ArcaneDoor – New campaign found targeting network devices

blog.talosintelligence.com

72 points by voisin 15 days ago

> While we have been unable to identify the initial attack vector, we have identified two vulnerabilities (CVE-2024-20353 and CVE-2024-20359)

So update but probably remain vulnerable - there is no reason to think CISCO has fixed the original vulnerability.

Irrelevant aside: CISCO could have just reported a couple of zero-days they already knew of. Maybe vendors will start stockpiling zero-days ;-P

1oooqooq - 14 days ago

how do you close a door you're required to have open? and how do you notify customers if a fisa order prevents you from doing so?
i wouldn't want to be a network appliance vendor in the usa or cn at this last decade!
- robocat - 14 days ago
  
  They should at least say (unless too revealing) how they are going to determine the initial access vector used in this campaign.
  E.g. say a dedicated team is being financed with $xM.
  E.g. say that they are setting up honeypot devices to capture the initial vector.
  E.g. say that code is having a complete external audit and fuzz.
  I'm not a security expert but if I were a customer I would be pretty dissapointed in the timeline so far and very dissappointed in their respose.
  It looks like the vulnerabilities fixed only prevent the Line Runner malware reinstalling itself on boot. And nothing is done about Line Dancer.
  - 1oooqooq - 14 days ago
    
    what are you on about? they can't do any of those things, by law

_obviously - 14 days ago

This attack is very sophisticated and still the root cause is undiscovered.

mrbluecoat - 14 days ago

This should be the opening statement of that article.
hnthrowaway0328 - 14 days ago

How does one learn to understand these kind of attacks, other than networking and Cisco router OS?
- _obviously - 5 days ago
  
  WireShark would be a good start

buildbot - 15 days ago

It’s interesting how it always the big vendors that seem to suffer attacks like this - is it the more positive angle that simply nobody important uses stuff like opnsense? Or more negatively, not enough people paying attention to catch these attacks?

er4hn - 15 days ago

If this were to happen to an OSS product it would likely get a CVE, but it's less likely to get a report on the controller's behind this and a well written page with pretty graphics unless a security researcher wanted to bolster their credentials.
Cisco has enough money to fund their own security company which lets them also investigate issues and issue statements of the form: We are so significant that nation-states target our equipment. We are also so dedicated to security we will write up these reports to show this dedication.
Part of it is it makes them look cool. Part of it is if they don't they risk the govt dragging them through the mud, like CISA did for the MSFT email breach. CISA already releases a lot of alerts on Cisco as it is.
- m000 - 14 days ago
  
  > We are so significant that nation-states target our equipment.
  Maybe if they didn't lobby so hard, they would have been spared and Huawei would have been targeted instead. /s
  > they risk the govt dragging them through the mud
  Lol. Chances are they're probably already in bed with all sorts of 3-letter agencies for things we'll never learn.
hn_version_0023 - 15 days ago

I think its that anyone important has significant money on the line, and hence wants or requires support contracts for their technicians and engineers. That wildly narrows the range of acceptable choices to pretty much just enterprise vendors (IMO), with the result being a greatly reduction attack surface?

GartzenDeHaes - 14 days ago

Might be off topic, but has Cisco ASA improved much in the past four or five years? The one I had years ago was not much use for anything other than basic access rules.

tsujamin - 14 days ago

There’s a whole load more checks for “../“ patterns in the web code since the bugs around 2020 :)
insearchoflost - 14 days ago

No one who cares and has any say in it had been using ASAs for over a decade.

zmgsabst - 14 days ago

Could this kind of attack be used to intercept a WebEx call, say between German generals?

XorNot - 14 days ago

I mean I wouldn't worry about that, just wait for one guy to dial in from an unsecured phone in Singapore[1].
[1] https://www.reuters.com/world/europe/german-minister-says-pa...
- robocat - 14 days ago
  And thus you can blame the individual:
  Pistorius said. "The reason the air force call could nonetheless be recorded was because of an individual's operational mistake."
  No need to blame their security systems/protocols that permitted insecure comms!

ChrisArchitect - 15 days ago

Cisco says hackers subverted its security devices to spy on governments

https://news.ycombinator.com/item?id=40174207

_wire_ - 15 days ago

"espionage-focused campaign found targeting network devices"

Nice copy.

—"multiple vendors" = Cisco and Microsoft... and others

"these devices need to be routinely and promptly patched; using up-to-date hardware"

Contact sales at xxx...

"Cisco’s position as a leading global network infrastructure vendor gives Talos’ Intelligence and Interdiction team immense visibility into the general state of network hygiene. This also gives us uniquely positioned investigative capability into attacks of this nature."

—Is this a security bulletin or a prospectus? When is a liability an asset? You decide

"Early in 2024, a vigilant customer reached out to both Cisco’s Product Security Incident Response Team (PSIRT) and Cisco Talos to discuss security concerns..."

—More fine copy.

"Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat."

—ABC: Always Be Closing!

"This threat demonstrates several techniques of the MITRE ATT&CK framework, most notably..."

—Several = 15

—List of 100s of vectors and effects over years

"As a part of our ongoing investigation, we have also conducted analysis on possible attribution of this activity. Our attribution assessment is based on the victimology..."

—We still don't know what's going on or why. Order now!

—Re Talos: back in 2008 there was a little upset in bank derivatives due to the standards and practices of a little sector of the bond market called The Ratings Agencies.

—In the tech sector Cisco stock rose sharply on HW sales surge after a critical vulnerability in government systems was exposed in existing HW...

THANK YOU THANK YOU I'LL BE HERE ALL WEEK TRY THE VEAL

1oooqooq - 14 days ago

i vote all hn submissions get a summary by ai trained by on comment. then i won't miss /.

hnthrowaway0328 - 14 days ago

> This implant is a memory-resident shellcode interpreter that enables adversaries to upload and execute arbitrary shellcode payloads.

This sounds interesting. I'm eager to see some code.

nuker - 14 days ago

All my edge devices would be OpenBSD ones. These Ciscos and Junipers have a bad history of backdoors.