According to the security watchdogs of the United Kingdom, Canada and Australia, unknown state hackers have been behind attacks on Cisco firewalls since November 2023. Through these breaches, the attackers have deployed malware for espionage purposes.
Cisco has now confirmed these infiltrations. In late January, regulators discovered that two Cisco firewall systems, Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD), were unknown targets of hacker groups. The criminals mainly targeted Cisco ASA appliances. These devices were vulnerable if they had firmware versions 9.12 and 9.14. Hackers gained access through exploits of three vulnerabilities: CVE-2024-20359, CVE-2024-20358 and CVE-2024-20353.
The attacks targeted VPN services used by governments and global critical infrastructure, say regulators from the UK, Canada, and Australia in a joint statement.
The hackers gained unauthorized access to these devices through WebVPN sessions and clientless SSLVPN services nestled deep into the affected networks.
Malware installation
They installed malicious malware that enabled remote code injection (RCE) on the Cisco appliances. Among other things, this resulted in configuring packet capture sessions to collect data and send it outside.
The malicious files were called “Line Dancer” and “Line Runner.” The first type of malware is an in-memory implant for uploading and executing a variety of shellcode payloads.
The second type of malware is a persistent web shell that allows cybercriminals to establish themselves in attacked networks permanently. They can then upload and execute whatever Lia script they want. The breaches could also potentially enable DoS attacks.
Confirmation from Cisco
Cisco Talos confirms the vulnerabilities, now known as Arcane Door. In doing so, the research team indicates that they showed all the hallmarks of state-sponsored hacking. This is because the hacks focused specifically on espionage, and the hackers involved had in-depth knowledge of the systems under attack. Which countries are behind the attacks has not been disclosed, but obviously, Russia and China are the most suspected.
The first Arcane Door attacks were allegedly carried out as early as November 2023 but were thus not discovered until January of this year. Cisco has since released patches that should eliminate the vulnerabilities. Therefore, the security regulators of various countries are urging companies to install these patches as soon as possible.
Cisco devices and Microsoft devices are said to be affected. Microsoft itself has not yet responded.
Also read: Cisco warns of brute-force attacks on VPN and SSH applications