April 25, 2024 at 12:06PM
A state-sponsored threat actor tracked as UAT4356 conducted a global cyber espionage campaign by exploiting two Cisco zero-day vulnerabilities (CVE-2024-20353 and CVE-2024-20359) in Adaptive Security Appliance (ASA) firewall devices. Dubbed “ArcaneDoor,” the campaign targeted government networks and used two custom backdoors, “Line Dancer” and “Line Runner.” Organizations are advised to apply Cisco's fixed releases and hunt for signs of compromise on their perimeter devices.
The notes present an overview of the ArcaneDoor cyber espionage campaign targeting Cisco Adaptive Security Appliance (ASA) firewall devices. The campaign, carried out by a threat actor tracked as UAT4356, exploited two Cisco zero-day vulnerabilities to implant custom malware and execute commands across a small set of Cisco customers. The primary payloads are two custom backdoors: “Line Dancer,” an in-memory shellcode implant, and “Line Runner,” a persistent webshell. They were used for configuration modification, reconnaissance, network traffic capture and exfiltration, and potentially lateral movement.
The notes also emphasize the importance of promptly patching perimeter devices and enforcing strong multifactor authentication (MFA) to protect against similar attacks. They list indicators of compromise (IoCs) that customers can look for to detect ArcaneDoor activity, and provide steps that network administrators can take to identify and remove the Line Runner persistence backdoor from an ASA device once the patch is applied.
Additionally, the scope of the campaign includes evidence of the threat actor’s interest in and potential targeting of devices from Microsoft and other vendors, highlighting the need for organizations to remain vigilant and maintain close security monitoring of their perimeter devices.
The notes conclude by emphasizing the importance of organizations focusing on post-compromise tactics, techniques, and procedures (TTPs) of threat actors as part of a layered approach to defensive network operations. This includes testing known adversary behaviors and maintaining up-to-date hardware and software versions and configurations to address potential threats to perimeter devices.
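One post-compromise behaviour the notes attribute to Line Dancer is modification of the device configuration, and the closing recommendation is to keep perimeter configurations current and reviewed. The following is an added example, not code from the original report or from Cisco: a minimal running-config drift check that compares a saved baseline against a fresh capture of a firewall configuration, ignores lines that legitimately change between saves, and flags additions and removals an operator would want to review first (logging turned off, packet captures enabled, new local accounts). The ASA-style configuration lines, the volatile-line patterns, and the risk heuristics are all constructed for this illustration and are not indicators from the campaign.

```python
"""Baseline drift check for a perimeter-device configuration.

Added illustration only; not from the ArcaneDoor report or from Cisco.
All configuration text and patterns below are constructed sample data.
"""
import re

# Lines whose content changes on every save and must not raise an alert.
# Constructed for this example; extend for the platform in use.
VOLATILE = (
    re.compile(r"^: (Written|Saved) by "),
    re.compile(r"^: Serial Number: "),
)

# Additions that warrant immediate review on a perimeter device (constructed).
RISKY_ADDED = (
    re.compile(r"^capture \S+"),             # packet capture enabled
    re.compile(r"^username \S+ password"),   # new local account
    re.compile(r"^no logging "),             # logging explicitly disabled
)

# Removals that warrant immediate review (constructed): loss of any logging line.
RISKY_REMOVED = (
    re.compile(r"^logging "),
)


def normalize(config: str) -> list[str]:
    """Drop blank lines, '!' separators and volatile lines; preserve order."""
    kept = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if any(p.match(line) for p in VOLATILE):
            continue
        kept.append(line)
    return kept


def config_drift(baseline: str, current: str) -> dict[str, list[str]]:
    """Return the lines added to and removed from the baseline, in file order."""
    base, cur = normalize(baseline), normalize(current)
    base_set, cur_set = set(base), set(cur)
    return {
        "added": [line for line in cur if line not in base_set],
        "removed": [line for line in base if line not in cur_set],
    }


def triage(drift: dict[str, list[str]]) -> list[str]:
    """Flag the subset of drift that matches the high-risk heuristics."""
    flagged = []
    for line in drift["added"]:
        if any(p.match(line) for p in RISKY_ADDED):
            flagged.append("added: " + line)
    for line in drift["removed"]:
        if any(p.match(line) for p in RISKY_REMOVED):
            flagged.append("removed: " + line)
    return flagged


# Constructed baseline: the configuration as last reviewed by the operator.
BASELINE = """\
: Saved by admin at 10:00:00.000 UTC Mon Apr 1 2024
!
hostname edge-fw1
logging enable
logging host inside 10.0.0.5
username admin password REDACTED privilege 15
http server enable
http 10.0.0.0 255.255.255.0 inside
"""

# Constructed current capture: remote logging gone, a new account and a capture added.
CURRENT = """\
: Saved by admin at 03:14:07.000 UTC Thu Apr 25 2024
!
hostname edge-fw1
logging enable
username admin password REDACTED privilege 15
username svc_backup password REDACTED privilege 15
http server enable
http 10.0.0.0 255.255.255.0 inside
capture cap1 interface outside match ip any any
"""

if __name__ == "__main__":
    drift = config_drift(BASELINE, CURRENT)
    for kind in ("added", "removed"):
        for line in drift[kind]:
            print(f"{kind:>7}: {line}")
    print("review first:")
    for item in triage(drift):
        print("  " + item)
```

In practice the baseline comes from the last reviewed `show running-config` export and the current text from a fresh capture over the management interface; the check is cheap enough to run on every collection cycle, and a non-empty `triage` result is the signal to pull the device into an incident workflow rather than to trust the next config save.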