consist of actions such as disabling system logs or exfiltrating packet captures.

In contrast, Line Runner is a persistent Lua implant that operates over HTTP and is integrated into the Cisco Adaptive Security Appliance (ASA). Its ability to endure reboots and upgrades is facilitated by its utilization of the aforementioned zero-day vulnerabilities. It has been observed that line dancers are utilizing it to retrieve information.
A joint advisory issued by cybersecurity agencies from Australia, Canada, and the United Kingdom states, “Line Runner may be present on a compromised device even if Line Dancer is absent (e.g., as a persistent backdoor, or where an impacted ASA has not yet received full operational attention from the malicious actors).”

Throughout all stages of the attack, UAT4356 allegedly exhibited strict vigilance in hiding digital imprints and adeptness in utilizing complex techniques to circumvent memory forensics and diminish the likelihood of detection, thereby augmenting its sophistication and elusive characteristics.

Furthermore, this indicates that the threat actors possess a comprehensive comprehension of the ASA’s inner workings as well as the “forensic operations frequently executed by Cisco to validate the integrity of network devices.”

It is unknown which nation is responsible for ArcaneDoor; however, in the past, Chinese and Russian state-backed hackers have targeted Cisco routers for the purpose of cyber espionage. Additionally, the precise number of clients that were compromised as a result of these attacks was not disclosed by Cisco Talos.

The recent series of attacks that specifically targeted Barracuda Networks, Fortinet, Ivanti, Palo Alto Networks, and VMware once more underscores the heightened emphasis on edge devices and platforms, including email servers, firewalls, and VPNs, which have historically been neglected by endpoint detection and response (EDR) solutions.

“Perimeter network devices are the perfect intrusion point for espionage-focused campaigns,” Talos indicated.
“In addition to being closely monitored from a security standpoint, these devices must be patched habitually and promptly, utilizing the most recent hardware and software configurations and versions, as they serve as a critical path for data entering and exiting the network. By establishing a foothold on these devices, an actor can pivot directly into an organization, modify or reroute traffic, and observe network communications.”

About The Author:
Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blog, he’s also written for brands including CollegeDunia, Utsav Fashion, and NASSCOM. Naager entered the field of content in an unusual way. He began his career as an insurance sales executive, where he developed an interest in simplifying difficult concepts. He also combines this interest with a love of narrative, which makes him a good writer in the cybersecurity field. In the bottom line, he frequently writes for Craw Security.