ArcaneDoor Campaign: Cisco Zero-Day Vulnerabilities Threaten 162K Hosts Worldwide
Recent findings by Cisco Talos have unveiled a coordinated threat actor campaign dubbed “ArcaneDoor,” targeting government-owned network devices globally. The campaign exploited zero-day vulnerabilities in Cisco’s Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. Censys counts an estimated 162,735 hosts running ASA exposed on the internet; that figure is a measure of exposure, not of confirmed vulnerable or compromised devices.
Cisco Talos reports that the campaign began operating in January 2024. It used sophisticated tactics against perimeter network devices from several vendors, with Cisco devices the primary focus. Three vulnerabilities were identified: CVE-2024-20353, CVE-2024-20359, and CVE-2024-20358. The first two, CVE-2024-20353 and CVE-2024-20359, were actively exploited in the campaign.
“As of Monday, April 29, 2024, Censys observed over 162,700 hosts running Cisco Adaptive Security Appliance software online (services.software.product="Adaptive Security Appliance"). The digital footprint of Firepower Threat Defense hosts is significantly smaller, with less than ten observed online. Censys does not have visibility into the software versions of these products,” reads the Censys report.
The exposure is global: Censys reports over 51,000 Cisco ASA devices exposed in the United States alone, followed by China, Germany, the United Kingdom, and Russia. These counts reflect how widely ASA is deployed at the perimeter of government and enterprise networks. Because Censys cannot see software versions, they do not indicate how many of those devices are unpatched or already compromised.
Cisco has released security updates that address the exploited vulnerabilities, and there are no workarounds; every organization running Cisco ASA or FTD software should upgrade to a fixed release immediately. Since a device may have been compromised before the patch was applied, Cisco has also provided a procedure administrators can use to check the integrity of their devices. Patching and the integrity check go together: an upgraded device that was already implanted is not made clean by the upgrade alone.
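As an added example (not Cisco's or Talos's code, and not part of the original article), the script below parses the first line of ASA `show version` output and flags devices whose release is older than the first fixed release for their software train, which is the first step of a fleet-wide patch triage. The `FIRST_FIXED` values are assumed placeholders that must be replaced with the releases listed in Cisco's advisory for these CVEs, the hostnames are hypothetical, and the sample `show version` output is constructed. It handles ASA output only; FTD reports its version differently.

```python
"""Patch-triage helper for Cisco ASA `show version` output.

Added example, not vendor code. FIRST_FIXED holds ASSUMED placeholder values;
replace them with the first fixed releases from the Cisco advisory before use.
A "patched" verdict only means the software is at or above the fixed release;
it says nothing about whether the device was implanted before the upgrade, so
Cisco's integrity-check procedure must still be run.
"""
import re
from typing import Dict, Optional, Tuple

# ASA version strings look like 9.16(4)57: major.minor(maintenance)interim.
# The interim number is sometimes absent, e.g. 9.12(4).
Version = Tuple[int, int, int, int]

_VERSION_RE = re.compile(
    r"Adaptive Security Appliance Software Version\s+"
    r"(?P<major>\d+)\.(?P<minor>\d+)\((?P<maint>\d+)\)(?P<interim>\d+)?"
)

# ASSUMED placeholder table keyed by (major, minor) train. Fill from the advisory;
# trains with no fixed release (the advisory tells you to migrate) are left out.
FIRST_FIXED: Dict[Tuple[int, int], Version] = {
    (9, 12): (9, 12, 4, 67),
    (9, 16): (9, 16, 4, 57),
    (9, 18): (9, 18, 4, 22),
}

# Constructed sample of the opening lines of `show version` on an ASA.
SAMPLE_SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 9.16(4)42
SSP Operating System Version 2.10(1.179)
Device Manager Version 7.18(1)
"""


def parse_version(show_version: str) -> Optional[Version]:
    """Return (major, minor, maintenance, interim) or None if not ASA output."""
    m = _VERSION_RE.search(show_version)
    if not m:
        return None
    interim = int(m["interim"]) if m["interim"] else 0
    return (int(m["major"]), int(m["minor"]), int(m["maint"]), interim)


def assess(show_version: str) -> str:
    """Classify one device as patched, vulnerable, train-not-in-table or unknown."""
    v = parse_version(show_version)
    if v is None:
        return "unknown"  # not ASA output or unparseable: inspect by hand
    fixed = FIRST_FIXED.get(v[:2])
    if fixed is None:
        return "train-not-in-table"  # table incomplete, or a train with no fix
    # Tuple comparison orders 9.16(4)42 below 9.16(4)57 as intended.
    return "patched" if v >= fixed else "vulnerable"


def triage(outputs: Dict[str, str]) -> Dict[str, str]:
    """Map hostname -> verdict for a collection of `show version` captures."""
    return {host: assess(text) for host, text in outputs.items()}


if __name__ == "__main__":
    fleet = {  # hypothetical hostnames with constructed output
        "fw-edge-1": SAMPLE_SHOW_VERSION,
        "fw-edge-2": "Cisco Adaptive Security Appliance Software Version 9.18(4)30",
        "fw-legacy": "Cisco Adaptive Security Appliance Software Version 9.8(4)48",
    }
    for host, verdict in sorted(triage(fleet).items()):
        print(f"{host}: {verdict}")
```

Feed it the captured `show version` text from each device (for example, collected over SSH by whatever inventory tooling is already in place) and treat every result other than `patched` as work: `vulnerable` means upgrade now, `train-not-in-table` means consult the advisory for that train, and `unknown` means the capture is not an ASA and needs a different check.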
The ArcaneDoor campaign underscores the danger posed by state-sponsored actors targeting perimeter devices, which sit outside most endpoint monitoring and make attractive footholds into a network. Network administrators should patch promptly, verify device integrity rather than assume an upgrade is enough, send device logs to a central location where tampering on the device itself cannot erase them, and apply hardening best practices to protect their critical infrastructure.