A sophisticated espionage campaign, ArcaneDoor, initiated by threat actor UAT4356, targeted critical perimeter network devices worldwide, specifically in the telecommunications and energy sectors. This state-sponsored operation, attributed to highly skilled threat actors, exploited two zero-day vulnerabilities in these devices to infiltrate networks, conduct reconnaissance, manipulate configurations, and potentially steal sensitive data.
The timeline of the ArcaneDoor campaign spans several months, with evidence suggesting preparatory activities dating back to mid-2023 and intensified operations in late 2023 and early 2024.
The campaign’s emergence has raised urgent concerns in cybersecurity circles due to its advanced tactics and strategic targeting. It highlights the ongoing challenges posed by nation-state cyber threats, as these devices serve as ideal entry points for espionage-focused campaigns, posing significant security risks to organisations worldwide.

Perimeter network devices are crucial in managing data flow into and out of networks. However, they require regular patching, updated hardware and software configurations, and continuous monitoring to mitigate security threats effectively. Failure to secure these devices can allow threat actors to infiltrate organisations, manipulate network traffic, and monitor communications.
The ArcaneDoor campaign’s significance lies in strategically targeting critical infrastructure entities. These sectors are attractive to foreign governments due to their strategic importance, making them prime targets for espionage activities.
The campaign’s modus operandi involved deploying two backdoors named ‘Line Runner’ and ‘Line Dancer.’ These backdoors facilitated malicious activities such as configuration modifications, reconnaissance, network traffic capture/exfiltration, and potential lateral movement within targeted networks.
The backdoors provided a platform for lateral movement within compromised networks, allowing threat actors to expand their reach and access sensitive resources.

Researchers have yet to identify the exact initial access vector. However, the campaign leverages two critical vulnerabilities, CVE-2024-20353 and CVE-2024-20359, to gain unauthorised access to Cisco Adaptive Security Appliances (ASA).
“As a part of our ongoing investigation, we have also analysed possible attribution of this activity. Our attribution assessment is based on the victimology, the significant level of tradecraft employed in terms of capability development and anti-forensic measures, and the identification and subsequent chaining together of 0-day vulnerabilities. For these reasons, we assess with high confidence that a state-sponsored actor performed these actions,” said researchers.
Of the two backdoors, Line Runner acted as the persistent one, ensuring continued access and control over the compromised devices. Line Dancer, on the other hand, was a memory-only implant that facilitated the execution of arbitrary shellcode payloads and enabled adversaries to conduct malicious actions on the target.
Threat actors were able to modify configurations on compromised devices, potentially altering network behaviours to suit their objectives. The campaign included reconnaissance activities, likely aimed at gathering intelligence and mapping network infrastructure for further exploitation.

Actors could capture and exfiltrate network traffic, allowing them to intercept sensitive data and monitor communications clandestinely.
The campaign employed anti-forensics measures to evade detection and hinder forensic analysis. Deliberate evasion of traditional AAA (Authentication, Authorisation, and Accounting) mechanisms allowed actors to bypass normal authentication procedures. Disabling logging during operations prevented the recording of malicious actions, making it harder to trace the attackers’ activities. Line Dancer’s placement in a difficult-to-reach memory region and its manipulation of core dump functions aimed to ensure that forensic artefacts were lost upon device reboot, erasing traces of compromise.
Line Runner maintained persistence on compromised ASA devices by leveraging legacy capabilities related to VPN client pre-loading.
The campaign exploited the vulnerabilities to trigger device reboots and install Line Runner components, ensuring persistence across system restarts. The backdoors also facilitated command and control capabilities, allowing threat actors to execute commands, retrieve information, and maintain remote access to compromised devices.
HTTP-based Lua backdoors and shellcode payloads enabled stealthy communications with, and control over, compromised assets. Researchers have advised organisations to remain vigilant, implement security patches promptly, adopt multi-factor authentication (MFA), and leverage network telemetry to detect and mitigate threats effectively.
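The anti-forensic steps described above (disabling logging, forcing a reboot to install persistence) leave their own signals in device telemetry. The following is an added example, not code from the original report or from Cisco: it runs simple detection logic over constructed ASA-style syslog lines, flagging commands that disable logging, startup messages that reveal a reboot, and unexplained silences from a device that is normally chatty. The message IDs and line layout are modeled on standard ASA syslog, but the sample lines, hostnames and addresses are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog lines from a perimeter device (not real telemetry).
SAMPLE_LOG = """\
2024-01-10T09:00:00 fw01 %ASA-6-302013: Built inbound TCP connection 1 for outside:198.51.100.7/4431 to inside:10.0.0.5/443
2024-01-10T09:00:30 fw01 %ASA-6-302013: Built inbound TCP connection 2 for outside:198.51.100.7/4432 to inside:10.0.0.5/443
2024-01-10T09:01:00 fw01 %ASA-5-111008: User 'enable_15' executed the 'no logging enable' command.
2024-01-10T12:45:00 fw01 %ASA-6-199002: Startup completed. Beginning operation.
2024-01-10T12:45:10 fw01 %ASA-6-302013: Built inbound TCP connection 3 for outside:203.0.113.9/5000 to inside:10.0.0.5/443
"""

# <timestamp> <host> %ASA-<severity>-<msgid>: <text>
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) %ASA-\d-(?P<msgid>\d{6}): (?P<msg>.*)$")
# Command audit messages (111008/111010) quote the command that was run.
CMD_RE = re.compile(r"executed (?:the )?'(?P<cmd>[^']+)'")

def parse(text):
    """Turn raw syslog text into a list of event dicts, skipping unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
                           "msgid": m["msgid"], "msg": m["msg"]})
    return events

def find_alerts(events, max_gap=timedelta(minutes=30)):
    """Return (kind, timestamp, detail) tuples for the three signals of interest."""
    alerts = []
    prev = None
    for ev in events:
        if ev["msgid"] in ("111008", "111010"):          # an operator ran a command
            c = CMD_RE.search(ev["msg"])
            if c and c["cmd"].startswith("no logging"):    # logging turned off
                alerts.append(("logging_disabled", ev["ts"], c["cmd"]))
        if ev["msgid"] == "199002":                        # device came back from a reload
            alerts.append(("device_restarted", ev["ts"], ev["msg"]))
        if prev is not None and ev["ts"] - prev > max_gap:  # silence longer than expected
            alerts.append(("telemetry_gap", ev["ts"], f"{ev['ts'] - prev} since last message"))
        prev = ev["ts"]
    return alerts

if __name__ == "__main__":
    for kind, ts, detail in find_alerts(parse(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {kind}: {detail}")
```

The gap threshold should be tuned per device from its normal message rate; a reboot that follows a logging-disabled command and a long silence is the combination worth escalating.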