A state-sponsored threat actor campaign [1] [2] [3] [5] [6], known as ArcaneDoor [1] [9], has targeted Cisco firewall platforms [5], exploiting vulnerabilities and implanting backdoors for malicious activities.


A state-sponsored threat actor campaign [1] [2] [3] [5] [6], known as ArcaneDoor and tracked as UAT4356 by Cisco Talos and STORM-1849 by the Microsoft Threat Intelligence Center [2] [5], has targeted Cisco firewall platforms [5]. Exploiting vulnerabilities CVE-2024-20353 [3] [5] [6] [8] [9], CVE-2024-20359 [2] [3] [4] [5] [6] [7] [8] [9], and CVE-2024-20358 [2] [4] [5] [6] [7] [8] [9], the actor has implanted backdoors named Line Runner and Line Dancer on compromised ASA devices for configuration modification, reconnaissance [5], and network traffic capture/exfiltration [5] [8]. Indicators of compromise include unexpected reboots [4]. This campaign is part of a series of state-sponsored attacks on edge devices [4], with previous warnings about the China-linked BlackTech group and Volt Typhoon targeting Cisco devices [4]. Patches have been released for the vulnerabilities [5], and organizations are advised to promptly upgrade their ASA software and apply available patches [5]. Cisco has issued security updates addressing vulnerabilities in Cisco ASA and FTD software that are actively exploited in the ArcaneDoor campaign [7], including CVE-2024-20353 [7], a denial of service vulnerability [7], CVE-2024-20359 [2] [3] [4] [5] [6] [7] [8] [9], a code execution vulnerability [7], and CVE-2024-20358 [2] [4] [5] [6] [7] [8] [9], a command injection vulnerability [7]. Organizations are urged to review the relevant security advisories and apply the updates promptly [7]. Steps to verify the integrity of ASA and FTD appliances are outlined [7], and compromised organizations should report incidents to the NHS England National CSOC [7]. The campaign began in November 2023 [1], with most intrusions occurring between December and January [1], targeting government networks globally [1] [2] [6]. The hackers’ shift to compromising edge devices like firewalls highlights a broader trend in targeting network perimeter applications to gain access to sensitive networks [1]. The UK’s National Cybersecurity Center notes that physically unplugging an ASA device disrupts the hackers’ access [1], but detecting their presence on the devices is incredibly difficult [1]. Mandiant also highlights the trend of state-sponsored hackers targeting edge devices [1], with Chinese and Russian groups building custom malware for these devices to maintain access to victim networks [1]. China’s cyberspies are particularly adept at discovering and exploiting zero-day vulnerabilities in security appliances [1], with more zero-days expected to be exploited in the future [1]. Affected platforms and remediation steps are detailed [7], with a focus on applying security updates and verifying device integrity [7]. Indicators of compromise (IoCs) for the ArcaneDoor campaign include flows to/from ASA devices to specific IP addresses and memory regions indicating potential tampering [6]. Network administrators can identify and remove the Line Runner backdoor on ASA devices by reviewing disk contents and following specific commands post-patch application [6]. The campaign began development in July 2023 [2], with activity starting in December and patches released in late March/early April [2]. Victims included government networks globally [2] [6], with speculation pointing towards China’s state interests [2]. Chinese threat actors have shown a preference for targeting public-facing security and network appliances [2], aligning with the tactics observed in ArcaneDoor [2]. Organizations targeted in such campaigns face challenges in defending against sophisticated attacks [2], highlighting the importance of timely patching and vigilance in network security [2].


The ArcaneDoor campaign targeting Cisco firewall platforms underscores the need for organizations to promptly apply security updates, verify device integrity [7], and remain vigilant against state-sponsored threat actors. The trend of targeting edge devices for network access poses significant challenges for cybersecurity, emphasizing the importance of proactive defense measures and ongoing monitoring to protect sensitive networks from malicious intrusions.


[1] https://www.wired.com/story/arcanedoor-cyberspies-hacked-cisco-firewalls-to-access-government-networks/
[2] https://readme.synack.com/changelog-arcanedoor-campaign-targets-cisco-devices
[3] https://www.helpnetsecurity.com/2024/04/24/cve-2024-20353-cve-2024-20359/
[4] https://www.cybersecuritydive.com/news/cisco-network-devices-malicious-backdoors/714283/
[5] https://www.infosecurity-magazine.com/news/stateespionage-campaign-cisco/
[6] https://www.darkreading.com/endpoint-security/cisco-zero-days-arcanedoor-cyberespionage-campaign
[7] https://digital.nhs.uk/cyber-alerts/2024/cc-4483
[8] https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/
[9] https://siliconangle.com/2024/04/24/cisco-warns-state-sponsored-cyberattacks-targeting-government-networks/