State-Sponsored Hackers Exploit Two Cisco Zero-Day Vulnerabilities for Espionage

April 25, 2024 at 03:01AM

A new state-sponsored malware campaign, which Cisco Talos has named ArcaneDoor, used two zero-day flaws in Cisco networking gear to deploy custom malware for covert data collection. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added both vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the fixes by May 1, 2024. The campaign is one more instance of the growing targeting of perimeter (edge) devices for cyber espionage.

Key takeaways from the article:

1. A sophisticated state-sponsored actor, tracked as UAT4356 by Cisco Talos and as Storm-1849 by Microsoft, has been attributed the new malware campaign called ArcaneDoor.

2. The campaign leveraged two zero-day vulnerabilities in Cisco networking gear to deploy two backdoors: 'Line Dancer', an in-memory implant, and 'Line Runner', a persistent web shell. They were used for configuration modification, reconnaissance, and capture and exfiltration of network traffic.

3. The exploited vulnerabilities are CVE-2024-20353 and CVE-2024-20359 in Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) Software; both have been added to CISA's Known Exploited Vulnerabilities (KEV) catalog.

4. The attacker took meticulous steps to evade detection, which indicates a deep understanding of the targeted devices' inner workings. Perimeter network devices therefore need current hardware and software and dedicated security monitoring, not just periodic patching.

5. The targeting of edge devices and platforms underlines the need to patch these devices promptly and to monitor them closely for signs of intrusion and espionage. Patching closes the flaws but does not by itself establish that a device was not already compromised, so patched devices should still be checked against the indicators and verification steps published by Cisco and Talos.
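The configuration-modification and monitoring points above (items 2, 4 and 5) call for a concrete check. The following Python is an added example, not code from the article, from Cisco, or from Talos: it diffs a known-good running-config snapshot of a perimeter firewall against the current one, ignores lines that legitimately vary between pulls (save timestamps, checksums), and flags changes that match a few high-risk patterns (management plane opened to any source, a permit-any rule, removed log forwarding). Both configuration snapshots, the hostname and the addresses are constructed sample text, and the ASA-style line syntax and the risk patterns are the example's own assumptions, not indicators published for ArcaneDoor.

```python
"""Golden-config drift detection for a perimeter firewall.

Added example (not from the article, Cisco, or Talos). Compares a trusted
"golden" running-config snapshot with the current one and reports lines
that were added or removed, then triages those lines against a small set
of high-risk patterns. The two configs below are constructed sample text
in ASA-style syntax; the hostname and addresses are made up.
"""
import difflib
import re

# Lines that legitimately differ between two pulls of the same config and
# must not be reported as drift (assumed volatile markers, not a full list).
VOLATILE = re.compile(r"^(: Written by |: Saved|Cryptochecksum:|: Serial Number:)")

# Added lines that should page someone (patterns are this example's own choice).
HIGH_RISK_ADDED = [
    (re.compile(r"^(http|ssh|telnet) 0\.0\.0\.0 0\.0\.0\.0"),
     "management plane exposed to any source"),
    (re.compile(r"^access-list .* permit .* any any"), "permit-any rule added"),
]

# Removed lines that weaken visibility.
HIGH_RISK_REMOVED = [
    (re.compile(r"^logging host "), "log forwarding removed"),
]

# Constructed sample: the config as last reviewed and approved.
GOLDEN = """\
: Saved
: Written by admin at 10:00:00.000 UTC Mon Apr 1 2024
hostname edge-fw1
interface GigabitEthernet0/0
 nameif outside
 security-level 0
access-list OUTSIDE_IN extended deny ip any any
http server enable
http 10.0.0.0 255.255.255.0 inside
ssh 10.0.0.0 255.255.255.0 inside
logging host inside 10.0.0.50
Cryptochecksum:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
"""

# Constructed sample: the config pulled from the device now.
CURRENT = """\
: Saved
: Written by admin at 03:12:41.000 UTC Thu Apr 25 2024
hostname edge-fw1
interface GigabitEthernet0/0
 nameif outside
 security-level 0
access-list OUTSIDE_IN extended permit tcp any any eq 443
access-list OUTSIDE_IN extended deny ip any any
http server enable
http 0.0.0.0 0.0.0.0 outside
http 10.0.0.0 255.255.255.0 inside
ssh 10.0.0.0 255.255.255.0 inside
Cryptochecksum:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
"""


def normalize(config: str) -> list[str]:
    """Drop blank and volatile lines and trailing whitespace so only
    meaningful changes survive the diff. Indentation is kept because it is
    significant in this syntax (sub-commands under an interface)."""
    return [ln.rstrip() for ln in config.splitlines()
            if ln.strip() and not VOLATILE.match(ln)]


def config_drift(golden: str, current: str) -> dict[str, list[str]]:
    """Return the lines present only in ``current`` (added) and only in
    ``golden`` (removed), in config order. An ordered diff rather than a
    set difference is used because ACL entry order matters."""
    added, removed = [], []
    for line in difflib.ndiff(normalize(golden), normalize(current)):
        if line.startswith("+ "):
            added.append(line[2:])
        elif line.startswith("- "):
            removed.append(line[2:])
    return {"added": added, "removed": removed}


def triage(drift: dict[str, list[str]]) -> list[tuple[str, str]]:
    """Map each drifted line to a reason when it matches a risk pattern.
    Unmatched drift is still drift; callers should review it, just with
    lower priority."""
    findings = []
    for line in drift["added"]:
        for pattern, reason in HIGH_RISK_ADDED:
            if pattern.search(line):
                findings.append((line, reason))
    for line in drift["removed"]:
        for pattern, reason in HIGH_RISK_REMOVED:
            if pattern.search(line):
                findings.append((line, reason))
    return findings


if __name__ == "__main__":
    drift = config_drift(GOLDEN, CURRENT)
    for kind in ("added", "removed"):
        for line in drift[kind]:
            print(f"{kind:>7}: {line}")
    for line, reason in triage(drift):
        print(f"ALERT ({reason}): {line}")
```

In practice the golden snapshot is stored off-box under change control and the current one is pulled on a schedule; any drift outside an approved change window is itself a finding, and the risk patterns only set priority. The triage list should be extended with the indicators Cisco and Talos published for this campaign rather than relying on generic patterns.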
