ArcaneDoor is a sophisticated, state-sponsored campaign waged by an unknown threat actor that Talos tracks as UAT4356 and Microsoft tracks as STORM-1849. The campaign was discovered by Cisco’s PSIRT and Talos, together with external partners, in early 2024, though evidence suggests it began as early as July 2023. The attacker used two zero-day vulnerabilities in Cisco Adaptive Security Appliances (ASAs): CVE-2024-20353, a remote denial of service vulnerability, and CVE-2024-20359, an arbitrary code execution vulnerability that requires local administrator access. The initial access technique has not yet been identified. The attacker appears highly sophisticated and has taken significant steps to obfuscate the campaign.
These two vulnerabilities are not particularly severe in isolation. CVE-2024-20353 is a denial of service vulnerability in Cisco ASAs that leaves affected devices unable to provide their IPS and VPN functions. CVE-2024-20359 requires local, authenticated access to exploit. If evidence of exploitation of these two vulnerabilities is found within an organization, this sophisticated threat actor is likely involved. Now that both vulnerabilities are public, we expect less sophisticated attackers to begin incorporating them into their toolkits.
Risks
Attackers could exploit software weaknesses to implant malware and obtain persistence on affected devices.
What To Do
- Upgrade to a fixed software release as soon as possible to prevent future attacks. The Canadian Centre for Cyber Security has released detailed, step-by-step instructions on updating your device (Section 4 of its alert). As of this publication, the most recent available fixed software versions are:
- 9.16.4.57
- 9.18.4.22
- 9.20.2.10
- Verify the integrity of your ASA device. In its post detailing the campaign’s discovery, Cisco Talos gives detailed instructions on how to detect exploitation of these vulnerabilities, along with a number of Indicators of Compromise (IOCs). If compromise is found, Cisco Talos asks organizations to contact its team directly. Additional instructions are available in Cisco’s Event Response post.
- Identify and review assets or vendors running Cisco ASA:
- Search for CVE-2024-20353 and CVE-2024-20359 or use the ArcaneDoor vulnerability group in Vulnerability Detection.
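To turn the upgrade guidance above into a repeatable inventory check, here is an added Python example that is not part of the original advisory and not Cisco's own tooling. It parses the version line from ASA `show version` output (or a dotted version string from an asset export) and compares it with the three releases listed above. It assumes that a build at or above the listed release on the same train contains the fix, that any other train must be checked against Cisco's advisory rather than guessed, and that the `show version` line format and device names in the sample are constructed for illustration.

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int, int]

# Fixed releases per major.minor train, taken from the advisory text above.
# Assumption (not stated on the page): a build at or above the listed one on the
# same train contains the fix; trains not listed must be checked against Cisco's advisory.
FIXED_RELEASES: Dict[Tuple[int, int], Version] = {
    (9, 16): (9, 16, 4, 57),
    (9, 18): (9, 18, 4, 22),
    (9, 20): (9, 20, 2, 10),
}

# ASA prints its version as e.g. "9.18(4)22" (assumed format); inventories often
# store the same build as "9.18.4.22". Both forms are accepted.
_PAREN_RE = re.compile(r"Software Version (\d+)\.(\d+)\((\d+)\)(\d+)")
_DOTTED_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> Optional[Version]:
    """Extract a (major, minor, maintenance, build) tuple, or None if not found."""
    m = _PAREN_RE.search(text) or _DOTTED_RE.match(text.strip())
    if not m:
        return None
    major, minor, maint, build = (int(g) for g in m.groups())
    return (major, minor, maint, build)


def assess(version: Version) -> str:
    """Classify a version as 'fixed', 'needs-upgrade', or 'unknown-train'.

    Tuple comparison orders (9, 16, 4, 50) below (9, 16, 4, 57), which is exactly
    the per-train minimum check we want.
    """
    floor = FIXED_RELEASES.get(version[:2])
    if floor is None:
        return "unknown-train"
    return "fixed" if version >= floor else "needs-upgrade"


def triage_inventory(devices: Dict[str, str]) -> Dict[str, str]:
    """Map each device name to its assessment; unparsable input is flagged, not skipped."""
    result: Dict[str, str] = {}
    for name, text in devices.items():
        version = parse_version(text)
        result[name] = assess(version) if version else "unparsed"
    return result


# Constructed sample input resembling `show version` output and an inventory export.
SAMPLE_DEVICES: Dict[str, str] = {
    "fw-edge-01": "Cisco Adaptive Security Appliance Software Version 9.18(4)22\n"
                  "Device Manager Version 7.18(4)",
    "fw-edge-02": "Cisco Adaptive Security Appliance Software Version 9.16(4)50",
    "fw-branch-07": "9.20.2.10",
    "fw-legacy-03": "Cisco Adaptive Security Appliance Software Version 9.12(4)65",
    "fw-unknown": "no version captured",
}

if __name__ == "__main__":
    for name, status in triage_inventory(SAMPLE_DEVICES).items():
        print(f"{name}: {status}")
```

Devices reported as `unknown-train` or `unparsed` need a manual look rather than being treated as safe; a version check is only a first pass and does not replace the integrity verification Cisco Talos describes.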
Resources
- Cisco Talos, “ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices”
- Cisco, “Cisco Event Response: Attacks Against Cisco Firewall Platforms”
- The Canadian Centre for Cyber Security, “Cyber Activity Impacting CISCO ASA VPNs”
- NIST, “CVE-2024-20353”
- NIST, “CVE-2024-20359”