TechRadar
Sead Fadilpašić

Cisco reveals zero-day attacks used by hackers to attack government networks in major threat campaign


An unidentified, sophisticated threat actor, possibly state-backed, has been found abusing two flaws in Cisco VPN and firewall appliances to drop malware used for espionage. Its targets include government and critical infrastructure networks around the world.

A report from Cisco Talos, together with a joint security advisory from the Canadian Centre for Cyber Security (Cyber Centre), the Australian Signals Directorate's Cyber Security Centre, and the UK's National Cyber Security Centre (NCSC), outlined the campaign, which Talos has named "ArcaneDoor".

The threat actor, tracked as UAT4356 by Cisco Talos and as STORM-1849 by Microsoft, abused two flaws to deliver the malware: CVE-2024-20353, a denial-of-service bug that can force the device to reload, and CVE-2024-20359, a persistent local code execution bug. Both affect Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) devices.

Line Dancer and Line Runner

The researchers have not identified the initial access vector used to reach the devices; phishing or social engineering are plausible guesses, but neither has been confirmed. Once on a device, the attackers used the two flaws to deploy Line Dancer and Line Runner, two pieces of malware with distinct roles.

Line Dancer is described as an in-memory implant that can upload and execute arbitrary shellcode payloads. It includes several anti-forensics capabilities intended to hinder analysis of a compromised device. It can also tamper with the Authentication, Authorization, and Accounting (AAA) function so that the threat actors can establish a remote access VPN tunnel to the appliance.

Line Runner, on the other hand, is described as a persistent web shell that allows the attackers to upload and run arbitrary Lua scripts.

The researchers did not share further details. The nation-state behind the attacks, the specific targets, the number of victims, and whether any sensitive data was stolen all remain unknown at the time of writing.

In its writeup, The Register speculates that it could be either China, or Russia, behind the attacks, as both countries have been observed recently targeting Cisco vulnerabilities. 

Although not confirmed, the researchers believe firewalls and VPNs from other vendors, including Microsoft, are also being targeted. Cisco has since released patches for both flaws. Note that patching closes the vulnerabilities but does not remove an implant that is already present: Line Runner is designed to persist, so affected organizations should also check their devices for signs of compromise rather than rely on the update alone.
