Commit c93f077

committed
adding a story file
1 parent c707ace commit c93f077

File tree

1 file changed

+29
-0
lines changed

stories/arcanedoor.yml

Lines changed: 29 additions & 0 deletions
@@ -0,0 +1,29 @@
1+
name: ArcaneDoor
2+
id: 7f2b9eac-0df5-4d0c-9e35-2b8fd552c9f1
3+
version: 1
4+
date: '2025-09-23'
5+
author: Bhavin Patel, Micheal Haag, Splunk
6+
status: production
7+
description: Attackers were observed to have exploited multiple zero-day vulnerabilities targeting certain Cisco Adaptive Security Appliance (ASA) 5500-X Series devices that were running Cisco Secure Firewall ASA Software with VPN web services enabled to implant malware, execute commands, and potentially exfiltrate data from the compromised devices.
8+
narrative: |
9+
ArcaneDoor, a state-sponsored cyberespionage campaign targeting perimeter network devices from multiple vendors.
10+
11+
In May 2025, Cisco was engaged by multiple government agencies that provide incident response services to government organizations to support the investigation of attacks that were targeting certain Cisco Adaptive Security Appliance (ASA) 5500-X Series devices that were running Cisco Secure Firewall ASA Software with VPN web services enabled to implant malware, execute commands, and potentially exfiltrate data from the compromised devices. Cisco assesses with high confidence that this new activity is related to the same threat actor as the ArcaneDoor attack campaign that Cisco reported in early 2024.
12+
13+
This analytic story is designed to help security teams detect and respond to ArcaneDoor-related activity, including the identification of suspicious behaviors on network edge devices, post-exploitation techniques, and the presence of advanced backdoors.
14+
references:
15+
- https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/
16+
- https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks
17+
- https://ciscovulnmgmtprod.service-now.com/psirt?id=advisory_preview&sysparm_sys_id=bd8313cb47a7ea10f61dfa74116d43d8
18+
- https://ciscovulnmgmtprod.service-now.com/psirt?id=advisory_preview&sysparm_sys_id=cf28925747636e10f61dfa74116d43d9
19+
tags:
20+
category:
21+
- Adversary Tactics
22+
product:
23+
- Splunk Enterprise
24+
- Splunk Enterprise Security
25+
- Splunk Cloud
26+
usecase: Advanced Threat Detection
27+
cve:
28+
- CVE-2025-20333
29+
- CVE-2025-20362
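Review bot: the first narrative line (diff line 9) is a sentence fragment with no verb ("ArcaneDoor, a state-sponsored cyberespionage campaign targeting perimeter network devices from multiple vendors."); make it a full sentence, e.g. "ArcaneDoor is a state-sponsored cyberespionage campaign targeting perimeter network devices from multiple vendors." The second narrative paragraph (diff line 11) also repeats the `description` text (diff line 7) almost verbatim, so the story reads the same sentence twice; trim one of them or have the description stay a short summary. The two `cve` entries (diff lines 28-29) are never mentioned in the narrative, so a reader cannot tell which vulnerability each refers to or how they relate to the "VPN web services enabled" precondition; a one-line note per CVE in the narrative would help. The two `references` entries pointing at `ciscovulnmgmtprod.service-now.com/psirt?id=advisory_preview&sysparm_sys_id=...` (diff lines 17-18) look like preview links keyed on an internal record id rather than published advisory URLs; please confirm they resolve for anonymous readers and prefer the canonical advisory pages if they exist. Finally, double-check the spelling of the second author's name in `author` (diff line 5).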
