Cisco reveals zero-day attacks used by hackers to attack government networks in major threat campaign
Two new Cisco flaws plugged
Unidentified, sophisticated threat actors, possibly affiliated with nation-states in the East, were found abusing two flaws in Cisco VPNs and firewalls to drop malware used for espionage. Their targets include government and critical infrastructure networks around the world.
A report from Cisco Talos, together with a joint security advisory released by the Canadian Centre for Cyber Security (Cyber Centre), the Australian Signals Directorate’s Cyber Security Centre, and the UK’s National Cyber Security Centre (NCSC), outlined the campaign, which has been dubbed “ArcaneDoor”.
The threat actor, tracked as UAT4356 or STORM-1849 depending on who you ask, abused two flaws to deliver the malware: CVE-2024-20353 and CVE-2024-20359, both found in Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) devices.
Line Dancer and Line Runner
The researchers aren’t sure of the initial vector used to deliver the malware, but a safe guess would be either phishing or social engineering. In any case, the attackers used the flaws to drop Line Dancer and Line Runner, two pieces of malware with different use cases.
Line Dancer is described as an in-memory implant that can upload and execute arbitrary shellcode payloads. It also includes a number of capabilities that hinder forensic analysis. Furthermore, it can trick the Authentication, Authorization, and Accounting (AAA) function into allowing the threat actors to establish a remote access VPN tunnel.
Line Runner, on the other hand, is described as a persistent web shell that allows the attackers to upload and run arbitrary Lua scripts.
The researchers did not share additional details. The nation-state behind the attacks, the targets, the number of victims, and whether any sensitive data was stolen all remain unknown at this time.
In its writeup, The Register speculates that either China or Russia could be behind the attacks, as both countries have recently been observed targeting Cisco vulnerabilities.
Although not confirmed, the researchers believe firewalls and VPNs from other vendors, including Microsoft, are also being targeted. Cisco has since patched both flaws.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.