Cisco’s ArcaneDoor Campaign: An Analysis of the Exploitation of Firewall Vulnerabilities

In early 2024, Cisco’s Product Security Incident Response Team (PSIRT) and Cisco Talos unveiled a cyber espionage campaign dubbed ArcaneDoor, targeting specific Cisco devices running Adaptive Security Appliance (ASA) Software or Cisco Firepower Threat Defense (FTD) Software. This campaign involved the deployment of malware, execution of unauthorized commands, and potential data exfiltration from compromised devices.

Discovery and Impact

The attacks leveraged two critical vulnerabilities identified as CVE-2024-20353 and CVE-2024-20359. These vulnerabilities were exploited to implant custom malware and achieve persistence on the targeted devices, compromising their integrity and security.

  1. CVE-2024-20353: A high-severity vulnerability with a CVSS Base Score of 8.6, associated with a Denial of Service flaw in web services. This vulnerability could disrupt the operational capabilities of the devices, making them unresponsive or causing them to reboot unexpectedly, which could facilitate further malicious actions.
  2. CVE-2024-20359: Another high-severity vulnerability, scored at 6.0, enabled persistent local code execution. This flaw allowed attackers to maintain a foothold on the device even after initial exploitation, facilitating long-term espionage and data extraction activities.

Technical Details of the Attack

The ArcaneDoor campaign was characterized by its sophisticated techniques and a deep understanding of the targeted systems. The attackers used a combination of memory-only and persistent backdoors, namely “Line Dancer” and “Line Runner.”

  • Line Dancer: A memory-resident shellcode interpreter that allowed the execution of arbitrary shellcode submitted through the host-scan-reply field. This field is normally used during SSL VPN or IPsec IKEv2 VPN sessions. By overriding the pointer to the default host-scan-reply code, the attackers could execute commands directly on the device without legitimate authentication.
  • Line Runner: A persistent backdoor installed through the exploitation of CVE-2024-20359. This backdoor utilized the device’s functionality to preload VPN clients and plugins. At boot, if a specially crafted ZIP file named following a specific pattern was found, it would execute a script named csco_config.lua, which made various changes to the device’s configuration and enabled persistent HTTP-based backdoor access.

Forensic Identification and Mitigation

To detect and mitigate these threats, Cisco provided detailed instructions:

  • Upgrading Firmware: Users were advised to upgrade their devices with the latest firmware updates that patched the exploited vulnerabilities.
  • Forensic Investigations: For devices suspected to be compromised, Cisco recommended checking for unusual .zip files on disk0:, indicative of Line Runner’s presence. Additionally, examining memory regions for anomalies that could suggest the presence of Line Dancer was advised.
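The disk0: check described above can be scripted for an investigator who has captured a `dir disk0:` listing (and copied any archives off the box) rather than working by eye. The following is an added example written for this article, not code from Cisco or Netizen: it parses a listing in the ASA/FTD `dir` layout, flags every .zip that is not on a known-good allowlist (the exact file-name pattern Line Runner uses is not reproduced here, so all unexpected archives are treated as suspect), and inspects an archive's member names offline for csco_config.lua without extracting or running anything. The listing text, the file names and the sample archive are constructed for the demonstration; the column layout is an assumption about the device's output and should be checked against a real listing before use.

```python
import io
import re
import zipfile
from dataclasses import dataclass

# Constructed sample of `dir disk0:` output in the ASA/FTD listing layout
# (index, permissions, size, time, date, name). Names are invented.
SAMPLE_DIR_OUTPUT = """\
Directory of disk0:/

11     -rwx  27252736    14:21:20 Mar 05 2024  asa-image.bin
12     -rwx  1788        15:10:12 Mar 05 2024  startup-config.bak
13     -rwx  9632        03:14:07 Apr 12 2024  vpn_plugin_update.zip
14     -rwx  56320       15:11:03 Mar 05 2024  anyconnect-webdeploy.pkg
15     drwx  4096        15:11:03 Mar 05 2024  log

8192000000 bytes total (7900000000 bytes free)
"""

# One directory-entry line: index, perms, size, HH:MM:SS, "Mon DD YYYY", name.
ENTRY_RE = re.compile(
    r"^\s*(?P<index>\d+)\s+(?P<perms>[-drwx]{4})\s+(?P<size>\d+)\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<date>[A-Za-z]{3} \d{2} \d{4})\s+(?P<name>\S.*)$"
)

# Script Line Runner executes at boot (name taken from the article).
CONFIG_SCRIPT_NAME = "csco_config.lua"


@dataclass
class FlashEntry:
    index: int
    perms: str
    size: int
    timestamp: str
    name: str

    @property
    def is_dir(self) -> bool:
        return self.perms.startswith("d")


def parse_dir_listing(text: str) -> list:
    """Turn raw `dir disk0:` text into FlashEntry records; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(FlashEntry(int(m["index"]), m["perms"], int(m["size"]),
                                      f"{m['date']} {m['time']}", m["name"]))
    return entries


def find_suspicious_entries(entries: list, allowlist=frozenset()) -> list:
    """Return entries worth a closer look: any .zip not on the allowlist, and any
    file whose name contains the Line Runner config script name."""
    flagged = []
    for e in entries:
        if e.is_dir:
            continue
        lower = e.name.lower()
        if (lower.endswith(".zip") and e.name not in allowlist) or CONFIG_SCRIPT_NAME in lower:
            flagged.append(e)
    return flagged


def zip_contains_config_script(zip_bytes: bytes) -> bool:
    """True if the archive carries csco_config.lua at any path. Only member names
    are listed; nothing is extracted or executed. Unreadable data returns False."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return any(n.rsplit("/", 1)[-1].lower() == CONFIG_SCRIPT_NAME for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def build_sample_zip(with_script: bool) -> bytes:
    """Constructed test archive; the .lua member is a harmless placeholder comment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("plugins/readme.txt", "constructed sample\n")
        if with_script:
            zf.writestr("csco_config.lua", "-- constructed placeholder, not real content\n")
    return buf.getvalue()


if __name__ == "__main__":
    for e in find_suspicious_entries(parse_dir_listing(SAMPLE_DIR_OUTPUT)):
        print(f"review: {e.name} ({e.size} bytes, {e.timestamp})")
    print("sample archive ships config script:", zip_contains_config_script(build_sample_zip(True)))
```

In practice the listing would come from the device console and the archive bytes from a copy taken for analysis; a hit from either function is a trigger for the fuller forensic process in Cisco's guidance, not a verdict on its own.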

Recommendations for Network Security

Given the sophistication and potential impact of the ArcaneDoor campaign, Cisco has emphasized the importance of maintaining robust security practices:

  • Routine Patching: Keeping all network devices updated with the latest security patches to mitigate vulnerabilities.
  • Enhanced Monitoring: Implementing advanced monitoring strategies to detect unusual activity and potential breaches in network perimeter devices.
  • Strong Authentication: Utilizing strong, multi-factor authentication to safeguard against unauthorized access.

How Can Netizen Help?

Netizen ensures that security gets built-in and not bolted-on, providing advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service,” through which companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.

We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

Questions or concerns? Feel free to reach out to us any time –

Copyright © Netizen Corporation. All Rights Reserved.