Cisco firewalls hit by zero-day breach target government sites around the world


Concretely, Arcane Door is deployed in two stages. The first stage exploits two zero-day vulnerabilities (flaws for which no fix was available at the time), CVE-2024-20353 and CVE-2024-20359, in Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) devices.

CVE-2024-20353 is a high-severity vulnerability with a CVSS score of 8.6. It lies in the management web server and VPN web server of Cisco ASA and FTD devices, and allows a remote attacker to trigger certain actions on the affected device, such as a reset, resulting in a denial of service.

The second flaw, CVE-2024-20359, is rated less severe with a CVSS score of 6.0 but is equally damaging in practice: an attacker who already holds administrator access can exploit it to execute arbitrary code with root-level privileges.

Once these two flaws have been exploited, the path is clear for the second stage: deploying two pieces of malware, each with a specific role in the campaign. The first, Dancer, is a memory-resident implant that executes shellcode payloads, disables syslog, runs commands and forces device reboots, which helps it evade analysis. It can also tamper with the AAA function so that a VPN tunnel connection is accepted using "magic number" authentication. The second, Line Runner, is a persistent web shell that can download and run Lua scripts supplied by the attacker.
