New Espionage Campaign Exploits Vulnerabilities in Cisco ASA Devices

What We Know

Recently, an espionage campaign, dubbed ArcaneDoor, targeted vulnerabilities in Cisco ASA devices. This report delves into the sophisticated espionage tactics employed by state-sponsored actors, detailing their methods, assessing the impacts of security breaches, and offering actionable intelligence to mitigate associated risks. The adversaries demonstrated advanced capabilities, suggesting significant resources, but there are no indications of preparations for disruptive or destructive actions at this stage.

In early 2024, a sophisticated state-sponsored adversary, identified as UAT4356 by Talos and STORM-1849 by Microsoft, initiated the ArcaneDoor espionage campaign targeting network perimeter devices. The campaign leveraged CVE-2024-20359 and CVE-2024-20353 in Cisco ASA devices (series ASA55xx) with firmware versions 9.12 and 9.14 to deploy two backdoors, Line Dancer and Line Runner, enabling unauthorized access, data exfiltration, and persistent device control. 

The breach of such critical devices can lead to severe consequences, including loss of sensitive data, unauthorized network access, operational disruptions, and significant reputational harm. Given these devices’ foundational role in organizational security, their compromise can have cascading effects, further enabling malicious activities within networks.

Immediate actions are essential to prevent extensive security breaches. Organizations using vulnerable Cisco ASA devices must swiftly apply the latest patches, enhance traffic monitoring, review security practices comprehensively, and adopt a multi-layered defense strategy.

Insights & Determinations

• Line Dancer, an in-memory loader and data stager using Lua scripting, and Line Runner, a Lua-based webshell and data exfiltrator, showcase advanced techniques for evading detection and maintaining persistence. This dual-tool strategy exemplifies high technical sophistication and highlights the critical need for continuous and dynamic security assessments.
• The deliberate targeting of Cisco ASA devices reflects a strategic effort to infiltrate high-value networks for espionage, likely driven by state-sponsored actors. This targeting aims to collect intelligence that could impact national security or economic stability.
• The compromise of network perimeter devices poses risks beyond immediate data loss. It could potentially enable adversaries to launch more sophisticated future attacks and gain strategic advantages, such as access to trade secrets. This situation emphasizes the need for a comprehensive security strategy that addresses immediate and long-term threats.
• Organizations should enhance their security postures beyond just applying patches by implementing advanced behavioral analytics to detect nuanced threats and regularly updating incident response strategies to counter evolving adversary tactics. Cultivating a culture of cybersecurity awareness and proactive defenses across all levels of the organization is crucial for mitigating initial compromises and adapting to the dynamic cyber threat landscape.

What We Don’t Know 

Intelligence for this analysis comes from the Canadian Centre for Cyber Security and Cisco Talos. While we strive to verify these sources through additional open-source research and internal data analysis, some intelligence gaps remain. Notably, the initial access vectors, the full extent of the campaign, and precise data exfiltration details are still under investigation. These gaps limit our understanding of the campaign’s breadth and the adversaries’ entry methods, vital for developing robust defensive measures. If you have questions or feedback about this intelligence, you can submit them here.

Actions & Recommendations

First, organizations are encouraged to update to the latest patch versions, which contain the relevant fixes associated with this activity and other updates available for the device. These patches are available for download from Cisco’s website, which requires a valid Cisco account and an active Cisco support contract for ASA devices. As of 25 April, the most recent versions available are 9.16.4.57, 9.18.4.22, and 9.20.2.10.

Secondly, organizations should monitor and block known computed and atomic indicators (available at the end of this report and here and here) associated with this campaign. However, while monitoring and blocking known indicators of compromise related to these campaigns is valid, it’s crucial to recognize that adversaries can easily modify their computed and atomic indicators.  

