The recently uncovered cyberespionage campaign named ArcaneDoor, which involves hacked Cisco firewalls, may be the work of a Chinese threat actor, according to threat hunting and attack surface management firm Censys.
Cisco’s threat intelligence and research unit Talos revealed in late April that it had been investigating an espionage campaign involving exploitation of two zero-day vulnerabilities in its Adaptive Security Appliance (ASA) firewall platform.
The company said a previously unknown group tracked as UAT4356 and Storm-1849 had targeted government networks worldwide in a campaign it tracks as ArcaneDoor.
The initial attack vector has yet to be identified, but Cisco has determined that the attacks involved exploitation of two zero-day vulnerabilities: CVE-2024-20353, which allows DoS attacks, and CVE-2024-20359, which can be used for persistent local code execution.
The attackers implanted custom malware, executed commands, and attempted to exfiltrate data from compromised devices.
Cisco learned about the attacks in early 2024, but evidence suggests the attackers may have conducted tests as early as July 2023.
While it shared little attribution information, Talos did say that it’s confident the attacks have been conducted by a state-sponsored threat actor.
When the news broke, Wired said it had learned from sources that the attacks appeared aligned with China’s interests. Research conducted by Censys into the indicators of compromise (IoCs) provided by Talos seems to reinforce the theory.
“When we investigated the actor-controlled IPs provided by Talos in Censys data and cross-referenced them with other certificate indicators, we discovered compelling data suggesting the potential involvement of an actor based in China, including links to multiple major Chinese networks and the presence of Chinese-developed anti-censorship software,” Censys said, pointing out that it’s currently difficult to draw definitive conclusions.
Censys found that four of the five networks hosting systems that present an SSL certificate identified by Talos are based in China.
An investigation of the attacker-controlled IP addresses showed that half of the 22 IPs identified by Talos are still online, indicating ongoing activity.
Further analysis led Censys researchers to GitHub projects written in Chinese, including anti-censorship tools.