Dive Brief:
- Cisco is warning that state-linked hackers are engaged in an espionage-focused campaign, called ArcaneDoor, targeting perimeter network devices from Cisco and potentially other companies for malicious attacks dating back to late 2023.
- The threat actor, which Cisco Talos identifies as UAT4356 and Microsoft tracks as Storm-1849, deployed malicious backdoors against a small group of customers using Cisco devices, Cisco Talos said in a threat advisory. The customers were running Cisco Adaptive Security Appliance software or Cisco Firepower Threat Defense software.
- Cisco released patches for the vulnerabilities, listed as CVE-2024-20353, with a CVSS score of 8.6, and CVE-2024-20359, with a CVSS score of 6.0, and is urging customers to immediately update their systems.
Dive Insight:
Cisco Talos said researchers and the company’s product security team were alerted in early 2024 by a customer expressing concerns about security issues related to their Cisco Adaptive Security Appliances.
The initial investigation linked suspicious activity to a group of government network customers across the globe, Cisco Talos said. The probe identified actor-controlled infrastructure starting in November 2023, however testing and development was traced back to July 2023.
Researchers have not yet figured out initial access points, but they have identified two implants. The first, a memory resident shellcode interpreter called Line Dancer, was used to execute commands on a compromised device. The hackers used a second backdoor, called Line Runner, to maintain persistence.
Indicators of compromise may include gaps in logs or unexpected reboots, according to the Cisco Talos blog.
Cisco Talos added that information from network telemetry and partners working on the response indicates the threat actors may be interested in targeting network devices from Microsoft and other companies.
A Cisco spokesperson said after responding to customer concerns, the company identified a total of three previously unknown vulnerabilities. The third vulnerability is listed as CVE-2024-20358, which is considered medium risk.
The Cybersecurity and Infrastructure Security Agency on Wednesday added the first two CVEs to its Known Exploited Vulnerabilities catalog. The Canadian Centre for Cyber Security issued a joint advisory on the threat with U.K. and Australian officials.
The campaign marks the latest in a series of suspected state-linked attacks focused on edge devices. A series of high profile campaigns have targeted customers using Ivanti, Citrix and other organizations. Other state linked actors, including Volt Typhoon, have exploited weaknesses in home and small office devices, turning them into botnets.
U.S. and Japanese authorities previously warned about a China-linked threat group called BlackTech, abusing firmware in Cisco and other routers to launch attacks against companies in those countries.
Cisco devices were also targeted by Volt Typhoon starting in late 2023, according to research from Security Scorecard.
Source link