Therefore, a dynamic approach to security that incorporates behavioral analysis and anomaly detection is recommended to complement signature-based defenses. To effectively mitigate the techniques employed in the spear-phishing and malvertising campaigns identified, organizations should implement a robust and multifaceted cybersecurity strategy that addresses both immediate and long-term security challenges:

• As of 30 September 2019, Cisco has discontinued support for WebVPN. If still in use, organizations are encouraged to plan on the migration of remote access connectivity to a supported technology.
• Organizations are encouraged to enable ‘informational’ logging on all Cisco ASA devices.
• Disable or restrict internal unencrypted traffic through gateway devices, including Server Message Block (SMB) traffic. SMB 3.0 or higher can be configured to use encryption. Earlier versions of SMB should not be used.
• Enable robust SNMPv3 access and deprecate SNMPv2.
• Accounts and credentials used on edge devices and integrated into internal systems, such as Active Directory, could be compromised by adversaries. These shared accounts should have the minimum necessary privileges to reduce an adversary’s ability to compromise other services. These accounts should be closely monitored to identify any deviations from expected behavior.
• Enforce Internet Protocol Security (IPsec) rather than Secure Socket Layer/Transport Layer Security (SSL/TLS) for VPN connectivity. Organizations should consider configuring all services to block public access to the SSL components of the ASA device.
• If Secure Socket Layer/Transport Layer Security (SSL/TLS) for VPN or other external facing services such as Secure Shell (SSH) are required, organizations should use the latest secure protocols with recommended cipher suites and hardening recommendations provided by the Cyber Centre through ITSP.40.062.
• Use Access Control Lists (ACLs) to block external access to the VPN device from known malicious IP addresses where feasible. ACLs can also be configured only to permit access from countries from which remote users are expected to connect.

While these measures can significantly enhance an organization’s defensive posture, they should not be solely relied upon. Adversaries constantly evolve their tactics, and therefore, organizations must stay informed about new threats and continuously adapt their security strategies accordingly.

In addition, the Adversary Tactics and Intelligence team has added evaluated observables to our indicator feeds. Additionally, we use this intelligence report to improve our correlation rules and detections and conduct threat hunting. However, due to limitations in log sources received by Deepwatch, not all activity can be monitored.

Threat Hunting Guidance

We recommend that all customers retrospectively hunt for malicious activity, which will likely indicate compromise, using the Be On the Lookout (BOLO) guidance provided below:

• New patterns in inbound web requests containing arguments (especially from the same source in repetition)
  • GET /+CSCOE+/portal.css?<aaa>=<token>&<bbb>=<lua_script>
  • POST /CSCOSSLC/config-auth HTTP/1.1
    • <host-scan-reply>[base64-encoded payloads]</host-scan-reply>
• Changes in the consistency and/or availability of syslog data from impacted appliances
• Anomalous occurrences of the following event ID’s
  • ASA-4-106103 access-list acl_ID denied protocol for user username
  • ASA-4-109027 [aaa protocol] Unable to decipher response message
  • ASA-4-113019 Session disconnected.
  • ASA-4-315009 SSH: connection timed out
  • ASA-4-717037 Tunnel group search using certificate maps failed for peer certificate
  • ASA-4-722041 No IPv6 address available for SVC connection
  • ASA-4-768003 SSH: connection timed out
  • ASA-5-111001  Begin configuration: IP_address writing to device
  • ASA-5-111003 IP_address Erase configuration
  • ASA-5-111008 User user executed the command string
  • ASA-5-212009 Configuration request for SNMP group groupname failed.
  • ASA-5-718072 Becoming master of Load Balancing in context
  • ASA-5-734002 Connection terminated by the following DAP records
  • ASA-5-8300006 Cluster topology change detected. VPN session redistribution aborted
  • ASA-6-113015  AAA user authentication Rejected
  • ASA-7-734003 DAP: User name, Addr ipaddr: Session Attribute: attr name/value
• Rare/unauthorized presence of new files matching the Lua regular expression “^client_bundle[%w_-]*%.zip$” (CVE-2024-20359)
• Organizations can issue the command show memory region | include lina to identify if more than one executable memory region (memory regions having r-xp permissions) exists. If the output indicates more than one region exists, especially if one is exactly 0x1000 bytes, it indicates potential tampering. Examples are shown here (note: the top portion of the image shows a compromised device and the bottom shows an uncompromised device).

