Now on Demand: Threat Detection and Incident Response (TDIR) Summit - All Sessions Available
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Nation-State

ArcaneDoor Espionage Campaign Targeting Cisco Firewalls Linked to China

An analysis of IoCs suggests that a Chinese threat group may be behind the recent ArcaneDoor espionage campaign targeting Cisco firewalls.

The recently uncovered cyberespionage campaign named ArcaneDoor, which involves hacked Cisco firewalls, may be the work of a Chinese threat actor, according to threat hunting and attack surface management firm Censys.

Cisco’s threat intelligence and research unit Talos revealed in late April that it had been investigating an espionage campaign involving exploitation of two zero-day vulnerabilities in its Adaptive Security Appliance (ASA) firewall platform.

The company said a previously unknown group tracked as UAT4356 and Storm-1849 had targeted government networks worldwide in a campaign it tracks as ArcaneDoor. 

The initial attack vector has yet to be identified, but Cisco has determined that the attacks involved exploitation of two zero-day vulnerabilities: CVE-2024-20353, which allows DoS attacks, and CVE-2024-20359, which can be used for persistent local code execution.

The attackers implanted custom malware, executed commands, and attempted to exfiltrate data from compromised devices. 

Cisco learned about the attacks in early 2024, but evidence suggests the attackers may have conducted tests as early as July 2023. 

While it shared little attribution information, Talos did say that it’s confident the attacks have been conducted by a state-sponsored threat actor.

Advertisement. Scroll to continue reading.

When the news broke, Wired said it had learned from sources that the attacks appeared aligned with China’s interests. Research conducted by Censys into the indicators of compromise (IoCs) provided by Talos seems to reinforce the theory.

“When we investigated the actor-controlled IPs provided by Talos in Censys data and cross-referenced the with other certificate indicators, we discovered compelling data suggesting the potential involvement of an actor based in China, including links to multiple major Chinese networks and the presence of Chinese-developed anti-censorship software,” Censys said, pointing out that it’s currently difficult to draw definitive conclusions.

Censys found that four of the five networks hosting systems that present an SSL certificate identified by Talos are based in China.

An investigation of the attacker-controlled IP addresses showed that half of the 22 IPs identified by Talos are still online, indicating ongoing activity. 

Further analysis led Censys researchers to GitHub projects written in Chinese, including anti-censorship tools. 

Related: China-Linked Volt Typhoon Hackers Possibly Targeting Australian, UK Governments

Related: China-Linked ‘Redfly’ Group Targeted Power Grid

Related: Chinese Cyberspies Targeting ASEAN Entities

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

People on the Move

Wendy Zheng named as CFO and Joe Diamond as CMO at cyber asset management firm Axonius.

Intelligent document processing company ABBYY has hired Clayton C. Peddy as CISO.

Digital executive protection services provider BlackCloak has appointed Ryan Black as CISO.

More People On The Move

Expert Insights