Cisco Talos details ArcaneDoor campaign found targeting perimeter network devices across critical infrastructure

New data released by Cisco Talos researchers detailed ArcaneDoor, a new espionage-focused campaign that targets perimeter network devices. The use of these devices across critical infrastructure installations, like telecommunications companies and energy sector organizations, has increased dramatically over the last two years. These entities are likely strategic targets of interest to many foreign governments.

“ArcaneDoor is a campaign that is the latest example of state-sponsored actors targeting perimeter network devices from multiple vendors,” Cisco Talos identified in a Wednesday blog post. “Coveted by these actors, perimeter network devices are the perfect intrusion point for espionage-focused campaigns. As a critical path for data into and out of the network, these devices need to be routinely and promptly patched; using up-to-date hardware and software versions and configurations; and be closely monitored from a security perspective. Gaining a foothold on these devices allows an actor to directly pivot into an organization, reroute or modify traffic, and monitor network communications.”

“As a part of our ongoing investigation, we have also conducted analysis on possible attribution of this activity,” the post added. “Our attribution assessment is based on the victimology, the significant level of tradecraft employed in terms of capability development and anti-forensic measures, and the identification and subsequent chaining together of 0-day vulnerabilities. For these reasons, we assess with high confidence that these actions were performed by a state-sponsored actor.”

There are several known indicators of compromise of the ArcaneDoor campaign that defenders can look for when assessing whether their ASA device has been compromised as a result of this attack, as outlined in the Talos post. For example, if any gaps in logging or any recent unexpected reboots are observed, this should be treated as ‘suspicious’ activity that warrants further investigation.
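The two indicators named above, gaps in logging and unexpected reboots, lend themselves to a simple check over exported ASA syslog. The script below is an added example written for this article, not code from Cisco Talos or the original post. It assumes syslog lines stored as an ISO timestamp, hostname and the `%ASA-severity-msgid:` prefix, and assumes `%ASA-6-199002` ("Startup completed") as the boot marker, both taken from Cisco's syslog conventions rather than from the Talos post; the log lines themselves are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log as a syslog collector might store it (not real device output).
# Note the ~3-hour silence between the second and third line, followed by a startup
# message and connection IDs that restart from a low number.
SAMPLE_SYSLOG = """\
2024-01-05T02:10:11Z asa-edge-1 %ASA-6-302013: Built outbound TCP connection 1184 for outside:198.51.100.7/443 to inside:10.0.0.5/51544
2024-01-05T02:11:40Z asa-edge-1 %ASA-6-605005: Login permitted from 10.0.0.9/55012 to inside:10.0.0.1/ssh for user "netadmin"
2024-01-05T05:20:03Z asa-edge-1 %ASA-6-199002: Startup completed. Beginning operation.
2024-01-05T05:21:15Z asa-edge-1 %ASA-6-302013: Built outbound TCP connection 12 for outside:203.0.113.4/443 to inside:10.0.0.5/51610
2024-01-05T05:21:45Z asa-edge-1 %ASA-6-302014: Teardown TCP connection 12 for outside:203.0.113.4/443 to inside:10.0.0.5/51610 duration 0:00:30 bytes 8190 TCP FINs
"""

# Assumed line layout: "<ISO timestamp> <host> %ASA-<sev>-<msgid>: <text>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+%ASA-(?P<sev>\d)-(?P<msgid>\d+):\s*(?P<text>.*)$"
)

# Assumption: 199002 is the ASA "Startup completed" message; any line carrying it
# means the device has just finished booting.
STARTUP_MSGIDS = {"199002"}


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp format used in SAMPLE_SYSLOG."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def parse_line(line):
    """Return a dict for a well-formed ASA syslog line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": parse_ts(m["ts"]), "host": m["host"], "msgid": m["msgid"], "text": m["text"]}


def find_logging_gaps(events, max_gap=timedelta(minutes=30)):
    """Return (start, end, duration) for every consecutive pair of events further apart than max_gap."""
    gaps = []
    for prev, cur in zip(events, events[1:]):
        delta = cur["ts"] - prev["ts"]
        if delta > max_gap:
            gaps.append((prev["ts"], cur["ts"], delta))
    return gaps


def find_unexpected_reboots(events, maintenance_windows=()):
    """Return startup events whose timestamp falls outside every declared (start, end) maintenance window."""
    hits = []
    for ev in events:
        if ev["msgid"] not in STARTUP_MSGIDS:
            continue
        if any(start <= ev["ts"] <= end for start, end in maintenance_windows):
            continue
        hits.append(ev)
    return hits


def analyse(raw, maintenance_windows=(), max_gap=timedelta(minutes=30)):
    """Run both indicator checks and correlate them: a reboot that closes a logging gap is the strongest signal."""
    events = [e for e in (parse_line(l) for l in raw.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    gaps = find_logging_gaps(events, max_gap)
    reboots = find_unexpected_reboots(events, maintenance_windows)
    correlated = [r for r in reboots if any(g[0] < r["ts"] <= g[1] for g in gaps)]
    return {"gaps": gaps, "reboots": reboots, "correlated": correlated}


if __name__ == "__main__":
    result = analyse(SAMPLE_SYSLOG)
    for start, end, delta in result["gaps"]:
        print(f"logging gap: {start} -> {end} ({delta})")
    for ev in result["reboots"]:
        print(f"unexpected reboot: {ev['ts']} {ev['host']} {ev['text']}")
    print(f"reboots that end a logging gap: {len(result['correlated'])}")
```

The gap threshold and maintenance windows are the tuning knobs: a busy perimeter device rarely goes quiet for half an hour, so a gap that ends in a startup message with no planned change recorded is exactly the pattern the article says to investigate further.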

At the beginning of the year, a client raised security concerns about their Cisco Adaptive Security Appliances (ASA) with Cisco Talos and the Product Security Incident Response Team (PSIRT). Together, PSIRT and Talos began an investigation to help the client.

“During that investigation, which eventually included several external intelligence partners and spanned several months, we identified a previously unknown actor now tracked as UAT4356 by Talos and STORM-1849 by the Microsoft Threat Intelligence Center,” the post identified. “This actor utilized bespoke tooling that demonstrated a clear focus on espionage and an in-depth knowledge of the devices that they targeted, hallmarks of a sophisticated state-sponsored actor.” 

Additionally, UAT4356 deployed two backdoors as components of this campaign, ‘Line Runner’ and ‘Line Dancer,’ which were used collectively to conduct malicious actions on-target, including configuration modification, reconnaissance, network traffic capture/exfiltration and potentially lateral movement.

Cisco was initially alerted to suspicious activity on an ASA device in early 2024. The following investigation identified additional victims, all of which involved global government networks. “During the investigation, we identified actor-controlled infrastructure dating back to early November 2023, with most activity taking place between December 2023 and early January 2024. Further, we have identified evidence that suggests this capability was being tested and developed as early as July 2023,” the post added.  

Cisco has identified two vulnerabilities that were abused in this campaign (CVE-2024-20353 and CVE-2024-20359). Patches for these vulnerabilities are detailed in the Cisco Security Advisories released. “We have not determined the initial access vector used in this campaign. We have not identified evidence of pre-authentication exploitation to date. Our investigation is ongoing, and we will provide updates, if necessary, in the security advisories or on this blog,” it added. 

The researchers determined that the malware implant has a couple of key components. The first is a memory-only implant, called ‘Line Dancer.’ This implant is a memory-resident shellcode interpreter that enables adversaries to upload and execute arbitrary shellcode payloads.  

“On a compromised ASA, the attackers submit shellcode via the host-scan-reply field, which is then parsed by the Line Dancer implant. Note that the use of this field does not indicate the exploitation of CVE-2018-0101 which was NOT used as a component of this campaign,” the post added. “The host-scan-reply field, typically used in later parts of the SSL VPN session establishment process, is processed by ASA devices configured for SSL VPN, IPsec IKEv2 VPN with ‘client-services’ or HTTPS management access.” 

Additionally, the actor overrides the pointer to the default host-scan-reply code to instead point to the Line Dancer shellcode interpreter. This allows the actor to use POST requests to interact with the device without having to authenticate and interact directly through any traditional management interfaces. 

Line Dancer is used to execute commands on the compromised device. During its investigation, Talos observed the threat actors using the Line Dancer implant to disable syslog; run and exfiltrate the command show configuration; create and exfiltrate packet captures; and execute CLI commands present in shellcode, including configuration-mode commands and the ability to save them to memory (write mem).

Line Dancer will also hook the crash dump process, which forces the device to skip the crash dump generation and jump directly to a device reboot. This is designed to evade forensic analysis, as the crash dump would contain evidence of compromise and provide additional forensic details to investigators.

The post also identified that Line Dancer will hook the AAA (Authentication, Authorization and Accounting) function to allow for a magic number authentication capability. “When the attacker attempts to connect to the device using this magic number, they are able to establish a remote access VPN tunnel bypassing the configured AAA mechanisms. As an alternate form of access, a P12 blob is generated along with an associated certificate and exfiltrated to the actor along with a certificate-based tunnel configuration,” it added.

The researchers said that UAT4356 took clear and deliberate steps to attempt to prevent forensic capture of malicious artifacts. This tradecraft suggests a thorough understanding of the ASA itself and of the forensic actions commonly performed by Cisco for network device integrity validation. 

Additional steps were taken on a case-by-case basis to hide actions being taken on the device. These included hooking the AAA function of the device to allow the actor to bypass normal AAA operations. Talos also identified instances where UAT4356 disabled logging so that operations performed on or from the ASA were not logged.

The Talos post said that Line Dancer appears to have been intentionally placed into a difficult-to-reach region of memory. In addition, it hooks functions such as the core dump function, which is commonly used to collect information for debugging and forensic purposes; the in-memory modification made this function simply jump to a reboot. This means that on reboot, Line Dancer itself would no longer be present and none of the collections performed by the core dump function would have been executed, resulting in a complete loss of debug information and memory-based forensic artifacts.

Cisco acknowledged the Australian Cyber Security Centre of the Australian Signals Directorate; Black Lotus Labs at Lumen Technologies; the U.K. National Cyber Security Centre (NCSC); Microsoft Threat Intelligence Center; and the U.S. Cybersecurity & Infrastructure Security Agency (CISA) for their support of the investigation on the ArcaneDoor campaign. 

Last September, Cisco Talos reported that its researchers had discovered a new malware family that it calls ‘HTTPSnoop’ being deployed against telecommunications providers in the Middle East. They also discovered a sister implant to HTTPSnoop that they are naming ‘PipeSnoop,’ which can accept arbitrary shellcode from a named pipe and execute it on the infected endpoint. Based on these findings, Cisco Talos researchers assess with high confidence that both implants belong to a new intrusion set that it is calling ‘ShroudedSnooper.’