ArcaneDoor is a campaign that is the latest example of state-sponsored actors targeting perimeter network devices from multiple vendors.
This campaign targeted government networks globally by exploiting zero-day vulnerabilities in Cisco Adaptive Security Appliance (ASA) firewalls (CVE-2024-20353 and CVE-2024-20359); the initial access vector the actor used to reach the devices has not been identified.
The attack chain used two custom malware implants, "Line Dancer" and "Line Runner," to gain persistent access to and remote control over compromised ASA devices.
Line Dancer is an in-memory shellcode interpreter that lets the actor upload and execute arbitrary shellcode payloads; Line Runner is a persistent backdoor that abuses a legacy ASA capability for pre-loading VPN clients and plug-ins at boot (the weakness tracked as CVE-2024-20359) so that it survives device reboots.
Through Line Dancer the actor could disable syslog, run and exfiltrate the device configuration, create and exfiltrate packet captures, execute CLI commands (including in configuration mode), and hook the AAA function to bypass authentication.
It also hooked the crash-dump process so that, instead of writing a core dump, the device rebooted immediately; the reboot cleared the in-memory implant and denied responders the core file that would have recorded the compromise.
Recommendations:
Cisco ASA and FTD users should update to the fixed software releases listed in Cisco's advisories for CVE-2024-20353 and CVE-2024-20359 to close the known exploitation paths. Forward device logs to a central, secure collector and review them for suspicious activity; because Line Dancer disables syslog on the compromised device, a firewall that abruptly stops sending logs is itself a signal worth investigating. Enforce strong, multi-factor authentication (MFA) for all administrative access to the devices.
Follow Cisco's published guidance to verify the integrity of ASA or FTD devices. The steps are:
1. Log in to the CLI of the suspected device. Note: on devices running Cisco FTD Software, switch to the Cisco ASA CLI with the system support diagnostic-cli command.
2. Use the enable command to switch to privileged EXEC mode. Note: on devices running Cisco FTD Software, the enable password is blank.
3. Collect the output of the following commands:
- show version
- verify /sha-512 system:memory/text
- debug menu memory 8
4. Open a case with the Cisco Technical Assistance Center (TAC), reference the ArcaneDoor keyword in the case, and upload the data collected in Step 3.
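The collection steps above can be scripted so that each output is captured verbatim and hashed at collection time, which makes the bundle handed to TAC verifiable later. The following is an added example, not Cisco's own tooling: the transport is an injected callable (in practice a wrapper around a Netmiko or Paramiko session's send function; here an offline FakeSession whose response strings are constructed), and the JSON bundle layout is an assumption.

```python
"""Scripted collection of the ArcaneDoor integrity-verification evidence.

Added example, not Cisco's tooling. `send` is any callable that writes one
CLI line and returns the device output (a Netmiko/Paramiko wrapper in
practice); FakeSession and its response strings are constructed stand-ins.
"""
import hashlib
import json
import re
from datetime import datetime, timezone
from typing import Callable, Dict, Optional

# The three commands Cisco asks for, in the order they are to be collected.
EVIDENCE_COMMANDS = (
    "show version",
    "verify /sha-512 system:memory/text",
    "debug menu memory 8",
)
# FTD reaches the ASA CLI through a diagnostic shell; its enable password is blank.
FTD_DIAG_CLI = "system support diagnostic-cli"
SHA512_RE = re.compile(r"\b[0-9a-fA-F]{128}\b")


def collect_evidence(send: Callable[[str], str], *, is_ftd: bool,
                     enable_password: str = "") -> Dict[str, dict]:
    """Run the verification commands; return {command: {"output", "sha256"}}.

    Each output is hashed at capture time so the bundle handed to TAC can be
    shown to be unaltered later.
    """
    if is_ftd:
        send(FTD_DIAG_CLI)
    send("enable")
    send(enable_password)          # blank on FTD, per Cisco's note
    send("terminal pager 0")       # disable paging so nothing is truncated
    evidence: Dict[str, dict] = {}
    for cmd in EVIDENCE_COMMANDS:
        out = send(cmd)
        evidence[cmd] = {
            "output": out,
            "sha256": hashlib.sha256(out.encode("utf-8")).hexdigest(),
        }
    return evidence


def extract_text_hash(verify_output: str) -> Optional[str]:
    """Pull the 128-hex-digit SHA-512 of the .text region out of the verify output."""
    match = SHA512_RE.search(verify_output)
    return match.group(0).lower() if match else None


def build_tac_bundle(hostname: str, evidence: Dict[str, dict]) -> str:
    """Serialise the evidence with the case keyword Cisco asks to be referenced."""
    return json.dumps({
        "case_keyword": "ArcaneDoor",
        "hostname": hostname,
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "evidence": evidence,
    }, indent=2)


class FakeSession:
    """Offline stand-in for an SSH session. Responses are constructed, not real output."""

    def __init__(self) -> None:
        self.sent = []

    def __call__(self, cmd: str) -> str:
        self.sent.append(cmd)
        if cmd == "show version":
            return "Cisco Adaptive Security Appliance Software Version 9.16(4)\n"
        if cmd.startswith("verify /sha-512"):
            return "verify /SHA-512 (system:memory/text) = " + "ab" * 64 + "\n"
        if cmd.startswith("debug menu memory"):
            return "(constructed memory-region listing)\n"
        return ""


if __name__ == "__main__":
    session = FakeSession()
    ev = collect_evidence(session, is_ftd=True)
    print("text hash:", extract_text_hash(ev["verify /sha-512 system:memory/text"]["output"]))
    print(build_tac_bundle("fw-edge-01", ev))
```

Against a real device, replace FakeSession with a function that sends the command over the existing SSH session and returns the buffered output, and hand the resulting JSON to TAC unmodified; the per-command SHA-256 values let TAC confirm the outputs they received are the ones captured on the box.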
Priority: High
Indicators of Compromise (IoC):
Actor-controlled infrastructure:
192.36.57[.]181
185.167.60[.]85
185.227.111[.]17
176.31.18[.]153
172.105.90[.]154
185.244.210[.]120
45.86.163[.]224
172.105.94[.]93
213.156.138[.]77
89.44.198[.]189
45.77.52[.]253
103.114.200[.]230
212.193.2[.]48
51.15.145[.]37
89.44.198[.]196
131.196.252[.]148
213.156.138[.]78
121.227.168[.]69
213.156.138[.]68
194.4.49[.]6
185.244.210[.]65
216.238.75[.]155
Multi-Tenant Infrastructure:
5.183.95[.]95
45.63.119[.]131
45.76.118[.]87
45.77.54[.]14
45.86.163[.]244
45.128.134[.]189
89.44.198[.]16
96.44.159[.]46
103.20.222[.]218
103.27.132[.]69
103.51.140[.]101
103.119.3[.]230
103.125.218[.]198
104.156.232[.]22
107.148.19[.]88
107.172.16[.]208
107.173.140[.]111
121.37.174[.]139
139.162.135[.]12
149.28.166[.]244
152.70.83[.]47
154.22.235[.]13
154.22.235[.]17
154.39.142[.]47
172.233.245[.]241
185.123.101[.]250
192.210.137[.]35
194.32.78[.]183
205.234.232[.]196
207.148.74[.]250
216.155.157[.]136
216.238.66[.]251
216.238.71[.]49
216.238.72[.]201
216.238.74[.]95
216.238.81[.]149
216.238.85[.]220
216.238.86[.]24
CVE-2024-20353: Denial of service (an unauthenticated remote attacker can force the device to reload).
CVE-2024-20359: Persistent local code execution (requires administrator-level privileges; the legacy VPN-client pre-loading capability abused by Line Runner for persistence).
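The indicator lists above are defanged, so before they can be matched against connection logs they need to be refanged and validated (a single mangled bracket, as in a transcription error, would otherwise drop a hit silently). The following is an added example, not part of the advisory: it refangs a subset of the published IPs, keeps their tier, scans constructed ASA syslog lines for any address field that matches, and separately flags audited admin commands of the kind Line Dancer's behaviour (disabling logging, packet capture) would produce. The sample log lines, the command pattern list and the two-tier labelling are assumptions.

```python
"""Hunt the advisory's IP indicators and log-tampering commands in ASA syslog.

Added example, not part of the advisory. The log lines are constructed to
resemble ASA %ASA-6-302013/302014 and %ASA-5-111008 messages; field layout,
the command pattern list and the two-tier labelling are assumptions.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Tuple

# Subset of the advisory's defanged indicators, kept in their published tiers.
ACTOR_CONTROLLED = ["192.36.57[.]181", "185.167.60[.]85", "176.31.18[.]153", "216.238.75[.]155"]
MULTI_TENANT = ["5.183.95[.]95", "45.63.119[.]131", "216.238.86[.]24"]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# %ASA-5-111008 records every command an admin runs; these patterns cover the
# actions Line Dancer performs (disable logging, packet capture, config export).
CMD_AUDIT_RE = re.compile(r"%ASA-5-111008: User '([^']+)' executed the '([^']+)' command")
SUSPICIOUS_CMD_RE = re.compile(r"^(no logging\b|capture\b|copy\b|debug menu\b)")


def refang(ioc: str) -> str:
    """Turn a defanged indicator (1.2.3[.]4, hxxp://) back into its live form."""
    return ioc.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def validate_iocs(iocs: Iterable[str]) -> List[str]:
    """Return the indicators that do not refang to a valid IP address, e.g. a
    mangled '103.125.218[.198', so a transcription error cannot silently drop a hit."""
    bad = []
    for raw in iocs:
        try:
            ipaddress.ip_address(refang(raw))
        except ValueError:
            bad.append(raw)
    return bad


def build_ioc_table(actor: Iterable[str], shared: Iterable[str]) -> Dict[str, str]:
    """Map each refanged IP to its tier; malformed entries raise rather than vanish."""
    table: Dict[str, str] = {}
    for tier, iocs in (("actor-controlled", actor), ("multi-tenant", shared)):
        bad = validate_iocs(iocs)
        if bad:
            raise ValueError(f"malformed IOCs in {tier}: {bad}")
        for raw in iocs:
            table[refang(raw)] = tier
    return table


def scan_log(lines: Iterable[str], table: Dict[str, str]) -> List[Tuple[int, str, str]]:
    """Return (line_no, ip, tier) for every IOC seen in any address field of each line."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in sorted(set(IPV4_RE.findall(line))):
            if ip in table:
                hits.append((n, ip, table[ip]))
    return hits


def suspicious_commands(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Return (line_no, user, command) for audited commands matching the tamper list."""
    found = []
    for n, line in enumerate(lines, 1):
        m = CMD_AUDIT_RE.search(line)
        if m and SUSPICIOUS_CMD_RE.match(m.group(2)):
            found.append((n, m.group(1), m.group(2)))
    return found


# Constructed sample: two connection events, one benign teardown, one audited command.
SAMPLE_LOG = """\
Apr 24 2024 10:01:02 fw-edge-01 %ASA-6-302013: Built outbound TCP connection 88421 for outside:192.36.57.181/443 (192.36.57.181/443) to inside:10.10.5.20/51544 (203.0.113.10/51544)
Apr 24 2024 10:01:09 fw-edge-01 %ASA-6-302014: Teardown TCP connection 88420 for outside:198.51.100.7/443 to inside:10.10.5.21/50012 duration 0:00:03 bytes 4102 TCP FINs
Apr 24 2024 10:02:44 fw-edge-01 %ASA-6-302013: Built inbound TCP connection 88430 for outside:45.63.119.131/60222 (45.63.119.131/60222) to inside:10.10.0.1/443 (203.0.113.1/443)
Apr 24 2024 10:03:00 fw-edge-01 %ASA-5-111008: User 'enable_15' executed the 'no logging enable' command.
"""


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    table = build_ioc_table(ACTOR_CONTROLLED, MULTI_TENANT)
    for hit in scan_log(lines, table):
        print("IOC hit:", hit)
    for cmd in suspicious_commands(lines):
        print("audited command:", cmd)
```

Hits against the multi-tenant tier deserve lower confidence than hits against actor-controlled addresses, since those hosts are shared with unrelated tenants; the tier is carried through in each hit so the triage rule can be applied downstream. The audited-command check only works while logs are still being forwarded, which is why it should run on the central collector rather than on the firewall itself.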