#arcanedoor — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #arcanedoor, aggregated by home.social.
-
Firestarter Malware Evades Cisco Firewall Updates, Persists Across Reboots
A custom backdoor called Firestarter has been discovered evading Cisco firewall updates and persisting across reboots, posing a significant threat to cybersecurity. This sophisticated malware is attributed to a threat actor linked to cyberespionage campaigns, including the notorious ArcaneDoor operation.
#FirestarterMalware #CiscoFirewall #Uat4356 #Arcanedoor #Cyberespionage
-
🚨 The Cybersecurity and Infrastructure Security Agency (#CISA) has flagged active attacks exploiting two critical flaws in #Cisco ASA and Firepower devices (CVE-2025-20362 + CVE-2025-20333) used in the #ArcaneDoor campaign.
Read: https://hackread.com/cisa-attacks-cisco-asa-firepower-flaws/
-
The Canadian Centre for Cyber Security has issued a detailed security advisory regarding the "LINE DANCER" & "LINE RUNNER" attacks against Cisco ASA devices by what it believes are nation-state sponsored malicious actors.
As usual, if you or your organization runs Cisco ASAs, time to patch to mitigate these vulnerabilities.
www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns
#infosec #cybersecurity #LINEDANCER #LINERUNNER #ARCANEDOOR #Cisco #CiscoASA #SecurityAdvisory #CVE_2024_20359 #CVE_2024_20353
-
So, if you think you've maybe got #ArcaneDoor / #LineDancer issues on your ASA (discovery methods here: https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/), first things first:
DO NOT REBOOT OR CRASH DUMP YOUR DEVICE (sorry for shouting)
"When following these procedures first responders should NOT attempt to collect a core dump (Step 5) or reboot the device if they believe that the device has been compromised, based on the lina memory region output."
This thing runs in (hard to reach) memory, and hooks smartly, so it will be gone and your collection will have failed.
What you should do is (I'll quote):
- Log in to the suspect device CLI. Note: On devices that are running Cisco FTD Software, change into the Cisco ASA CLI using the system support diagnostic-cli command.
- Use the enable command to change into privileged EXEC mode. Note: On devices that are running Cisco FTD Software, the enable password is blank.
- Collect the outputs of the following commands:
  show version
  verify /SHA-512 system:memory/text
  debug menu memory 8
- Open a case with the Cisco Technical Assistance Center (TAC, https://www.cisco.com/c/en/us/support/index.html). In the case, reference the keyword ArcaneDoor and upload the data that was collected in Step 3.
Secondly, although you should patch (after establishing you have not been compromised), the two patches mentioned won't protect you from getting reinfected.
I will repeat (without shouting this time):
Patching is not a fix!
"We have not determined the initial access vector used in this campaign. We have not identified evidence of pre-authentication exploitation to date."
There did pop up a third CVE (#CVE_2024_20358) in between the Talos publication and the Cisco advisory page (https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_attacks_event_response), but it is also local (not "network"), so I guess that won't save anyone from reinfection either. But that's just me guessing.
#CVE_2024_20359 #CVE_2024_20353 #infosec #cybersecurity
Final question for anyone still reading: why the debug menu memory 8? What does it do?
-
Cisco Raises Alarm for ‘ArcaneDoor’ Zero-Days Hitting ASA Firewall Platforms https://www.securityweek.com/cisco-raises-alarm-for-arcanedoor-zero-days-hitting-asa-firewall-platforms/ #NetworkSecurity #Vulnerabilities #Nation-State #ArcaneDoor #CiscoTalos #ChinaAPT #CiscoASA