Aliases
UAT4356
Tags
State-Sponsored
Data Exfil.
Attribution
🇨🇳
Incidents
ArcaneDoor Campaign Targeting Cisco Adaptive Security Appliance 0day
Renewed "ArcaneDoor" Campaign Targeting 0-day Vulnerabilities in Cisco ASA
References
https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/
Last edited
Oct 14, 2024 1:57 PM
Status
Finalized
Cloud-fluent
Unique Tools
Line Dancer
Line Runner
Targeted industries
Government
UAT4356, or STORM-1849, is a state-sponsored threat actor known for targeting government networks worldwide through a campaign called ArcaneDoor. They exploited two zero-day vulnerabilities in Cisco Adaptive Security Appliances to deploy custom malware implants named "Line Runner" and "Line Dancer." Demonstrating an in-depth understanding of Cisco systems, UAT4356 employed anti-forensic techniques and took deliberate measures to evade detection. Their sophisticated attack chain enabled them to perform malicious activities such as modifying configurations, conducting reconnaissance, capturing and exfiltrating network traffic, and potentially moving laterally across compromised devices.