CVE-2024-20353, CVE-2024-20359: Frequently Asked Questions About ArcaneDoor

Frequently asked questions about CVE-2024-20353 and CVE-2024-20359, two vulnerabilities associated with “ArcaneDoor,” the espionage-related campaign targeting Cisco Adaptive Security Appliances.

Background

The Tenable Security Response Team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding an espionage campaign called ArcaneDoor.

FAQ

What is ArcaneDoor?

ArcaneDoor is the name given to an espionage-focused campaign disclosed by researchers at Cisco Talos on April 24. The campaign involves a reported state-sponsored actor who has been targeting vulnerable network devices including Cisco’s Adaptive Security Appliances (ASA). The campaign included the exploitation of at least two zero-day vulnerabilities.

What are the vulnerabilities associated with ArcaneDoor?

As of April 25, the following vulnerabilities are attributed to the ArcaneDoor campaign:

Who is the group behind ArcaneDoor?

The group has been labeled UAT4356 by Cisco and STORM-1849 by Microsoft. Cisco attributes this activity with “high confidence” to a state-sponsored actor, though it is unconfirmed which state the group is associated with.

What is the initial access vector for ArcaneDoor?

As of April 25, the initial access vector for the ArcaneDoor campaign is unknown. The investigation into ArcaneDoor is ongoing. We will update this blog post once additional information becomes available.

When did the ArcaneDoor campaign begin?

Cisco says UAT4356 began the development and testing phase for this campaign back in July 2023, setting up the infrastructure for the campaign in November 2023. However, malicious activity associated with ArcaneDoor occurred between December 2023 and early January 2024.

Is any malware associated with ArcaneDoor?

Yes, it appears that UAT4356 deployed two types of malware in the ArcaneDoor campaign:

• Line Dancer: in-memory malware for executing commands and evading analysis
• Line Runner: backdoor malware to maintain persistence

For analysis of Line Dancer and Line Runner, please refer to the Cisco Talos blog post.

Are there any other good sources of information about ArcaneDoor?

Yes, the Canadian Centre for Cyber Security (Cyber Centre) published an article providing additional insights into the malicious activity associated with ArcaneDoor. In it, the Cyber Centre says that Cisco ASA series ASA55xx running firmware versions 9.12 and 9.14 have been targeted by malicious actors that “established unauthorized access through WebVPN sessions,” which are “commonly associated with Clientless SSLVPN services.”

Are patches available for the vulnerabilities associated with ArcaneDoor?

Yes, Cisco released patches for affected versions of ASA and FTD. For more information, refer to the individual advisory pages for CVE-2024-20353 and CVE-2024-20359.

Cisco published an advisory CVE-2024-20358. Is this CVE associated with ArcaneDoor?

No. While this vulnerability affects the same products and was published alongside the advisories for CVE-2024-20353 and CVE-2024-20359, it was reportedly discovered by Cisco during internal security testing and is not associated with ArcaneDoor.

Are there indicators of compromise (IOCs) associated with ArcaneDoor?

Yes, Cisco published IOCs for ArcaneDoor in its blog post and on GitHub.

Has Tenable released any product coverage for these vulnerabilities?

A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages as they’re released:

This link will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.

Get more information

Join Tenable’s Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.