Defending Against ArcaneDoor: How Eclypsium Protects Network Devices

Introduction

In coordination with multiple government agencies, Cisco announced yesterday the discovery of a new backdoor targeting their Adaptive Security Appliances (ASA). The threat actor is new, tracked by Cisco as UAT4356 and STORM-1849 by Microsoft, and leveraged two zero-day vulnerabilities in the campaign dubbed ArcaneDoor. The campaign started in November 2023, predating the recent attacks against Ivanti Connect Secure and Palo Alto Networks PAN-OS but unlike those campaigns, the zero days involved were not used for initial access (according to the analysis available as of this writing). Rather, they were used to install the custom, Lua-based malware and maintain persistent access across device reboots.

Context

The state-sponsored actors, identified as UAT4356 or STORM-1849, exploited these devices as initial intrusion points for espionage. As we have posted about repeatedly, VPN devices and other edge network appliances are prime targets for advanced actors, and while there is no attribution provided in the case of ArcaneDoor, Chinese groups are proving particularly adept at finding zero-day vulnerabilities in these products. “In the past year [2023] alone, Mandiant has investigated several high-profile cases of suspected Chinese espionage operations leveraging zero-day and n-day vulnerabilities to target systems where visibility has been difficult to instrument,” Mandiant wrote in its M-Trends report published on April 23.

This ArcaneDoor campaign uses two backdoors, Line Runner and Line Dancer, to modify configurations, capture network traffic, and potentially conduct lateral movements. Cisco Talos uncovered the campaign after investigating suspicious activities on Cisco ASAs, revealing custom malware used across multiple victims, mainly government networks and of note, four of the “5 eyes” countries are represented in the coordinated response:

• Australian Signals Directorate’s Australian Cyber Security Centre 
• Canadian Centre for Cyber Security
• The UK’s National Cyber Security Centre (NCSC) 
• U.S. Cybersecurity & Infrastructure Security Agency (CISA) 

While the ArcaneDoor campaign is focused on espionage, U.S. FBI Director Christopher Wray has warned that the Chinese state-sponsored group Volt Typhoon has compromised numerous organizations in telecommunications, energy, water and other critical sectors so that they can “physically wreak havoc on our critical infrastructure at a time of its choosing.” “Its plan is to land low blows against civilian infrastructure to try to induce panic,” Wray said in a recent speech.

Implants Used in ArcaneDoor

The most interesting part of this campaign are the implants, because the zero days involved were to facilitate both the loading of the malware and maintaining persistence through reboots. There are two implants, Line Dancer which is the in-memory implant that leverages CVE-2024-20353 to process command & control instructions, and Line Runner which uses CVE-2024-20359 to load the malware during system boot. The advisory from Cisco Talos has an extremely detailed, highly technical explanation of both implants, which we are summarizing below.

Line Dancer

This implant is a memory-resident shellcode interpreter used after the Cisco ASA has already been breached; the initial compromise vector is currently unknown. It facilitates arbitrary shellcode execution by intercepting and repurposing the SSL VPN session’s host-scan-reply field in Cisco Adaptive Security Appliances (ASA). This manipulation allows threat actors to disable syslog, extract configurations, create packet captures, and execute CLI commands without traditional authentication. Additionally, Line Dancer can manipulate crash dumps and authentication systems, significantly hindering forensic analysis and enabling unauthorized remote access. To avoid detection, it modifies the core dump functionality in-memory as an anti-forensics method. If an incident response team triggers a core dump—which normally writes all memory contents to disk for offline analysis – the malware jumps directly to reboot without writing the core file. 

Line Runner

Line Runner exploits a legacy VPN client pre-loading mechanism on Cisco ASA devices, activating at boot from a ZIP file on disk0. It uses a crafted script, csco_config.lua, to install the Line Dancer HTTP-based Lua backdoor that remains through reboots and upgrades. Once executed, “Line Runner” sets up various scripts and modifications to facilitate remote control and avoid detection, resetting the system modifications post-activation to cover its tracks. Most notably, the attackers prepend commands into the /etc/init.d/unmountfs script which is one of the last scripts run before device reboot. These commands copy the malware ZIP file from an administratively inaccessible location to disk0 which is subsequently processed during boot. After the malware has installed itself, it deletes itself from disk to prevent detection.

Crafting malware for network appliances such as Line Dancer and Line Runner is difficult, as vendors restrict direct access to the operating system and file system. Attackers must sustain a resource-intensive development cycle and use advanced technical skills. However, creating these types of custom implants yields pronounced outcomes when attackers can do so. 

Additional Reading on ArcaneDoor

• Cisco Talos: ArcaneDoor – New espionage-focused campaign found targeting perimeter network devices
• ArsTechnica: Nation-state hackers exploit Cisco firewall 0-days to backdoor government networks
  U.K. NCSC: TIP Line Runner
• Canadian Centre for Cyber Security: Cyber Activity Impacting CISCO ASA VPNs
• Australian Cyber Security Centre: Exploitation of vulnerabilities affecting Cisco firewall platforms

How Eclypsium Can Help

Eclypsium focuses on protecting IT infrastructure, especially parts that are not covered by EDR. As endpoint security at the OS level improves, attackers are focusing on bypassing those protections by targeting system firmware and the boot process. (Watch this example.) In addition, they are targeting appliances that do not support EDR, especially network devices that must be directly connected to the internet in order to do their job. 

Both nation-state and financially motivated groups are exploiting either known or zero-day vulnerabilities in these appliances to gain initial access, move laterally, and exfiltrate data out of the victim’s environment. Eclypsium has developed EDR-like threat detection capabilities to spot this type of malicious behavior. In addition, we offer vulnerability management capabilities to help harden these appliances. 

In the case of the ArcaneDoor campaign, Eclypsium has added to our platform the ability to not only identify vulnerable Cisco ASA devices, but also to detect compromise with the Line Dancer implant, as shown in the screenshots below. If you would like to learn more about Eclypsium’s capabilities to protect network devices, please request a demo.

Learn More

• White paper: Network Infrastructure on the Front Line
• Webinar: Looking Back to See Ahead, a History of Network Device Threats
• Blog: A New Approach to Defending Network Infrastructure from Ransomware Groups and APTs

Eclypsium detects indicators of compromise, including artifacts for the Line Dancer implant.

Identification of CVE-2024-20353 used in the ArcaneDoor campaign

Identification of CVE-2024-20358 used in the ArcaneDoor campaign

Identification of CVE-2024-20359 used in the ArcaneDoor campaign

The post Defending Against ArcaneDoor: How Eclypsium Protects Network Devices appeared first on Eclypsium | Supply Chain Security for the Modern Enterprise.

Article Link: https://eclypsium.com/blog/defending-against-arcanedoor-how-eclypsium-protects-network-devices/