UPDATED 19:04 EDT / APRIL 24 2024

SECURITY

Cisco warns of state-sponsored cyberattacks targeting government networks

Cisco Systems Inc. today warned that a suspected nation-state actor has been actively exploiting two previously unknown security vulnerabilities in Cisco products since November to breach government networks.

The campaign, dubbed “ArcaneDoor,” is attributed to an actor that Cisco Talos tracks as UAT4356. Cisco first became aware of it when a customer contacted the company earlier this year to report suspicious activity on its Cisco Adaptive Security Appliances. Subsequent investigation identified additional victims, all of them government networks, with the earliest intrusions dating back to early November.

Cisco has yet to identify the initial access vector used in the attacks, but during the investigation it found the threat actor exploiting two so-called zero-day vulnerabilities, flaws that were unknown to the vendor at the time they were being exploited.

The first vulnerability, designated CVE-2024-20353, lies in the management and virtual private network web servers of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software. It could allow an unauthenticated, remote attacker to cause the device to reload unexpectedly, resulting in a denial-of-service condition.

The second vulnerability, designated CVE-2024-20359, lies in a legacy capability of Cisco ASA and FTD Software that allows virtual private network clients and plug-ins to be preloaded onto the device. It could allow an authenticated, local attacker to execute arbitrary code with root-level privileges.

The attackers were found to be deploying an implant called “Line Dancer,” a memory-resident shellcode interpreter that lets them upload and execute arbitrary shellcode payloads on the appliance. Shellcode is a small piece of machine code delivered as the payload of an exploit; because Line Dancer runs only in memory, it leaves no file on disk for a conventional scan to find.

The second implant, “Line Runner,” is a backdoor, a hidden means of bypassing the device’s normal access controls, deployed for persistence. It abuses the second of the two vulnerabilities, the legacy capability for preloading VPN clients and plug-ins, to keep the attacker’s access in place.
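The two implants described above leave different traces, one on disk and one only in memory, so an initial triage has to look in both places. The script below is an added example written for this page, not Cisco's or Talos's own tooling. It parses the saved text of two ASA CLI commands, `dir disk0:/` and `show memory region | include lina`, and flags the indicators Cisco Talos published for ArcaneDoor: a file named client_bundle.zip on disk0 is the on-disk component of Line Runner, and more than one executable memory region mapped for the lina process is the published sign of Line Dancer. The exact output formats (a /proc-maps-style listing for the memory regions, the path /asa/bin/lina) and the threshold of one expected executable region are assumptions here, and the sample output is constructed; run the parsers over output captured from a real appliance and follow Cisco's advisory for confirmation and remediation on any hit.

```python
import re

# Constructed sample of `dir disk0:/` output (file names and sizes are made up).
SAMPLE_DIR_DISK0 = """\
Directory of disk0:/

165    -rwx  3289088     11:08:38 Mar 04 2019  asdm-7131.bin
166    -rwx  123456789   11:10:02 Mar 04 2019  asa9-16-4-smp-k8.bin
11     -rwx  47136       08:55:42 Nov 02 2023  client_bundle.zip
12     drwx  4096        08:55:42 Nov 02 2023  coredumpinfo
"""

# Constructed samples of `show memory region | include lina`. Assumed to resemble
# /proc/<pid>/maps: start-end perms offset dev inode path. The suspicious sample
# has a second executable region that the binary image alone does not explain.
SUSPICIOUS_MEMORY_REGIONS = """\
00400000-0ea60000 r-xp 00000000 08:01 12345 /asa/bin/lina
0ec60000-0f100000 rw-p 0e660000 08:01 12345 /asa/bin/lina
7f2a1c000000-7f2a1c021000 r-xp 00000000 00:00 0 [lina]
"""
CLEAN_MEMORY_REGIONS = """\
00400000-0ea60000 r-xp 00000000 08:01 12345 /asa/bin/lina
0ec60000-0f100000 rw-p 0e660000 08:01 12345 /asa/bin/lina
"""

LINE_RUNNER_ARTIFACT = "client_bundle.zip"

# index  perms  size  time  Mon dd yyyy  name
DIR_LINE = re.compile(
    r"^\s*(?P<index>\d+)\s+(?P<perms>[-dlrwx]+)\s+(?P<size>\d+)\s+\S+\s+"
    r"\w{3}\s+\d{1,2}\s+\d{4}\s+(?P<name>\S.*?)\s*$"
)
# start-end perms offset dev inode path
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"\S+\s+\S+\s+\d+\s*(?P<path>.*)$"
)


def parse_dir_listing(text):
    """Return (name, size, is_directory) for each entry line of `dir disk0:/`."""
    entries = []
    for line in text.splitlines():
        m = DIR_LINE.match(line)
        if m:
            entries.append((m.group("name"), int(m.group("size")), "d" in m.group("perms")))
    return entries


def line_runner_indicators(dir_output):
    """Names of files on disk0 that match the published Line Runner artifact."""
    return [name for name, _size, is_dir in parse_dir_listing(dir_output)
            if not is_dir and name.lower() == LINE_RUNNER_ARTIFACT]


def other_archives(dir_output):
    """Any other .zip on disk0; not an indicator by itself, but worth a look."""
    return [name for name, _size, is_dir in parse_dir_listing(dir_output)
            if not is_dir and name.lower().endswith(".zip")
            and name.lower() != LINE_RUNNER_ARTIFACT]


def executable_lina_regions(memory_output):
    """Memory regions attributed to lina that carry the execute permission."""
    regions = []
    for line in memory_output.splitlines():
        m = MAPS_LINE.match(line)
        if m and "lina" in m.group("path") and "x" in m.group("perms"):
            regions.append((m.group("start"), m.group("end"), m.group("perms"),
                            m.group("path").strip()))
    return regions


def line_dancer_suspected(memory_output, expected_executable_regions=1):
    """Assumption: a healthy lina process maps exactly one executable image region."""
    return len(executable_lina_regions(memory_output)) > expected_executable_regions


def triage(dir_output, memory_output):
    """Combine both checks into a list of findings; an empty list means no hit."""
    findings = []
    for name in line_runner_indicators(dir_output):
        findings.append(f"HIGH: {name} present on disk0 (Line Runner persistence artifact)")
    for name in other_archives(dir_output):
        findings.append(f"REVIEW: unexpected archive {name} on disk0")
    if line_dancer_suspected(memory_output):
        count = len(executable_lina_regions(memory_output))
        findings.append(f"HIGH: {count} executable lina memory regions (possible Line Dancer)")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_DIR_DISK0, SUSPICIOUS_MEMORY_REGIONS):
        print(finding)
```

A clean appliance produces no findings from `triage`; the constructed samples produce one finding for each implant. Because Line Dancer is memory-only, a device that has been rebooted since the intrusion may show no memory-region hit while the Line Runner archive is still on disk, which is why the script reports the two checks independently rather than requiring both.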

“This actor utilized bespoke tooling that demonstrated a clear focus on espionage and an in-depth knowledge of the devices that they targeted, hallmarks of a sophisticated state-sponsored actor,” Cisco Talos researchers noted in a blog post. The researchers added that software fixes are available for both zero-days.

“We’ve seen time and time again critical … vulnerabilities being exploited with all of the mainstream security appliances and software, for example Ivanti, Citrix, Cisco, Palo Alto and so on,” Andrew Costis, chapter lead of the Adversary Research Team at security company AttackIQ Inc., told SiliconANGLE. “Once an exploit is actively being used in the wild, it then comes down to the goals and objectives of the actors and groups post-compromise. While the initial access vector will be unique from one zero-day to the next, the post-compromise tactics, techniques and procedures are equally important to focus on.”

Photo: Wikimedia Commons
