Latest Headline

A sophisticated espionage campaign, dubbed "ArcaneDoor," is targeting government entities and organizations within critical infrastructure sectors. This campaign exploited two vulnerabilities in Cisco's Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) devices, starting in April 2024.  

Key Points:

• Discovered in late 2023

• Linked to state-sponsored activities, likely China 

• 2 IOCs as of publication

Fletch is constantly monitoring the threat landscape. The data in this guide is most up to date as of publication. Check out ArcaneDoor’s Threat Board for any updates or join the waitlist to be in the know for every threat.

ArcaneDoor Campaign Summary

The ArcaneDoor campaign has emerged as a sophisticated cyber espionage effort that leverages zero-day vulnerabilities in Cisco's security appliances to target governmental networks globally. It exploits two vulnerabilities within Cisco’s ASA and FTD systems, identified as CVE-2024-20353 and CVE-2024-20359. These vulnerabilities allow attackers to execute arbitrary code and maintain persistence on the devices, even through reboots, which significantly enhances their ability to conduct espionage and maintain long-term access to sensitive environments.

Cisco has responded swiftly by releasing patches for these vulnerabilities and urging users to update their devices to protect against these attacks.

• Severity: Critical

• Maturity: Mainstream

• IOCs: 0 Malware hashes and 2 vulnerabilities

• Targets: 1 tech target, 3 industry targets, and 12 geo targets

Learn more about Fletch’s metrics in the Fletch Help Center.

ArcaneDoor Campaign Victims and Motivations

The ArcaneDoor campaign targeted government networks across the globe in order to execute malicious payloads and perform various actions like disabling logging and capturing device configurations. 

Research by Censys points towards the involvement of a China-based actor, highlighted by connections to major Chinese networks and the discovery of Chinese-developed anti-censorship software. This analysis is supported by the presence of SSL certificates and attacker-controlled IP addresses linked to China, with ongoing activity indicated by the fact that half of the identified IPs remain online.

ArcaneDoor Campaign Tactics

ArcaneDoor's methodology includes two specific tools: Line Runner and Line Dancer. Line Runner is a persistent backdoor that allows the threat actors to execute arbitrary Lua scripts and manipulate web traffic, effectively maintaining control over compromised devices. Line Dancer is deployed as an in-memory shellcode loader that facilitates various espionage activities such as data exfiltration and command execution without leaving a significant footprint on the device's storage.

The ArcaneDoor campaign demonstrates strategic use of network perimeter devices as entry points. These devices are critical for data flow management into and out of networks, making them ideal targets for establishing long-term access to sensitive environments. The fact that these vulnerabilities allow attackers to execute code and maintain persistence even after device reboots compounds the threat.

Mitigation Advice

At the time of publication this was the mitigation advice against ArcaneDoor:

Short-Term:

• Verify Device Integrity: Follow Cisco’s guidance to verify the integrity of ASA or FTD devices to ensure they haven’t been compromised. 

• Patch Systems Immediately: Apply the latest security updates released by Cisco for ASA and FTD devices to address CVE-2024-20353 and CVE-2024-20359 vulnerabilities.

Long-Term:

• Limit the use of PowerShell to only administrators and restrict what commands can be executed.

• Install and regularly update antivirus software on all company devices.

• Educate employees on safe online behavior and implement strong security policies.

• Focus on monitoring and detecting suspicious activities within your network.

• Install script blocking extensions and adblockers on all company computers.

You can check out the most recent mitigation measures by creating an account when you join the Fletch waitlist.

Communication 

On top of mitigation advice, Fletch also provides Beta AI generated communications so you can educate your different company stakeholders. At the time of publication, this was what was recommended for the following:

For employees:

For customers:

For more templates for your different stakeholders, create a workspace when you join the Fletch waitlist. 

Takeaway

In summary, the ArcaneDoor campaign is a clear reminder of the persistent threat posed by state-sponsored cyber actors. Organizations are advised to apply the latest security patches, monitor their network devices for signs of compromise, and implement robust detection tools to safeguard against such advanced threats.

ArcaneDoor is just one example of an ever evolving threat that requires in-depth cyber intelligence to stay on top of. Fletch helps you keep track of, and prioritizes, them all. 

As the de facto record on the threat landscape, our AI engine is constantly scanning and indexing the threat landscape for you so you can plug the gaps in your security. You can use Fletch to prioritize your alerts, detect threats to your tech and people early, or simply to become an instant expert on any threat at any time. 

Learn more about Fletch’s threat intelligence or join the waitlist and try it for yourself.

1. Artic Wolf [CVE-2024-20353 and CVE-2024-20359: Cisco ASA and FTD Vulnerabilities Exploited by State-Sponsored Threat Actor in Espionage Campaign “ArcaneDoor”](https://arcticwolf.com/resources/blog/cve-2024-20353-and-cve-2024-20359/)

2. SecurityWeek [ArcaneDoor Espionage Campaign Targeting Cisco Firewalls Linked to China](https://www.securityweek.com/arcanedoor-espionage-campaign-targeting-cisco-firewalls-linked-to-china/)

3. GBHackers on Security [Hackers Exploit Cisco Firewall Zero-Days To Hack Government Networks](https://gbhackers.com/hackers-exploit-cisco-firewall-zero-days-to-hack-government-networks/)

4. censys [Analysis of ArcaneDoor Threat Infrastructure Suggests Potential Ties to Chinese-based Actor](https://censys.com/analysis-of-arcanedoor-threat-infrastructure-suggests-potential-ties-to-chinese-based-actor/)