
Cisco warns of state-sponsored cyberattacks targeting government networks



Cisco Systems Inc. today warned that a suspected nation-state actor has been actively exploiting two zero-day vulnerabilities in Cisco products since November to breach government networks.

The campaign, dubbed “ArcaneDoor” and tracked as UAT4356, was first detected by Cisco when it was contacted earlier this year by a customer who reported suspicious activity on its Cisco Adaptive Security Appliances. The subsequent investigation identified additional victims, all of them government networks, with the earliest intrusions found to date back to early November.

Cisco has yet to identify the initial access vector used in the attacks; however, during the investigation it found that the threat actor was exploiting two zero-day vulnerabilities.

The first, CVE-2024-20353, is a vulnerability in the management and virtual private network web servers of Cisco Adaptive Security Appliance Software and Cisco Firepower Threat Defense Software that could allow an unauthenticated, remote attacker to cause the device to reload unexpectedly, resulting in a denial-of-service condition. The second, CVE-2024-20359, is a vulnerability in a legacy capability that allowed the preloading of virtual private network clients and plug-ins on Cisco Adaptive Security Appliance Software and Cisco Firepower Threat Defense Software, and could allow an authenticated, local attacker to execute arbitrary code with root-level privileges.

The attackers were found to be deploying a memory implant called “Line Dancer,” a memory-resident shellcode interpreter that lets adversaries upload and execute arbitrary shellcode payloads. A second implant, a backdoor called “Line Runner,” is deployed for persistence and specifically exploits the second of the two vulnerabilities, the one in the legacy preloading capability of Cisco’s software.

“This actor utilized bespoke tooling that demonstrated a clear focus on espionage and an in-depth knowledge of the devices that they targeted, hallmarks of a sophisticated state-sponsored actor,” Cisco Talos researchers noted in a blog post. The researchers added that fixes are available for the zero-days.

Discussing the news, Andrew Costis, chapter lead of the Adversary Research Team at security company AttackIQ Inc., told SiliconANGLE that “we’ve seen time and time again critical zero and n-day vulnerabilities being exploited with all of the mainstream security appliances and software, for example Ivanti, Citrix, Cisco, Palo Alto and so on.”

“Once an exploit is actively being used in the wild, it then comes down to the goals and objectives of the actors and groups post-compromise,” Costis added. “While the initial access vector will be unique from one zero-day to the next, the post-compromise TTPs are equally important to focus on.”

Photo: Wikimedia Commons
