The ArcaneDoor campaign is an example of state-sponsored actors targeting perimeter network devices from various vendors, focusing on espionage. These devices serve as a critical entry point into networks and need regular patching, updated hardware, and close monitoring for security. Identified as UAT4356 by Cisco’s Talos team, the actor utilized backdoors called “Line Runner” and “Line Dancer” to conduct malicious actions on targeted devices, leading to configuration changes, network traffic manipulation, and potential lateral movement.
Cisco uncovered a sophisticated attack chain implanting custom malware across a few customers, including two vulnerabilities (CVE-2024-20353 and CVE-2024-20359). The investigation revealed that these actors are also targeting Microsoft Exchange servers and devices from other vendors besides Cisco. The timeline indicates a variety of activity dating back to July 2023, with most actions concentrated between December 2023 and early January 2024.
The Line Dancer implant, used by UAT4356, operates as a memory-only shellcode interpreter that allows for the execution of arbitrary commands on compromised devices. On the other hand, Line Runner provides persistence on devices by pre-loading VPN clients and plugins. It was observed being used to retrieve information staged through Line Dancer.
The attackers took steps to hinder forensic analysis, showing a thorough understanding of ASA systems. They disabled logging, tampered with functions, and obfuscated commands to evade detection. Furthermore, their infrastructure showed mappings to an OpenConnect VPN Server, indicating a specific level of operation.
To protect against such threats, organizations are advised to follow recommendations published by Cisco, update devices with the provided patches, and employ security measures such as centralized logging and multi-factor authentication. Additional forensic recovery methods and indicators of compromise are provided to help identify potential compromises. Cisco’s Secure Firewall appliances, Umbrella, and Snort Subscriber Rule Set can help detect malicious activity associated with this threat.
Overall, the campaign showcases a high level of sophistication by state-sponsored actors with a focus on espionage and anti-forensic measures, requiring organizations to be vigilant in securing their networks and devices. The investigation was conducted with the support of multiple organizations to uncover the full extent of the threat and provide recommendations for defending against similar attacks.
Article Source
https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/
