At a glance.
- ArcaneDoor cyberespionage campaign exploited Cisco zero-days.
- Progress Flowmon receives patch for critical flaw.
- US DOJ charges two individuals for alleged cryptocurrency laundering.
ArcaneDoor cyberespionage campaign exploited Cisco zero-days.
Cisco Talos describes a sophisticated cyberespionage campaign by a previously unobserved state-sponsored threat actor that targeted vulnerabilities affecting Cisco Adaptive Security Appliances (ASAs). Beginning in November 2023, the threat actor used two ASA zero-days (CVE-2024-20353 and CVE-2024-20359) to deploy two backdoors dubbed "Line Runner" and "Line Dancer" within government networks around the world. Line Dancer is used to execute commands, while Line Runner allows the threat actor to maintain persistence on a compromised device.
Cisco has issued patches for the two vulnerabilities and urges customers to apply them as soon as possible. The company adds, "[N]etwork telemetry and information from intelligence partners indicate the actor is interested in — and potentially attacking — network devices from Microsoft and other vendors. Regardless of your network equipment provider, now is the time to ensure that the devices are properly patched, logging to a central, secure location, and configured to have strong, multi-factor authentication (MFA)."
The UK's National Cyber Security Centre (NCSC), the Canadian Centre for Cyber Security, and the Australian Signals Directorate's Cyber Security Centre issued a joint advisory on the campaign, stating, "The sophistication demonstrated by the threat actors’ use of multiple layers of novel techniques and the concurrent operations against multiple targets around the world is cause for concern to the authoring agencies. Since VPN services are essential components of computer network security, vulnerabilities in such services are particularly consequential and a public disclosure of critical vulnerabilities can enable their use by a wide variety of threat actors."