Threat Analysis

The initial access vector is unknown at this time. Furthermore, there is no evidence of pre-authentication exploitation to date. 

LINE DANCER (In-Memory Loader)

LINE DANCER is a persistent Lua-based shellcode loader, which is a component of a larger framework. This shellcode loader would process malicious payloads that execute system commands. LINE DANCER offers the ability to run shellcode payloads — these are base64-decoded and only run when prepended by a fixed 32-byte value, which differs between victims. 

On a compromised ASA, the adversaries submitted shellcode via the host-scan-reply field in an HTTP request, which Line Dancer parses. ASA devices configured for SSL VPN, IPsec IKEv2 VPN with “client-services,” or HTTPS management access process this host-scan-reply field, typically used later in the SSL VPN session establishment process. The adversary overrode the pointer to the default host-scan-reply code to instead point to the Line Dancer shellcode interpreter. This override allowed the adversary to use POST requests to interact with the device without having to authenticate and interact directly through traditional management interfaces. 

Example HTTP POST Request to Cisco ASA WebVPN / AnyConnect URIs: 

POST /CSCOSSLC/config-auth HTTP/1.1
…
<host-scan-reply>[base64-encoded payloads]</host-scan-reply>

It appears the adversary intentionally placed Line Dancer into a difficult-to-reach memory region. It also hooks into functions such as the core dump function, which is commonly used to collect information for debugging and forensic purposes. This function was made in memory so that it simply jumped to a reboot. 

Analyst Note: This means that on reboot, Line Dancer itself would no longer be present, and none of the collections present in the core dump function would have been executed, resulting in a complete loss of debug information and memory-based forensic artifacts.

LINE RUNNER

LINE RUNNER, a Lua-based webshell, enabled the adversaries to maintain persistence. The adversaries leveraged vulnerabilities to force the devices to reboot (CVE-2024-20353) and execute a Lua script (CVE-2024-20359). The adversary was able to leverage these vulnerabilities to cause the target ASA device to reboot, triggering the unzipping and installation of Line Runner.

The adversary leveraged CVE-2024-20359 to drop a ZIP file and execute its contents. At boot, the ASA is designed to look for the presence of a file on disk0: matching a specific Lua regular expression (^client_bundle[%w_-]*%.zip$). If the file exists, it will unzip it and execute the script csco_config.lua. Once processed, the ZIP file is deleted. In at least one case, the adversary leveraged CVE-2024-20353 to force the device to reboot. 

The adversaries ZIP file contained the following files:

• csco_config.lua
• csco_config2.lua
• client_bundle_install/plugin/rdp.jar
• client_bundle_install/test/stgvdr.txt 
• client_bundle_install/test/index.txt
• client_bundle_install/test/hash.txt
• client_bundle_install/test/umtfc.txt
• client_bundle_install/test/laecsnw.txt

Analyst Note: A detailed breakdown of what each file does is available here.

The scripts in the ZIP file allowed the adversary to maintain a persistent HTTP-based Lua backdoor to the ASA, which survives across reboots and upgrades. The adversary used Line Runner to retrieve information that the adversaries staged using Line Dancer.

The adversary took clear and deliberate steps to attempt to prevent forensic capture of malicious artifacts. This tradecraft suggests a thorough understanding of the ASA and the forensic actions commonly performed for network device integrity validation. Additional steps were taken on a case-by-case basis to hide actions being taken on the device. These steps included hooking the device’s AAA (Authentication, Authorization, and Accounting) function to allow the adversary to bypass normal AAA operations. In some instances, the adversary disabled logging to perform operations on or from the ASA to prevent the logging of those operations.  

Additionally, LINE RUNNER can run arbitrary Lua code sent via HTTP GET requests to legitimate Cisco ASA WebVPN / AnyConnect URIs (example below). 

