Cisco reveals zero-day attacks used by hackers to attack government networks in major threat campaign


Unidentified, sophisticated threat actors, possibly affiliated with nation-states in the East, were found abusing two flaws in Cisco VPNs and firewalls, to drop malware used for espionage. Their targets include governments and critical infrastructure networks all around the world.

A report from Cisco Talos, as well as a joint security advisory released by the Canadian Centre for Cyber Security (Cyber Centre), the Australian Signals Directorate's Cyber Security Centre, and the UK's National Cyber Security Centre (NCSC), outlined the campaign, dubbed “ArcaneDoor”.

The threat actor, tracked as UAT4356 or STORM-1849 depending on who you ask, abused two flaws to deliver the malware: CVE-2024-20353 and CVE-2024-20359, both found in Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) devices.

Line Dancer and Line Runner

The researchers aren’t sure of the initial vector used to deliver the malware, but a safe guess would be either phishing or social engineering. In any case, the attackers used the flaws to drop Line Dancer and Line Runner, two pieces of malware with different use cases.

Line Dancer is described as an in-memory implant that can upload and execute arbitrary shellcode payloads. It also has a number of anti-forensics capabilities that hinder analysis. Furthermore, it can tamper with the Authentication, Authorization, and Accounting (AAA) function to allow the threat actors to establish a remote access VPN tunnel.

Line Runner, on the other hand, is described as a persistent web shell that allows the attackers to upload and run arbitrary Lua scripts.

The researchers did not share additional details. The nation-state behind the attacks, the targets, the number of victims, and any sensitive data stolen all remain unknown at the time of writing.

In its writeup, The Register speculates that either China or Russia could be behind the attacks, as both countries have recently been observed targeting Cisco vulnerabilities.

Although not confirmed, the researchers believe firewalls and VPNs from other vendors, including Microsoft, are also being targeted. Cisco has since patched the flaws.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.