Merge pull request #3694 from splunk/IDs

Snort ID updates - Arcane Door

Author: patel-bhavin

detections/network/cisco_secure_firewall___intrusion_events_by_threat_activity.yml

@@ -1,7 +1,7 @@
 name: Cisco Secure Firewall - Intrusion Events by Threat Activity
 id: b71e57e8-c571-4ff1-ae13-bc4384a9e891
-version: 3  
-date: '2025-08-21'
+version: 4  
+date: '2025-09-25'
 author: Bhavin Patel, Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -16,6 +16,7 @@ description: |
   events that occur in close temporal proximity.
 
   Currently, this detection will alert on the following threat actors or malware families as defined in the cisco_snort_ids_to_threat_mapping lookup:
+  * ArcaneDoor
   * Static Tundra
   * AgentTesla
   * Amadey
@@ -81,6 +82,7 @@ rba:
 tags:
   analytic_story: 
     - Cisco Secure Firewall Threat Defense Analytics
+    - ArcaneDoor
   asset_type: Network
   security_domain: network
   mitre_attack_id:

lookups/cisco_snort_ids_to_threat_mapping.csv

@@ -1,4 +1,6 @@
 threat,signature_id,category,message
+ArcaneDoor,46897,SERVER-WEBAPP,Cisco Adaptive Security Appliance directory traversal attempt
+ArcaneDoor,65340,SERVER-WEBAPP,TRUFFLEHUNTER SFVRT-1055 attack attempt
 AgentTesla,40238,MALWARE-CNC,Win.Keylogger.AgentTesla variant outbound connection
 AgentTesla,52246,INDICATOR-COMPROMISE,AgentTesla variant outbound connection attempt
 AgentTesla,52612,MALWARE-CNC,Win.Trojan.AgentTesla variant outbound connection detected

lookups/cisco_snort_ids_to_threat_mapping.yml

@@ -1,6 +1,6 @@
 name: cisco_snort_ids_to_threat_mapping
-date: 2025-08-21
-version: 2
+date: 2025-09-24
+version: 3
 id: f08ae6ce-d7a8-423e-a778-be7178a719f9
 author: Bhavin Patel, Nasreddine Bencherchali, Splunk Threat Research Team
 lookup_type: csv

lookups/threat_snort_count.csv

@@ -1,4 +1,5 @@
 threat,description,distinct_count_snort_ids
+ArcaneDoor,"ArcaneDoor is a state-sponsored cyberespionage campaign targeting perimeter network devices from multiple vendors, with a particular focus on Cisco Secure Firewall ASA/FTD appliances.",2
 AgentTesla,"AgentTesla is a widely used .NET-based infostealer that exfiltrates credentials, clipboard data, and keystrokes. It often spreads via phishing emails with malicious attachments.",2
 Amadey,"Amadey is a lightweight malware primarily used as a loader for deploying additional payloads. It collects system information and often works alongside other malware like SmokeLoader.",1
 AsyncRAT,"AsyncRAT is an open-source Remote Access Trojan (RAT) used for remote control, keylogging, and credential theft. It's commonly used by both amateurs and cybercriminals due to its ease of deployment.",1

lookups/threat_snort_count.yml

@@ -1,6 +1,6 @@
 name: threat_snort_count
-date: 2025-08-21
-version: 2
+date: 2025-09-24
+version: 3
 id: 48a35e07-ed5f-42f9-a5da-b7f2ab892e3c
 author: Bhavin Patel, Nasreddine Bencherchali, Splunk
 lookup_type: csv

stories/arcanedoor.yml

@@ -0,0 +1,29 @@
+name: ArcaneDoor
+id: 7f2b9eac-0df5-4d0c-9e35-2b8fd552c9f1
+version: 1
+date: '2025-09-23'
+author: Bhavin Patel, Micheal Haag, Splunk
+status: production
+description: Attackers were observed to have exploited multiple zero-day vulnerabilities targeting certain Cisco Adaptive Security Appliance (ASA) 5500-X Series devices that were running Cisco Secure Firewall ASA Software with VPN web services enabled to implant malware, execute commands, and potentially exfiltrate data from the compromised devices.
+narrative: |
+  ArcaneDoor, a state-sponsored cyberespionage campaign targeting perimeter network devices from multiple vendors.
+
+  In May 2025, Cisco was engaged by multiple government agencies that provide incident response services to government organizations to support the investigation of attacks that were targeting certain Cisco Adaptive Security Appliance (ASA) 5500-X Series devices that were running Cisco Secure Firewall ASA Software with VPN web services enabled to implant malware, execute commands, and potentially exfiltrate data from the compromised devices. Cisco assesses with high confidence that this new activity is related to the same threat actor as the ArcaneDoor attack campaign that Cisco reported in early 2024. 
+
+  This analytic story is designed to help security teams detect and respond to ArcaneDoor-related activity, including the identification of suspicious behaviors on network edge devices, post-exploitation techniques, and the presence of advanced backdoors.
+references:
+- https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/  
+- https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks 
+- https://ciscovulnmgmtprod.service-now.com/psirt?id=advisory_preview&sysparm_sys_id=bd8313cb47a7ea10f61dfa74116d43d8 
+- https://ciscovulnmgmtprod.service-now.com/psirt?id=advisory_preview&sysparm_sys_id=cf28925747636e10f61dfa74116d43d9 
+tags:
+  category:
+  - Adversary Tactics
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  usecase: Advanced Threat Detection
+  cve:
+  - CVE-2025-20333
+  - CVE-2025-20362