GET /+CSCOE+/portal.css?<aaa>=<token>&<bbb>=<lua_script>

Where:

• <aaa> is a randomized query parameter key name.
• <token> is a randomized value, checked by the webshell (i.e., auth)
• <bbb> is a randomized query parameter key name.
• <lua_script> is the URL Encoded Lua command to execute.

Analyst Note: Randomized query parameters prevent mass scanning of potentially impacted ASAs. It is suspected that the values in the GET requests are victim specific, but this has yet to be confirmed.

It is suspected that Line Runer may be present on a compromised device even if Line Dancer is not (e.g., as a persistent backdoor or where an impacted ASA has not yet received full operational attention from the malicious actors). As such, any previous detection work for Line Dancer with negative findings does not imply that Line Runner is not present.

Risk & Impact Assessment

The sophistication demonstrated by the adversary’s use of multiple layers of novel techniques and the concurrent operations against numerous targets worldwide is cause for concern. Since VPN services are essential components of computer network security, vulnerabilities in such services are particularly consequential, and public disclosure of critical vulnerabilities can enable their use by various adversaries. 

However, determining the likelihood of specific organizations being targeted by the ArcaneDoor campaign, particularly those utilizing vulnerable Cisco ASA devices, remains challenging. This assessment reflects the limited available data concerning the scope of the adversaries’ targeting and the undisclosed extent of their activities. However, the potential for being targeted cannot be discounted entirely due to the nature of the vulnerabilities and the devices’ widespread use. Thus, a conservative approach to security, emphasizing preparedness and vigilance, is advisable. 

Organizations should remain alert to the possibility of being targeted, recognizing that sophisticated adversaries could exploit such vulnerabilities with severe implications. Therefore, we emphasize the need to patch devices quickly and have a comprehensive defense-in-depth strategy, such as applying the recommendations in this report. This approach addresses the risks the ArcaneDoor campaign poses and enhances resilience against a broad spectrum of potential cyber threats.

The impact of this campaign on affected organizations could be severe. Successful exploitation of network perimeter devices can lead to the loss of sensitive data, unauthorized access to internal networks, and potential lateral movement within the infrastructure. The operational impact includes disruption of critical network services, degradation of system performance, and the potential for extended downtime while addressing the breach. 

Financially, organizations may face significant expenditures on incident response, recovery operations, legal fees, and compliance penalties. Additionally, the breach of trust and confidence among stakeholders, customers, and partners can lead to long-lasting reputational damage. Strategic consequences include the erosion of competitive advantages and increased susceptibility to future cyber threats. Ensuring robust security measures and rapid response capabilities is crucial for mitigating these risks and safeguarding against the evolving threat landscape.

Outlook

The ArcaneDoor campaign underscores a persistent threat to network perimeter security. In the immediate aftermath of public disclosure, we anticipate a surge in exploitation attempts as adversaries rush to capitalize on unpatched vulnerabilities before organizations can fortify their defenses. This heightened activity is likely to target primarily aging infrastructure, where patching cycles may lag behind the pace of emerging threats.

However, the disclosure is unlikely to constrain adversaries to their current tactics. Instead, we foresee a strategic pivot towards more sophisticated and evasive methodologies. As adversaries seek to evade detection and overcome enhanced security measures, the future of network device exploitation will likely manifest in stealthier and more complex post-compromise techniques.

This campaign is a stark reminder of the perpetual arms race between defenders and threat actors in cyberspace. By embracing a proactive and adaptive approach to cybersecurity, organizations can safeguard their critical assets and mitigate the evolving risks posed by sophisticated network device attacks.

Summary of Analytical Findings

Several key insights have emerged from our analysis of the ArcaneDoor campaign, shedding light on the tactics, techniques, and procedures employed by sophisticated threat actors targeting network perimeter devices. The campaign’s utilization of bespoke tooling, including the Line Dancer and Line Runner backdoors, showcases a high level of operational sophistication and resource investment. Moreover, the deliberate efforts to obscure forensic evidence and evade detection underscore the adversary’s strategic acumen and understanding of network device security.

