Hackers Used Cisco Devices to Breach Government Networks

Cybersecurity researchers have identified a malicious campaign that abused network equipment from multiple vendors, including Cisco, to deploy custom malware and covertly collect data on government networks. The campaign, dubbed ArcaneDoor by Cisco Talos, Cisco's cybersecurity research group, targeted the devices that protect a network's perimeter, in this case firewalls and VPN appliances.

A “sustained increase in targeting” in telecoms and energy


“Network perimeter devices provide the ideal intrusion point for espionage campaigns (…),” the Cisco Talos report underlines. “Over the past two years, we have seen a dramatic and sustained increase in the targeting of these devices in the area of telecom providers and energy sector organizations – critical infrastructure entities that are likely targets of interest to many foreign governments.”

Cisco was alerted to suspicious activity on one of its Adaptive Security Appliances (ASA) in January 2024. Researchers subsequently identified a “small set of customers”, all of them “global government networks”. The hackers had in fact been working on the cyberattack since July 2023, and took control of a first piece of attack infrastructure in November.

The hackers carried out two zero-day attacks, that is, attacks exploiting previously unknown security vulnerabilities to gain access to a system. The first vulnerability (CVE-2024-20353) stems from an error in parsing an HTTP request and allowed the attackers to execute commands on the compromised device. With the second vulnerability (CVE-2024-20359), they could preload VPN clients and plug-ins in order to execute arbitrary code with root-level privileges.

Capabilities “revealing espionage”


Cybersecurity researchers at Cisco Talos attributed this cyberattack to a previously undocumented malicious actor dubbed UAT4356, known as Storm-1849 to Microsoft. “UAT4356 deployed two backdoors as part of this campaign, ‘Line Runner’ and ‘Line Dancer’, which were used collectively to carry out malicious actions on the target, including configuration modification, reconnaissance, capture and exfiltration of network traffic and potentially lateral movement.”

While “Line Dancer” lets the attackers download and execute malicious payloads, capture Internet traffic and cover their tracks, “Line Runner” is a persistent backdoor that survives reboots and updates. According to an advisory published by the cybersecurity agencies of Australia, Canada and the United Kingdom, “These capabilities are indicative of espionage conducted by a sophisticated, well-resourced, state-sponsored actor.”

Cisco routers particularly vulnerable

Cisco Talos warns: “Information from intelligence partners indicates the actor is interested in and potentially attacking network devices from Microsoft and other vendors.” The three corrective patches, two of them rated critical, have since been released, regardless of the network equipment vendor.

The devices of the world's number one network hardware vendor have already been targeted by cybercriminals acting on behalf of a state. Last February, end-of-life Cisco and Netgear routers were infected and used by the Chinese hacker group Volt Typhoon. Last July, British and American cybersecurity agencies warned of the Russian hacker group Fancy Bear, which had exploited flaws in certain vulnerable Cisco routers to carry out reconnaissance and deploy malware.
