virus logo Threat Signal Report

ArcaneDoor Attack (CVE-2024-20353 and CVE-2024-20359)

Description

What is the Attack? Cisco issued an advisory on 24th April, regarding its Adaptive Security Appliances, multifunctional devices combining firewall, VPN, and other security functions. It reported that these appliances had become the focus of state-sponsored espionage, with attackers exploiting two previously unknown vulnerabilities to infiltrate government entities worldwide. In this campaign, two backdoors were deployed: "Line Runner" and "Line Dancer." These backdoors operated in tandem to execute various malicious activities on the target systems, encompassing configuration alterations, reconnaissance, capturing/exfiltrating network traffic, and potentially facilitating lateral movement.
What is the recommended Mitigation? According to Cisco's advisory, the initial attack vector remains unidentified, two vulnerabilities (CVE-2024-20353 and CVE-2024-20359) have been pinpointed. Customers are strongly urged to adhere to the instructions outlined in the security advisories provided. https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_attacks_event_response
What FortiGuard Coverage is available? FortiGuard Labs has blocked all the known Indicators of compromise (IoCs) related to this campaign as listed on Cisco's advisory and is currently investigating for further protections. Meanwhile, FortiGuard Labs recommends users apply patches as provided by Cisco's Product Security Incident Response Team (PSIRT).

Appendix

ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices (talosintelligence.com)
Cisco Event Response: Attacks Against Cisco Firewall Platforms


Date Apr 24, 2024
CVE ID CVE-2024-20353
CVE-2024-20359
Threat/
Vulnerability		 Threat
Threat Actor Type Espionage
Experienced a Breach? We're here to help FortiGuard Incident Response Services
FortiGuard Incident Response Services