| UAT4356 | |
|---|---|
| Other Names | STORM-1849 |
| Location | Unknown |
| Date of initial activity | 2023 |
| Suspected attribution | State-sponsored threat group |
| Associated Groups | Unknown |
| Motivation | Espionage, data theft |
| Associated tools | Custom malware implants "Line Runner" and "Line Dancer" |
| Active | Yes |
Overview
UAT4356 is a state-sponsored threat actor that targeted government networks globally through a campaign named ArcaneDoor. The actor exploited two zero-day vulnerabilities in Cisco Adaptive Security Appliances (ASA) to deploy custom malware implants called "Line Runner" and "Line Dancer." The actor demonstrated a deep understanding of Cisco systems, used anti-forensic measures, and took deliberate steps to evade detection. UAT4356's attack chain allowed it to modify device configuration, perform reconnaissance, capture and exfiltrate network traffic, and potentially move laterally from compromised devices.
Common targets
Government networks globally, targeted through the ArcaneDoor campaign against perimeter network devices.
Attack Vectors
Exploitation of vulnerabilities in perimeter network devices from multiple vendors.
How they operate
UAT4356 combined CVE-2024-20353 (a denial-of-service flaw) and CVE-2024-20359 (a persistent local code execution bug) to deploy two previously unknown implants and maintain persistence on ASA and FTD devices. As part of this campaign, UAT4356 introduced two backdoors, "Line Runner" and "Line Dancer," to carry out malicious actions such as configuration modification, reconnaissance, network traffic capture and exfiltration, and potentially lateral movement.
The Line Dancer implant allows the execution of commands on the compromised device. The threat actor used Line Dancer to disable syslog, run and exfiltrate the output of "show configuration," create and exfiltrate packet captures, and execute CLI commands carried in shellcode, including configuration-mode commands, with the ability to save them to memory (write mem). Line Dancer also hooks the crash dump process so that no crash dump is generated and the device is forced to reboot instead, evading forensic analysis by preventing evidence of compromise from being recorded. Additionally, it hooks the AAA (Authentication, Authorization, and Accounting) function, enabling a magic-number authentication capability for remote-access VPN tunnel establishment, and generates a P12 blob with an associated certificate for alternative access.
To maintain persistence, the threat actor uses a second backdoor called "Line Runner" on the compromised ASA device, leveraging functionality related to a legacy capability for pre-loading VPN clients and plugins. This persistent backdoor ensures the actor's continued access to the compromised device across reboots.
UAT4356 employed sophisticated methods to avoid forensic detection, indicating a deep understanding of the ASA's inner workings and of Cisco's forensic practices for validating network device integrity. These measures included hooking the AAA function to bypass its normal operation and suppressing crash dumps, demonstrating the threat actor's deliberate efforts to hide its activity and retain control over the compromised devices.
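Two of the behaviours above are directly observable from a central log collector: a device whose syslog stream suddenly goes quiet, and audited CLI commands that disable logging or save the configuration ("write mem"). The following Python script is an added example, not code from the original profile or from Cisco. It parses constructed ASA-style syslog lines (the hostnames, addresses, users and exact message texts are assumptions in the style of ASA message IDs 111008/111010 and 302013/302014, not taken from any real capture), reports devices that have been silent longer than a threshold, and flags watched commands recorded in the command-audit messages.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, not a real capture. Layout assumes "logging timestamp"
# and "logging device-id hostname" are enabled: date, host, then the message.
SAMPLE_LOGS = """\
Apr 24 2024 10:00:01 asa-edge-1 : %ASA-6-302013: Built outbound TCP connection 11 for outside:203.0.113.5/443 to inside:10.0.0.5/51000
Apr 24 2024 10:00:02 asa-edge-2 : %ASA-6-302013: Built outbound TCP connection 12 for outside:203.0.113.6/443 to inside:10.0.0.6/51001
Apr 24 2024 10:05:00 asa-edge-1 : %ASA-5-111010: User 'enable_15', running 'CLI' from IP '192.0.2.10', executed 'show running-config'
Apr 24 2024 10:05:03 asa-edge-1 : %ASA-5-111010: User 'enable_15', running 'CLI' from IP '192.0.2.10', executed 'no logging enable'
Apr 24 2024 10:30:00 asa-edge-2 : %ASA-6-302014: Teardown TCP connection 12 for outside:203.0.113.6/443 to inside:10.0.0.6/51001 duration 0:29:58 bytes 4096 TCP FINs
Apr 24 2024 11:00:00 asa-edge-2 : %ASA-5-111008: User 'admin' executed the 'write memory' command.
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) : %ASA-(?P<sev>\d)-(?P<msgid>\d+): (?P<text>.*)$"
)
# Command-audit messages (111008 and 111010) carry the executed command in quotes.
CMD_RE = re.compile(r"executed (?:the )?'(?P<cmd>[^']+)'")
USER_RE = re.compile(r"User '(?P<user>[^']+)'")

# Commands worth an alert on a perimeter device: anything that switches syslog
# off, and saving the running configuration (the implant's "write mem").
WATCHED_CMDS = (
    re.compile(r"^no logging\b", re.I),
    re.compile(r"^write mem", re.I),
    re.compile(r"^copy running-config startup-config", re.I),
)


def parse_logs(text):
    """Turn raw syslog text into a list of event dicts; unparsable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
            "host": m["host"],
            "msgid": m["msgid"],
            "text": m["text"],
        })
    return events


def find_silent_devices(events, now, max_gap):
    """Return (host, last_seen) for every device whose newest message is older than max_gap."""
    last_seen = {}
    for ev in events:
        if ev["host"] not in last_seen or ev["ts"] > last_seen[ev["host"]]:
            last_seen[ev["host"]] = ev["ts"]
    return sorted((h, t) for h, t in last_seen.items() if now - t > max_gap)


def find_watched_commands(events):
    """Return (host, ts, user, cmd) for audited CLI commands matching WATCHED_CMDS."""
    hits = []
    for ev in events:
        if ev["msgid"] not in ("111008", "111010"):
            continue
        cmd_m = CMD_RE.search(ev["text"])
        if not cmd_m:
            continue
        cmd = cmd_m["cmd"]
        if any(p.search(cmd) for p in WATCHED_CMDS):
            user_m = USER_RE.search(ev["text"])
            hits.append((ev["host"], ev["ts"], user_m["user"] if user_m else "?", cmd))
    return hits


def run_scan(text, now_str, max_gap_minutes):
    """Convenience wrapper: parse, then run both checks against a fixed 'now'."""
    events = parse_logs(text)
    now = datetime.strptime(now_str, "%b %d %Y %H:%M:%S")
    silent = find_silent_devices(events, now, timedelta(minutes=max_gap_minutes))
    hits = find_watched_commands(events)
    return silent, hits


if __name__ == "__main__":
    silent, hits = run_scan(SAMPLE_LOGS, "Apr 24 2024 11:00:00", 30)
    for host, last in silent:
        print(f"SILENT  {host}: no syslog since {last}")
    for host, ts, user, cmd in hits:
        print(f"COMMAND {host} {ts} user={user!r} cmd={cmd!r}")
```

In the sample, asa-edge-1 is reported silent (its last message, the "no logging enable" audit line, is almost an hour old at the chosen "now"), and both the syslog-disabling command and the later "write memory" on asa-edge-2 are flagged, while the routine "show running-config" is not. In production the "now" would be the collector's clock and the gap threshold tuned to each device's normal message rate; a device that stops logging right after a logging-related command is the strongest signal.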
Techniques Used (MITRE)
- Line Runner persistence mechanism (T1037)
- Reboot action via CVE-2024-20353 (T1653)
- Base64 obfuscation (T1140)
- Hooking of the processHostScanReply() function (T0874)
- Disabling syslog and tampering with AAA (T1562.001)
- Injection of code into the AAA and crash dump processes (T1055)
- Execution of CLI commands (T1059)
- Bypassing of the AAA mechanism (T1556)
- Removal of files after execution (T1070.004)
- HTTP interception for C2 communications (T1557)
- HTTP C2 (T1071.001)
- HTTP C2 one-way backdoor (T1102.003)
- Data exfiltration over C2 (T1041)
- Network sniffing (T1040)
Significant Attacks
- ArcaneDoor is a campaign that is the latest example of state-sponsored actors targeting perimeter network devices from multiple vendors. During the investigation, a previously unknown actor, now tracked as UAT4356, was identified. (April 2024)