Network security devices, such as firewalls, are intended to keep hackers out. Instead, digital intruders increasingly target them as the weak link that allows them to plunder the very systems those devices are meant to protect. In the case of a hacking campaign in recent months, Cisco is now revealing that its firewalls served as beachheads for sophisticated hackers who penetrated multiple government networks around the world.
On Wednesday, Cisco warned that its so-called Adaptive Security Appliances (devices that integrate a firewall and VPN with other security features) had been attacked by state-sponsored spies who exploited two zero-day vulnerabilities in the networking giant’s equipment to compromise government targets. worldwide in a hacking campaign. It’s called ArcaneDoor.
The hackers behind the intrusions, which Cisco’s security division Talos calls UAT4356 and which Microsoft researchers contributing to the investigation called STORM-1849, could not be clearly linked to any previous intrusion incidents that the companies they would have tracked. However, based on the espionage approach and sophistication of the group, Cisco says the hack appeared to be state-sponsored.
“This actor used customized tools that demonstrated a clear focus on espionage and deep knowledge of the devices they targeted, hallmarks of a sophisticated state-sponsored actor,” reads a blog post from Talos researchers. from Cisco.
Cisco declined to say which country it believed was responsible for the intrusions, but sources familiar with the investigation told WIRED that the campaign appears to be aligned with China’s state interests.
Cisco says the hacking campaign began in November 2023, and that most of the intrusions took place between December and early January of this year, when it learned of the first victim. “The investigation that followed identified additional victims, all of which involved global government networks,” the company’s report reads.
In those intrusions, hackers exploited two recently discovered vulnerabilities in Cisco’s ASA products. One, which it calls Line Dancer, allows hackers to execute their own malicious code in the memory of network devices, allowing them to issue commands to the devices, including the ability to spy on network traffic and steal data. A second vulnerability, which Cisco calls Line Runner, would allow hackers’ malware to maintain access to target devices even when they are rebooted or updated. It is not yet clear whether the vulnerabilities served as initial access points into victims’ networks, or how hackers could have gained access before exploiting Cisco devices.
Cisco has released software updates to patch both vulnerabilities and advise that customers implement them immediately, along with other recommendations to detect if they have been attacked. Despite hackers’ Line Runner persistence mechanism, a separate notice from the UK’s National Cyber Security Center notes that physically disconnecting an ASA device cuts off hackers’ access. “It has been confirmed that a hard reset by unplugging the Cisco ASA plug prevents Line Runner from reinstalling,” the advisory reads.
The ArcaneDoor hacking campaign represents just the latest series of intrusions targeting network edge applications, sometimes called “edge” devices, such as email servers, firewalls, and VPNs (often devices intended to provide security), whose Vulnerabilities allowed hackers to gain a foothold inside. a victim’s network. Cisco’s Talos researchers warn of that broader trend in their report, referring to highly sensitive networks that have seen attacks through edge devices in recent years. “Gaining a foothold in these devices allows an actor to directly enter an organization, redirect or modify traffic, and monitor network communications,” they write. “Over the past two years, we have seen a dramatic and sustained increase in the targeting of these devices in areas such as telecommunications providers and energy sector organizations, critical infrastructure entities that are likely to be strategic targets of interest to many foreign governments.”