Frequently asked questions about CVE-2024-20353 and CVE-2024-20359, two vulnerabilities associated with “ArcaneDoor,” the espionage-related campaign targeting Cisco Adaptive Security Appliances.
The Tenable Security Response Team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding an espionage campaign called ArcaneDoor.
What is ArcaneDoor?
ArcaneDoor is the name given to an espionage-focused campaign disclosed by researchers at Cisco Talos on April 24. The campaign involves a reported state-sponsored actor who has been targeting vulnerable network devices including Cisco’s Adaptive Security Appliances (ASA). The campaign included the exploitation of at least two zero-day vulnerabilities.
What are the vulnerabilities associated with ArcaneDoor?
As of April 25, the following vulnerabilities are attributed to the ArcaneDoor campaign:
CVE | Description | CVSSv3 |
---|---|---|
CVE-2024-20353 | Cisco ASA and Firepower Threat Defense (FTD) Software Web Services Denial of Service Vulnerability | 8.6 |
CVE-2024-20359 | Cisco ASA and FTD Software Persistent Local Code Execution Vulnerability | 6.0 |
Who is the group behind ArcaneDoor?
The group has been labeled UAT4356 by Cisco and STORM-1849 by Microsoft. Cisco attributes this activity with “high confidence” to a state-sponsored actor, though it is unconfirmed which state the group is associated with.
What is the initial access vector for ArcaneDoor?
As of April 25, the initial access vector for the ArcaneDoor campaign is unknown. The investigation into ArcaneDoor is ongoing. We will update this blog post once additional information becomes available.
When did the ArcaneDoor campaign begin?
Cisco says UAT4356 began the development and testing phase for this campaign back in July 2023, setting up the infrastructure for the campaign in November 2023. However, malicious activity associated with ArcaneDoor occurred between December 2023 and early January 2024.
Is any malware associated with ArcaneDoor?
Yes, it appears that UAT4356 deployed two types of malware in the ArcaneDoor campaign:
For analysis of Line Dancer and Line Runner, please refer to the Cisco Talos blog post.
Are there any other good sources of information about ArcaneDoor?
Yes, the Canadian Centre for Cyber Security (Cyber Centre) published an article providing additional insights into the malicious activity associated with ArcaneDoor. In it, the Cyber Centre says that Cisco ASA series ASA55xx running firmware versions 9.12 and 9.14 have been targeted by malicious actors that “established unauthorized access through WebVPN sessions,” which are “commonly associated with Clientless SSLVPN services.”
Are patches available for the vulnerabilities associated with ArcaneDoor?
Yes, Cisco released patches for affected versions of ASA and FTD. For more information, refer to the individual advisory pages for CVE-2024-20353 and CVE-2024-20359.
Cisco published an advisory CVE-2024-20358. Is this CVE associated with ArcaneDoor?
No. While this vulnerability affects the same products and was published alongside the advisories for CVE-2024-20353 and CVE-2024-20359, it was reportedly discovered by Cisco during internal security testing and is not associated with ArcaneDoor.
Are there indicators of compromise (IOCs) associated with ArcaneDoor?
Yes, Cisco published IOCs for ArcaneDoor in its blog post and on GitHub.
Has Tenable released any product coverage for these vulnerabilities?
A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages as they’re released:
This link will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
Satnam joined Tenable in 2018. He has over 15 years experience in the industry (M86 Security and Symantec). He contributed to the Anti-Phishing Working Group, helped develop a Social Networking Guide for the National Cyber Security Alliance, uncovered a huge spam botnet on Twitter and was the first to report on spam bots on Tinder. He's appeared on NBC Nightly News, Entertainment Tonight, Bloomberg West, and the Why Oh Why podcast.
Interests outside of work: Satnam writes poetry and makes hip-hop music. He enjoys live music, spending time with his three nieces, football and basketball, Bollywood movies and music and Grogu (Baby Yoda).
Enter your email and never miss timely alerts and security guidance from the experts at Tenable.
Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.
Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.
Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.
100 assets
Choose Your Subscription Option:
Thank you for your interest in Tenable Vulnerability Management. A representative will be in touch soon.
Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.
Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.
Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.
100 assets
Choose Your Subscription Option:
Thank you for your interest in Tenable.io. A representative will be in touch soon.
Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.
Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.
Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.
100 assets
Choose Your Subscription Option:
Thank you for your interest in Tenable Vulnerability Management. A representative will be in touch soon.
Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.
Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.
Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.
Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.
Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.
Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.
Thank you for your interest in Tenable Lumin. A representative will be in touch soon.
Please fill out this form with your contact information.
A sales representative will contact you shortly to schedule a demo.
* Field is required
Get the Operational Technology Security You Need.
Reduce the Risk You Don’t.
Continuously detect and respond to Active Directory attacks. No agents. No privileges.
On-prem and in the cloud.
Exceptional unified cloud security awaits you!
We’ll show you exactly how Tenable Cloud Security helps you deliver multi-cloud asset discovery, prioritized risk assessments and automated compliance/audit reports.
Exposure management for the modern attack surface.
Know the exposure of every asset on any platform.
Thank you for your interest in Tenable Attack Surface Management. A representative will be in touch soon.
FREE FOR 7 DAYS
Tenable Nessus is the most comprehensive vulnerability scanner on the market today.
Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.
Fill out the form below to continue with a Nessus Pro Trial.
Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.
Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.
FREE FOR 7 DAYS
Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.
Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.
Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.
Tenable solutions help fulfill all SLCGP requirements. Connect with a Tenable representative to learn more.