These findings contribute to a broader understanding of the evolving global threat landscape. The campaign underscores the critical importance of securing network perimeter devices, which serve as the first line of defense against external threats.

The campaign has far-reaching implications for industry best practices, policy-making, and future cybersecurity strategies. Firstly, organizations must recognize the urgency of patching vulnerable network infrastructure to mitigate the risk of exploitation. Additionally, the campaign underscores the need for enhanced threat detection and response capabilities to identify and neutralize sophisticated adversaries before they can inflict damage.

The campaign underscores the need for a proactive and adaptive approach to cybersecurity. By leveraging these insights to inform strategic decision-making and operational practices, organizations can enhance their resilience against evolving threats and safeguard their digital assets in an increasingly hostile cyber landscape.

Relevant Detections

Observables

The following malicious IP addresses were observed targeting networks. The Canadian Cyber Security Centre considers these IP addresses as high confidence indicators of malicious activity and organizations should check historical network logs, specifically for large volumes of data being transferred. Notably, if logs show traffic between December 2023 and February 2024.

• 185.244.210[.]65
• 5.183.95[.]95
• 213.156.138[.]77
• 45.77.54[.]14
• 45.77.52[.]253
• 45.63.119[.]131
• 194.32.78[.]183
• 185.244.210[.]120
• 216.238.81[.]149
• 216.238.85[.]220
• 216.238.74[.]95
• 45.128.134[.]189
• 176.31.18[.]153
• 216.238.72[.]201
• 216.238.71[.]49
• 216.238.66[.]251
• 216.238.86[.]24
• 216.238.75[.]155
• 154.39.142[.]47
• 139.162.135[.]12

The following IP addresses were identified by Cisco Talos. Please note that we have removed indicators that were also listed by the Canadian Cyber Security Centre. Furthermore, Cisco states that some of the following IP addresses are publicly known anonymization infrastructure and are not directly adversary controlled.

Likely Adversary-Controlled Infrastructure: 

• 45.86.163[.]224
• 51.15.145[.]37
• 89.44.198[.]189
• 89.44.198[.]196
• 103.114.200[.]230
• 121.227.168[.]69
• 131.196.252[.]148
• 172.105.90[.]154
• 172.105.94[.]93
• 185.167.60[.]85
• 185.227.111[.]17
• 185.244.210[.]120
• 185.244.210[.]65
• 192.36.57[.]181
• 194.4.49[.]6
• 212.193.2[.]48
• 213.156.138[.]68
• 213.156.138[.]77
• 213.156.138[.]78
• 216.238.75[.]155  

Multi-Tenant Infrastructure: 

• 5.183.95[.]95 
• 45.63.119[.]131 
• 45.76.118[.]87 
• 45.77.54[.]14 
• 45.86.163[.]244 
• 45.128.134[.]189    
• 89.44.198[.]16 
• 96.44.159[.]46 
• 103.20.222[.]218 
• 103.27.132[.]69 
• 103.51.140[.]101 
• 103.119.3[.]230 
• 103.125.218[.]198 
• 104.156.232[.]22 
• 107.148.19[.]88 
• 107.172.16[.]208 
• 107.173.140[.]111 
• 121.37.174[.]139 
• 139.162.135[.]12 
• 149.28.166[.]244 
• 152.70.83[.]47 
• 154.22.235[.]13 
• 154.22.235[.]17 
• 154.39.142[.]47  
• 172.233.245[.]241 
• 185.123.101[.]250 
• 192.210.137[.]35  
• 194.32.78[.]183 
• 205.234.232[.]196  
• 207.148.74[.]250 
• 216.155.157[.]136 
• 216.238.66[.]251 
• 216.238.71[.]49 
• 216.238.72[.]201 
• 216.238.74[.]95 
• 216.238.81[.]149 
• 216.238.85[.]220 
• 216.238.86[.]24 

Source Material

Canadian Centre for Cyber Security

Cisco Talos

↑