Hackers Exploit Cisco Firewall Zero-Days to Hack Government Networks

Security researchers at Cisco Talos have uncovered a sophisticated cyber espionage campaign dubbed “ArcaneDoor” conducted by a state-sponsored threat actor tracked as UAT4356 (STORM-1849).

This campaign targeted government networks globally by exploiting multiple zero-day vulnerabilities in Cisco’s Adaptive Security Appliance (ASA) firewalls.

The attack chain leveraged two custom malware implants – “Line Dancer” and “Line Runner” – to gain persistent access and remote control over compromised ASA devices.

Line Dancer was an in-memory shellcode interpreter that enabled executing arbitrary payloads, while Line Runner provided a persistent backdoor by abusing a legacy VPN client pre-loading functionality.

“Cisco uncovered a sophisticated attack chain that was used to implant custom malware and execute commands across a small set of customers. While Cisco researchers have been unable to identify the initial attack vector, we have identified two vulnerabilities (CVE-2024-20353 and CVE-2024-20359) that were abused in this campaign.”

Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide

Initial Compromise and Line Dancer Implant

The initial attack vector used to compromise ASA firewalls remains unknown. However, once access was obtained, the hackers deployed the Line Dancer implant – a memory-resident shellcode interpreter.

This allowed them to upload and execute malicious payloads via the host-scan-reply field of the SSL VPN session establishment process.

Line Dancer provided the capability to disable logging, capture device configurations, sniff network traffic, execute CLI commands, and even bypass authentication mechanisms.

It hooked critical functions like crash dumps to hinder forensic analysis and rebooted devices to remove itself from memory.

Persistent Line Runner Backdoor

To maintain access, the hackers exploited two zero-day vulnerabilities (CVE-2024-20353 and CVE-2024-20359) to install the Line Runner persistent backdoor.

This leveraged a legacy feature that allowed pre-loading VPN client bundles on ASAs.

Line Runner consisted of Lua scripts that created a hidden directory, planted a web content file acting as a backdoor, and modified system scripts to copy a malicious ZIP file for execution on every boot.

The threat actor’s ZIP file has the following files:

This gave the attackers a persistent HTTP-based backdoor that survived software upgrades and reboots.

Document
Integrate ANY.RUN in your company for Effective Malware Analysis

Are you from SOC and DFIR teams? – Join With 400,000 independent Researchers

Malware analysis can be fast and simple. Just let us show you the way to:

  • Interact with malware safely
  • Set up virtual machine in Linux and all Windows OS versions
  • Work in a team
  • Get detailed reports with maximum data
  • If you want to test all these features now with completely free access to the sandbox: ..

Anti-Forensics and Attribution

The ArcaneDoor campaign demonstrated advanced anti-forensics capabilities, modifying core dump functions, disabling logging, and hooking authentication processes to hide their activities.

These operational security measures, combined with developing bespoke malware implants and chaining of zero-days, strongly suggest a state-sponsored threat actor.

While Cisco has released patches for the exploited vulnerabilities, organizations should urgently update their ASA firewalls and follow the recommended incident response procedures to detect and remediate potential compromises from this campaign.

Perimeter network devices like firewalls are lucrative targets for espionage actors because they provide a direct intrusion point into sensitive networks.

The ArcaneDoor campaign underscores the importance of prompt patching, secure configurations, and proactive monitoring of such critical infrastructure components.

Combat Email Threats with Free Phishing Simulations: Email Security Awareness Training ->Try Free Demo 

Indicators of Compromise

Likely Actor-Controlled Infrastructure: 

192.36.57[.]181 
185.167.60[.]85 
185.227.111[.]17 
176.31.18[.]153 
172.105.90[.]154 
185.244.210[.]120 
45.86.163[.]224 
172.105.94[.]93 
213.156.138[.]77 
89.44.198[.]189 
45.77.52[.]253 
103.114.200[.]230 
212.193.2[.]48 
51.15.145[.]37 
89.44.198[.]196 
131.196.252[.]148 
213.156.138[.]78 
121.227.168[.]69 
213.156.138[.]68 
194.4.49[.]6 
185.244.210[.]65 
216.238.75[.]155  

Multi-Tenant Infrastructure:

5.183.95[.]95 
45.63.119[.]131 
45.76.118[.]87 
45.77.54[.]14 
45.86.163[.]244 
45.128.134[.]189    
89.44.198[.]16 
96.44.159[.]46 
103.20.222[.]218 
103.27.132[.]69 
103.51.140[.]101 
103.119.3[.]230 
103.125.218[.]198 
104.156.232[.]22 
107.148.19[.]88 
107.172.16[.]208 
107.173.140[.]111 
121.37.174[.]139 
139.162.135[.]12 
149.28.166[.]244 
152.70.83[.]47 
154.22.235[.]13 
154.22.235[.]17 
154.39.142[.]47  
172.233.245[.]241 
185.123.101[.]250 
192.210.137[.]35  
194.32.78[.]183 
205.234.232[.]196  
207.148.74[.]250 
216.155.157[.]136 
216.238.66[.]251 
216.238.71[.]49 
216.238.72[.]201 
216.238.74[.]95 
216.238.81[.]149 
216.238.85[.]220 
216.238.86[.]24  

Update: Cisco has released updates for Zero Day vulnerabilities; more details can be found here.

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and their…

55 mins ago

Sweet Security Announces Availability of its Cloud Native Detection & Response Platform on the AWS Marketplace

Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS environments…

13 hours ago

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling them…

17 hours ago

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases from…

18 hours ago

Tor Network Suffers IP Spoofing Attack Via Non-Exit Relays

In late October 2024, a coordinated IP spoofing attack targeted the Tor network, prompting abuse…

18 hours ago

Metasploit Framework Released with New Features

The Metasploit Framework, a widely used open-source penetration testing tool maintained by Rapid7, has introduced…

21 hours ago