Cisco Zero-Days Exploited in State-Sponsored Breach

Network security measures such as firewalls are designed to safeguard corporate networks from breaches. However, it turns out that cybercriminals are increasingly turning these systems against their owners, using them as springboards to infiltrate vulnerable networks.

On Wednesday, Cisco warned that its Adaptive Security Appliances, which integrate firewalls, VPNs, and other security components, had been compromised by a hacker group linked to a hostile nation-state. The attackers exploited two previously unknown vulnerabilities (CVE-2024-20353 and CVE-2024-20359) in Cisco’s products to gain access to governmental facilities in various countries worldwide. This cyberattack has been dubbed ArcaneDoor.

The hacker group, referred to by Cisco's Talos threat intelligence division as UAT4356 and by Microsoft investigators as STORM-1849, had not been associated with any known incident before. However, given their professionalism and focus on cyber espionage, Cisco concludes that they are likely state-sponsored.

CVE-2024-20353

According to specialists, the malicious activity began in November 2023 but peaked between December 2023 and January 2024, when the first victim was identified. “Further investigation revealed other instances of hacking, all involving governmental networks in different countries,” the report states.

The first backdoor, named Line Dancer, allowed malicious code to be injected into the memory of network firewalls, enabling the attackers to execute commands on these systems, intercept network traffic, and steal confidential data. The second backdoor, Line Runner, ensured continued access even after compromised devices were rebooted or updated.

Cisco itself does not name the country involved in the attacks. However, informed sources report that this campaign appears to serve the interests of China.

To address the identified vulnerabilities, Cisco has released corresponding updates and recommends that customers install them as soon as possible. The manufacturer also offers a set of measures to detect possible traces of compromise. Meanwhile, the UK National Cyber Security Centre notes that physically disconnecting ASA devices from power can limit the attackers' access to the system, even though they typically deploy the Line Runner mechanism to maintain persistence.

Experts sound the alarm – over the past two years, they have observed a sharp and steady increase in attacks on perimeter security systems in critical sectors such as telecommunications and energy. Infiltration of such infrastructure is of serious interest to many hostile states.

This alarming trend of attacks on perimeter network systems has reached such proportions that analysts from Mandiant, part of Google, highlighted it in their annual M-Trends report on cyber threats. The document specifically mentions vulnerabilities in products from Barracuda and Ivanti that were widely exploited by hackers last year.