Nation-State Hackers Breach Cisco Devices in “ArcaneDoor” Espionage Campaign

ArcaneDoor campaign (CVE-2024-20353 and CVE-2024-20359)

A sophisticated and ongoing cyberattack dubbed “ArcaneDoor” has breached Cisco firewalls across the globe. The campaign is linked to a state-sponsored threat actor who employed two zero-day vulnerabilities, giving them extensive control over compromised devices. Security experts at Cisco Talos, along with external partners, uncovered the attack, which appears designed for long-term espionage on critical infrastructure targets.

Attack Methodology

The hackers leveraged the following vulnerabilities to gain a foothold in targeted systems:

  • CVE-2024-20353: Allows attackers to cause a denial of service (DoS) by sending crafted HTTP requests, triggering device reloads.
  • CVE-2024-20359: Enables attackers with administrator access to execute arbitrary code with root privileges, potentially leading to full system compromise. The code can persist even after the device reboots.

Once inside, the threat actors deployed two custom backdoors:

  • “Line Runner”: Used for configuration modifications and network surveillance.
  • “Line Dancer”: Facilitates network traffic capture, data exfiltration, and potentially lateral movement within infected networks.

Targets and Motives

The ArcaneDoor campaign displays hallmarks of a state-sponsored operation, with victims observed in government sectors worldwide. Intelligence suggests that the primary goal is espionage, with a particular focus on telecommunications providers and energy sector organizations – both of which are critical parts of a nation’s infrastructure.

Cisco’s Response and Security Recommendations

Cisco has released security updates to address CVE-2024-20353 and CVE-2024-20359. Here’s what organizations need to do immediately:

  • Patch Systems: Apply the security updates to all vulnerable Cisco ASA and Firepower Threat Defense (FTD) devices as soon as possible. There are no known workarounds.
  • Monitor for Compromise: Review system logs for signs of configuration changes, unexpected reboots, or anomalous activity.
  • Enhance Network Hygiene: Regularly update device software and hardware. Implement strong security configurations and continuously monitor your network for suspicious behavior.

The Rise of Attacks on Network Devices

The ArcaneDoor campaign underscores the growing threat to perimeter network devices. These devices are highly attractive to state-backed hackers as they provide a direct path into an organization. Vigilant patching and strong security practices are more crucial than ever to safeguard sensitive data and critical infrastructure.