Over the past few weeks, Cisco and Microsoft dropped a joint bombshell: a stealthy state-sponsored campaign called ArcaneDoor that’s been flying under the radar since late 2023. What’s wild is this isn’t your usual endpoint or server compromise — attackers went straight for network edge devices like Cisco’s ASA and FTD firewalls, weaponizing two zero-days to get persistent, covert access.
Let’s break down what you need to know — especially if you’re blue team or doing real-world defense. This campaign is surgical, quiet, and focused on governments — but the tradecraft applies broadly.
🕵️ Threat Actor: UAT4356 / STORM-1849
Cisco calls them UAT4356, Microsoft calls them STORM-1849. Attribution points to a Chinese state-backed APT, and their goal is straight-up espionage — no ransomware, no noisy payloads. Just long-term access to the crown jewels.
🔍 Initial Access: Two Cisco Zero-Days
This is the scary part — they exploited CVE-2024-20353 and CVE-2024-20359, both zero-days at the time:
- CVE-2024-20353: High severity (CVSS 8.6), DoS flaw in ASA/FTD — likely abused to destabilize or disable defenses.
- CVE-2024-20359: Medium severity (CVSS 6.0), allowed code execution and persistence.
These let the attackers gain remote, unauthenticated access to firewall devices — no credentials needed. That’s a huge deal.
💀 Payloads: Custom Implants on the Firewall
Once in, they dropped two custom malware tools built specifically for Cisco gear:
- Line Dancer – in-memory shellcode runner. Doesn’t touch disk. Used to:
  - Dump configs
  - Capture packets
  - Disable syslog
  - Trigger reverse VPNs (!)
- Line Runner – persistence implant. Hijacks a legacy VPN feature to survive reboots. Hooks into the device startup sequence using an abused vpn web-launch mechanism.
These implants effectively gave the attacker root-level persistence on the network perimeter — logging tampered, stealth access ensured.
🎯 Target Profile: Governments
Cisco didn’t name names, but this wasn’t a spray-and-pray. A small number of government organizations across regions were hit — suggesting high-value intelligence targets, probably with geopolitical value.
This wasn’t opportunistic. It was targeted, long-prepped, and likely backed by deep R&D (the implants were being tested as early as mid-2023).
🧩 TTP Summary (MITRE-style):
| Tactic | Technique | Detail |
|---|---|---|
| Initial Access | [T1190] Exploit Public-Facing App | Firewall zero-days used |
| Persistence | [T1547.001] Boot or Logon Autostart | Line Runner modifies device boot behavior |
| Execution | [T1059.002] Command & Script Interpreter: Shellcode | Line Dancer executes custom shellcode |
| Defense Evasion | [T1562.002] Disable Logging | Syslog tampered/disabled during op |
| Exfiltration | [T1048.003] Exfiltration Over Alternative Protocol | VPN tunnels abused for callback |
🧪 IOCs and Detection
Because this runs in memory on network gear, don’t expect EDR to catch it.
Look for:
- Syslog gaps – legit firewalls don’t just stop logging for no reason.
- Unexpected reboots or crashes
- Unknown VPN tunnels
- Strange outbound HTTP/S traffic originating from the firewall
There are no typical hashes/files. This is pure behavioral detection unless you’re memory dumping the device.
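Since the detection story here is behavioral, the following is an added example (my own code, not Cisco’s and not from this post) of what the “look for” list turns into once your firewall syslog is exported off-device and your flow records land somewhere a script can read them. It runs over constructed sample telemetry embedded in the block: the hostnames, addresses, timestamps and flow records are invented, and the ASA message IDs are used only to make the samples look like real syslog, not copied from a capture. It flags four things from the list above and the SOC advice at the end of the post: silences in a device’s log stream, config commands that change logging, phase-2 VPN completions with peers not in your inventory, and HTTP/S flows sourced from the firewall’s own address.

```python
"""Behavioural checks for the signals listed above, run over constructed
firewall telemetry. Added example; not Cisco's tooling and not from the post."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample syslog (timestamp host message). The message IDs follow the
# ASA format, but every event below is invented for this example.
SAMPLE_SYSLOG = """\
2024-04-20T10:00:00 fw-edge-1 %ASA-6-302013: Built outbound TCP connection 1001 for outside:203.0.113.5/443 to inside:10.0.0.25/51000
2024-04-20T10:05:00 fw-edge-1 %ASA-5-111008: User 'enable_15' executed the 'no logging host inside 10.0.0.50' command.
2024-04-20T10:06:00 fw-edge-1 %ASA-6-302014: Teardown TCP connection 1001 for outside:203.0.113.5/443 to inside:10.0.0.25/51000
2024-04-20T11:30:00 fw-edge-1 %ASA-6-302013: Built outbound TCP connection 1002 for outside:203.0.113.9/443 to inside:10.0.0.31/51002
2024-04-20T11:31:00 fw-edge-1 %ASA-5-713120: Group = unknown-peer, IP = 198.51.100.77, PHASE 2 COMPLETED
2024-04-20T10:00:00 fw-edge-2 %ASA-6-302013: Built outbound TCP connection 2001 for outside:203.0.113.5/443 to inside:10.0.1.25/51000
2024-04-20T10:10:00 fw-edge-2 %ASA-6-302014: Teardown TCP connection 2001 for outside:203.0.113.5/443 to inside:10.0.1.25/51000
2024-04-20T10:20:00 fw-edge-2 %ASA-5-713120: Group = branch-office, IP = 192.0.2.10, PHASE 2 COMPLETED
"""

SYSLOG_RE = re.compile(r"^(\S+) (\S+) (.*)$")
VPN_RE = re.compile(r"Group = (\S+), IP = (\S+), PHASE 2 COMPLETED")
LOGGING_CMD_RE = re.compile(r"executed the '(no logging[^']*|logging[^']*)' command")


def parse_syslog(text):
    """Split 'timestamp host message' lines into dicts; skip anything malformed."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line.strip())
        if not m:
            continue
        ts, host, msg = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "host": host, "msg": msg})
    return events


def find_log_gaps(events, max_gap=timedelta(minutes=15)):
    """(host, gap_start, gap_end, minutes) for every silence longer than max_gap."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e["ts"])
    gaps = []
    for host, stamps in by_host.items():
        stamps.sort()
        for a, b in zip(stamps, stamps[1:]):
            if b - a > max_gap:
                gaps.append((host, a, b, int((b - a).total_seconds() // 60)))
    return gaps


def find_logging_changes(events):
    """Config commands that alter logging on the device (syslog-tampering signal)."""
    return [(e["host"], e["ts"], m.group(1))
            for e in events if (m := LOGGING_CMD_RE.search(e["msg"]))]


def find_unknown_vpn_tunnels(events, known_peers):
    """Phase-2 VPN completions whose peer IP is not in the known-peer inventory."""
    hits = []
    for e in events:
        m = VPN_RE.search(e["msg"])
        if m and m.group(2) not in known_peers:
            hits.append((e["host"], m.group(1), m.group(2)))
    return hits


# Constructed flow records as an external tap or NetFlow collector would see them.
SAMPLE_FLOWS = [
    {"src": "198.51.100.2", "dst": "203.0.113.50", "dport": 443, "bytes": 5120},  # firewall's own address
    {"src": "198.51.100.2", "dst": "10.0.0.50", "dport": 514, "bytes": 200},      # syslog export, expected
    {"src": "10.0.0.25", "dst": "203.0.113.5", "dport": 443, "bytes": 9000},      # ordinary client traffic
]


def find_firewall_egress(flows, firewall_ips, allowed_dsts=frozenset()):
    """HTTP/S flows sourced from the firewall's own addresses that are not allow-listed."""
    return [f for f in flows
            if f["src"] in firewall_ips and f["dport"] in (80, 443)
            and f["dst"] not in allowed_dsts]


def run_checks(syslog_text=SAMPLE_SYSLOG, flows=SAMPLE_FLOWS):
    """Run all four checks; known_peers and firewall_ips are constructed inventories."""
    events = parse_syslog(syslog_text)
    return {
        "log_gaps": find_log_gaps(events),
        "logging_changes": find_logging_changes(events),
        "unknown_vpn": find_unknown_vpn_tunnels(events, known_peers={"192.0.2.10"}),
        "firewall_egress": find_firewall_egress(flows, firewall_ips={"198.51.100.2"}),
    }


if __name__ == "__main__":
    for name, hits in run_checks().items():
        print(f"{name}: {len(hits)} hit(s)")
        for h in hits:
            print("   ", h)
```

On the sample data, fw-edge-1 trips all four checks (an 84-minute silence right after a `no logging host` command, a tunnel to an uninventoried peer, and a 443 flow from the firewall’s own address) while fw-edge-2, which logs steadily and only talks to a known peer, stays quiet. The gap check only works if the log stream leaves the device, which is the real reason behind the “export logs off-device” mitigation: a locally disabled syslog is invisible, but a collector that stops receiving is a measurable event. The egress check assumes flow records from outside the firewall where its management or outside address is the true source; NAT’d client traffic will share that address, so scope it to management interfaces or subtract known client flows before alerting on it.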
🛡️ Mitigations (Actionable Stuff)
- Patch Now: Cisco has released fixed versions of ASA/FTD. Get on ASA 9.18(4) or FTD 7.3.1 or later.
- Check for Implants: Cisco’s Support Assistant tool can help validate firmware integrity.
- Export Logs Off-Device: So attackers can’t nuke local syslog and hide.
- Segment Admin Interfaces: Never expose firewall management ports directly to the internet.
- Monitor Firewalls Like Hosts: They’re not just appliances — they’re attack surfaces now.
🧠 Final Thoughts
This campaign is a wake-up call. Firewalls and “network appliances” are now prime targets, and attackers are dropping the same APT-level effort into them as they used to reserve for servers. If your device has firmware, it’s in scope.
Also — the implants here show in-depth Cisco ASA internals knowledge. That’s not commodity stuff. We’re dealing with nation-state engineering, not GitHub copy-paste malware.
If you’re on a blue team, don’t just patch — investigate. And if you’re in a SOC, start alerting on outbound traffic from firewall IPs, missing logs, and VPN oddities. Edge infrastructure is the new soft target — because no one’s watching it.