Dive Brief:
- Cisco is warning that state-linked hackers are running an espionage-focused campaign, called ArcaneDoor, that targets perimeter network devices from Cisco and potentially other vendors, with malicious activity dating back to late 2023.
- The threat actor, which Cisco Talos identifies as UAT4356 and Microsoft tracks as Storm-1849, deployed malicious backdoors on the devices of a small set of customers, Cisco Talos said in a threat advisory. The affected customers were running Cisco Adaptive Security Appliance software or Cisco Firepower Threat Defense software.
- Cisco released patches for the vulnerabilities, listed as CVE-2024-20353, a denial-of-service flaw with a CVSS score of 8.6, and CVE-2024-20359, a persistent local code execution flaw with a CVSS score of 6.0, and is urging customers to update their systems immediately.
Dive Insight:
Cisco Talos said researchers and the company’s product security team were alerted in early 2024 by a customer expressing concerns about security issues related to their Cisco Adaptive Security Appliances.
The initial investigation linked the suspicious activity to a group of government network customers around the world, Cisco Talos said. The probe identified actor-controlled infrastructure dating from November 2023, but testing and development of the tooling was traced back to July 2023.
Researchers have not yet identified the initial access vector, but they have identified two implants. The first, a memory-resident shellcode interpreter called Line Dancer, was used to execute attacker-supplied commands on a compromised device. The second, a backdoor called Line Runner, was used to maintain persistence on the device.
Indicators of compromise include gaps in device logging and unexpected reboots, according to the Cisco Talos blog; a firewall that normally logs continuously and then goes silent, or that reloads outside a maintenance window, warrants a closer look.
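The two indicators named above, logging gaps and unexpected reboots, can be hunted across syslog already collected from the appliances. The script below is an added example and is not Cisco's or Talos's code; it assumes ASA-style syslog exported from a central collector in the line layout given in the regex, a one-hour silence threshold, and the reload message text used to recognise a reboot (the sample log is constructed, and the reload line's message ID and text are invented for the sample).

```python
"""Added example: flag per-host logging gaps and reboot-like messages in
ASA-style syslog. Assumptions (not from the article): the collector line
layout, the one-hour gap threshold and the reload message patterns."""
import re
from datetime import datetime, timedelta

# Assumed collector layout: "<timestamp> <host> : %ASA-<sev>-<id>: <text>".
# ASA emits "Apr 23 2024 01:00:05" style timestamps when "logging timestamp"
# is enabled; the host tag is added by the collector.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) : %ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$"
)
TS_FMT = "%b %d %Y %H:%M:%S"

# Assumed reboot signatures: wording seen when an appliance reloads or boots.
REBOOT_RE = re.compile(r"\b(reload|system (re)?start|booting)\b", re.I)


def parse_line(line):
    """Return (timestamp, host, msgid, text), or None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.strptime(m["ts"], TS_FMT), m["host"], m["msgid"], m["text"])


def find_gaps(events, max_gap=timedelta(hours=1)):
    """Per host, report consecutive events separated by more than max_gap.

    A busy firewall logs continuously, so a silent window longer than the
    threshold means logging was disabled, the device was down, or the
    forwarding path was cut. Each deserves investigation."""
    by_host = {}
    for ts, host, _, _ in events:
        by_host.setdefault(host, []).append(ts)
    gaps = []
    for host, stamps in by_host.items():
        stamps.sort()
        for prev, cur in zip(stamps, stamps[1:]):
            if cur - prev > max_gap:
                gaps.append((host, prev, cur, int((cur - prev).total_seconds())))
    return gaps


def find_reboots(events, windows=()):
    """Return (host, timestamp, text) for reboot-like messages that fall
    outside the given maintenance windows, a list of (start, end) datetimes."""
    hits = []
    for ts, host, _, text in events:
        if not REBOOT_RE.search(text):
            continue
        if any(start <= ts <= end for start, end in windows):
            continue  # planned reload, not an indicator
        hits.append((host, ts, text))
    return hits


def analyze(lines, max_gap=timedelta(hours=1), windows=()):
    """Parse the lines and return both indicator lists."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    return {"gaps": find_gaps(events, max_gap), "reboots": find_reboots(events, windows)}


# Constructed sample, not real telemetry. 302013/302014 are genuine ASA
# connection-log IDs; the reload line's ID and text are made up for the sample.
# fw-edge-1 goes silent for over four hours and returns with an unplanned
# reload; fw-edge-2 logs steadily every 40 minutes.
SAMPLE_LOG = """\
Apr 23 2024 01:00:05 fw-edge-1 : %ASA-6-302013: Built outbound TCP connection 1 for outside:203.0.113.10/443
Apr 23 2024 01:30:12 fw-edge-1 : %ASA-6-302014: Teardown TCP connection 1 for outside:203.0.113.10/443
Apr 23 2024 05:45:01 fw-edge-1 : %ASA-5-199001: System reload started, reason: unknown
Apr 23 2024 05:48:30 fw-edge-1 : %ASA-6-302013: Built outbound TCP connection 2 for outside:203.0.113.10/443
Apr 23 2024 01:00:09 fw-edge-2 : %ASA-6-302013: Built outbound TCP connection 1 for outside:198.51.100.7/443
Apr 23 2024 01:40:09 fw-edge-2 : %ASA-6-302013: Built outbound TCP connection 2 for outside:198.51.100.7/443
Apr 23 2024 02:20:09 fw-edge-2 : %ASA-6-302013: Built outbound TCP connection 3 for outside:198.51.100.7/443
this line is not syslog and is skipped
""".splitlines()

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for host, start, end, secs in result["gaps"]:
        print(f"GAP     {host}: no log lines between {start} and {end} ({secs}s)")
    for host, ts, text in result["reboots"]:
        print(f"REBOOT  {host} at {ts}: {text}")
```

The gap threshold should be tuned per device from its normal log rate, and a gap seen only on the collector should be cross-checked against the device's own buffered log (`show logging`) and uptime: a device whose own buffer also has the hole, or whose uptime is shorter than the gap, is the case to escalate.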
Cisco Talos added that information from network telemetry and partners working on the response indicates the threat actors may be interested in targeting network devices from Microsoft and other companies.
A Cisco spokesperson said that, after responding to the customer's concerns, the company identified a total of three previously unknown vulnerabilities. The third, CVE-2024-20358, is rated medium severity.
The Cybersecurity and Infrastructure Security Agency on Wednesday added the first two CVEs to its Known Exploited Vulnerabilities catalog. The Canadian Centre for Cyber Security issued a joint advisory on the threat with U.K. and Australian officials.
The campaign is the latest in a series of suspected state-linked attacks on edge devices. High-profile campaigns have targeted customers of Ivanti, Citrix and other vendors. Other state-linked actors, including Volt Typhoon, have exploited weaknesses in home and small-office devices, turning them into botnets.
U.S. and Japanese authorities previously warned about a China-linked threat group called BlackTech that tampered with the firmware of Cisco and other routers to launch attacks against companies in both countries.
Cisco devices were also targeted by Volt Typhoon starting in late 2023, according to research from SecurityScorecard.