Government-Backed Hackers Utilize Two Cisco Zero-Day Vulnerabilities for Espionage Purposes

Cisco Zero-Day Exploits Used in ArcaneDoor Malware Campaign Targeting Networking Gear

A new malware campaign leveraging zero-day flaws in Cisco networking gear has been uncovered, allowing a sophisticated state-sponsored actor to conduct covert data collection on target environments. The campaign, dubbed ArcaneDoor by Cisco Talos, utilized two backdoors named ‘Line Runner’ and ‘Line Dancer’ to carry out malicious actions such as configuration modification, reconnaissance, and network traffic capture/exfiltration.

The vulnerabilities exploited in this campaign, CVE-2024-20353 and CVE-2024-20359, were first detected in early January 2024. These vulnerabilities, found in Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) Software, allowed the attackers to execute arbitrary code with root-level privileges and to conduct denial-of-service attacks.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added these vulnerabilities to its Known Exploited Vulnerabilities catalog, requiring federal agencies to apply the vendor-provided fixes by May 1, 2024. The exact initial access pathway used by the attackers remains unknown, but they had been preparing for the intrusion since July 2023.

The threat actors behind ArcaneDoor have demonstrated a high level of sophistication in evading detection and hiding their digital footprints. While the country responsible for these attacks is unclear, both Chinese and Russian state-backed hackers have targeted Cisco routers for cyber espionage in the past.

This incident underscores the increased targeting of edge devices and platforms by threat actors, emphasizing the importance of promptly patching vulnerabilities and closely monitoring network security. Perimeter network devices are a critical entry point for malicious actors: once compromised, they allow an attacker to pivot into an organization, reroute traffic, and monitor communications.
