25 April 2024

ArcaneDoor state-sponsored malware campaign strikes Cisco networking gear

A threat actor has been observed exploiting two zero-day vulnerabilities in Cisco networking equipment to plant backdoors on the compromised devices.

Dubbed “ArcaneDoor” by Cisco Talos, the activity is assessed to be the work of a highly sophisticated state-sponsored actor, tracked as UAT4356 (aka Storm-1849). The campaign deployed two distinct backdoors, named “Line Runner” and “Line Dancer,” which were used for configuration manipulation, reconnaissance, network traffic capture, data exfiltration, and potentially lateral movement within compromised networks.

Cisco detected the suspicious activity on an ASA (Adaptive Security Appliance) device in early 2024, prompting further investigation that uncovered a sophisticated attack chain, dating back to early November 2023, with most activity taking place between December 2023 and early January 2024. Evidence suggests that the malicious infrastructure was under development and testing as early as July 2023.

The researchers were unable to determine the initial access vector used by the attackers. During the analysis, however, they identified two vulnerabilities, CVE-2024-20353 (denial of service) and CVE-2024-20359 (persistent local code execution), which the threat actor exploited as part of the attack chain and the malware deployment.

Line Dancer is a memory-resident shellcode interpreter that lets the adversary upload and execute arbitrary shellcode payloads on the compromised device. Line Runner provides persistence, abusing a legacy capability of the appliance to maintain access and control across reboots.
