Cisco Reveals Hackers Exploited Zero-Day Vulnerabilities to Target Government Networks

Cisco discloses nation-state hackers exploiting zero-day vulnerabilities in its firewalls to breach government networks globally, highlighting the importance of timely patching and robust cybersecurity measures.

Aqsa Younas Rana

Cisco Systems Inc. has disclosed that a suspected nation-state hacking group has been actively exploiting two previously unknown security vulnerabilities in its products to breach government networks worldwide since November 2023. The campaign, dubbed "ArcaneDoor" by Cisco's Talos threat intelligence team, targeted the company's widely used Adaptive Security Appliance (ASA) firewalls.

According to Cisco, the threat actor, tracked as UAT4356 or STORM-1849, exploited two zero-day vulnerabilities in the ASA software: CVE-2024-20353, which could allow an unauthenticated remote attacker to cause the device to reload unexpectedly, and CVE-2024-20359, which could allow an authenticated local attacker to execute arbitrary code with root-level privileges. By leveraging these flaws, the attackers deployed custom malware implants called "Line Dancer" and "Line Runner" to establish persistent access and conduct espionage activities.

Why this matters: This incident highlights the ongoing threat of sophisticated state-sponsored actors targeting critical network infrastructure to gain unauthorized access to sensitive government data. The exploitation of zero-day vulnerabilities in widely deployed security appliances underscores the importance of timely patching and robust cybersecurity measures to defend against evolving cyber espionage campaigns.

Cisco strongly recommends that all customers upgrade to the fixed software versions released on April 24, 2024, to address these vulnerabilities. The company also advises organizations to monitor system logs for indicators of compromise, ensure devices are properly configured with strong authentication, and regularly review security best practices. "We've observed a global increase in the number of scans and attempted access to these appliances, suggesting that other threat actors are attempting to exploit these vulnerabilities," Cisco Talos noted in a blog post.
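The first recommendation above, upgrading to the fixed releases, is only actionable if an organization can tell which of its ASA devices are still running an older build. The following script is an added example, not code from Cisco or from this article, that parses the ASA version string format (major.minor(maintenance)interim, e.g. "9.16(4)57") and compares each device in an inventory against the fixed build for its release train. The fixed version numbers in `FIXED_BY_TRAIN` are placeholders, because this page does not list the actual fixed releases; the device inventory is constructed sample data, and the "Software Version" line format of `show version` output is assumed.

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int, int]

# ASA version strings look like "9.16(4)57" or "9.18(3)":
# major.minor(maintenance)interim, where the interim build is optional.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)(\d*)$")

# PLACEHOLDER values: the real fixed releases come from Cisco's advisory,
# not from this page. Replace these before using the script for real.
FIXED_BY_TRAIN: Dict[Tuple[int, int], str] = {
    (9, 16): "9.16(4)50",
    (9, 18): "9.18(4)5",
}

# Constructed sample inventory: device name -> captured 'show version' output.
SAMPLE_INVENTORY: Dict[str, str] = {
    "fw-edge-01": "Cisco Adaptive Security Appliance Software Version 9.16(4)42",
    "fw-edge-02": "Cisco Adaptive Security Appliance Software Version 9.16(4)60",
    "fw-dc-01": "Cisco Adaptive Security Appliance Software Version 9.18(3)",
    "fw-lab-01": "Cisco Adaptive Security Appliance Software Version 9.12(4)50",
}


def parse_asa_version(text: str) -> Version:
    """Convert an ASA version string into a tuple that compares correctly.

    Raises ValueError for strings that do not match the ASA format, so a
    garbled inventory entry is reported instead of silently passing.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ASA version string: {text!r}")
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim) if interim else 0)


def extract_version(show_version_output: str) -> str:
    """Pull the version token out of the 'Software Version' line (assumed format)."""
    m = re.search(r"Software Version\s+(\S+)", show_version_output)
    if not m:
        raise ValueError("no 'Software Version' line found in output")
    return m.group(1)


def patch_status(running: str,
                 fixed_by_train: Dict[Tuple[int, int], str]) -> Tuple[str, Optional[str]]:
    """Classify one device as ('ok' | 'patch' | 'unknown-train', fixed release).

    Fixes ship per release train (major.minor), so a device is compared only
    with the fixed build of its own train. A train missing from the table is
    flagged as 'unknown-train' rather than assumed safe.
    """
    current = parse_asa_version(running)
    fixed = fixed_by_train.get(current[:2])
    if fixed is None:
        return ("unknown-train", None)
    return ("ok" if current >= parse_asa_version(fixed) else "patch", fixed)


def audit(inventory: Dict[str, str],
          fixed_by_train: Dict[Tuple[int, int], str]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Run patch_status over every device in a {name: 'show version' output} map."""
    return {name: patch_status(extract_version(out), fixed_by_train)
            for name, out in inventory.items()}


if __name__ == "__main__":
    for name, (status, fixed) in audit(SAMPLE_INVENTORY, FIXED_BY_TRAIN).items():
        print(f"{name:12} {status:14} fixed build: {fixed or 'n/a'}")
```

Devices reported as `patch` are below the fixed build of their train, and `unknown-train` marks a train for which no fixed build has been entered, which deserves a manual look rather than a free pass.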

The ArcaneDoor campaign is part of a broader trend of nation-state actors, particularly those aligned with China, targeting network perimeter devices like firewalls and VPNs as initial access points for cyber espionage operations. In March 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and FBI issued a joint advisory warning of Chinese state-sponsored hackers exploiting vulnerabilities in several popular networking devices to compromise major telecommunications companies and network service providers.

Cisco has stated that the ArcaneDoor campaign affected a limited set of customers, primarily involving government networks. However, the company acknowledged that the threat actor's initial access vector remains unknown, suggesting that other vulnerabilities or attack paths may have been used. As the investigation progresses, Cisco urges all organizations to prioritize timely software updates, implement multi-factor authentication, and maintain vigilance against emerging threats to their network infrastructure.

Key Takeaways

  • Cisco disclosed two zero-day vulnerabilities in ASA firewalls exploited by nation-state hackers.
  • Attackers deployed custom malware to gain persistent access and conduct espionage on government networks.
  • Cisco urges customers to patch vulnerabilities and implement robust cybersecurity measures to mitigate risks.
  • The campaign is part of a broader trend of nation-state actors targeting network perimeter devices.
  • Cisco acknowledged the initial access vector remains unknown, suggesting other vulnerabilities may have been used.