
‘ArcaneDoor’ Cyberspies Hacked Cisco Firewalls to Access Government Networks


Cybersecurity devices such as firewalls are intended to keep hackers out. Instead, digital intruders are increasingly targeting them as a weak link that allows them to loot the very systems those devices are supposed to protect. In one hacking campaign in recent months, Cisco has now revealed that its firewalls acted as a bridgehead for sophisticated hackers to penetrate many government networks around the world.

On Wednesday, Cisco warned that its so-called Adaptive Security Appliances—devices that integrate firewalls and VPNs with other security features—have been targeted by state-sponsored spies who exploited two zero-day vulnerabilities in the cyber giant's gear to attack government targets globally in a cyberattack campaign called ArcaneDoor.

The hackers behind the intrusions, whom Cisco's Talos security division called UAT4356 and whom Microsoft researchers who contributed to the investigation have dubbed STORM-1849, could not be clearly linked to any previous intrusion incidents that the company has tracked. However, based on the group's espionage goals and sophistication, Cisco said the hack appeared to be state-sponsored.

“This actor used unique tools to demonstrate a clear focus on espionage and in-depth knowledge of the devices they targeted, signs of a sophisticated actor being state-sponsored,” said a blog post from Cisco's Talos researchers.

Cisco declined to say which country is believed to be responsible for the intrusions, but sources familiar with the investigation told WIRED that the campaign appears to align with China's state interests.

Cisco said the hacking campaign began as early as November 2023, with the majority of intrusions taking place between December and early January of this year, when they became aware of the first victim. “The subsequent investigation identified additional victims, all of whom were linked to government networks globally,” the company's report said.

During those intrusions, hackers exploited two newly discovered vulnerabilities in Cisco's ASA products. One, called Line Dancer, lets hackers run their own malicious code in the memory of network devices, allowing them to issue commands to the devices, including the ability to monitor network traffic and steal data. The second vulnerability, which Cisco calls Line Runner, would allow the hackers' malware to maintain access to target devices even when they are rebooted or updated. It remains unclear whether the vulnerabilities served as initial entry points into victim networks or how hackers were able to gain access before exploiting Cisco devices.

Cisco has released software updates to patch both vulnerabilities and advises that customers implement them immediately, along with other suggestions to detect whether they are being targeted. Despite the hackers' Line Runner persistence mechanism, one private advisory from the UK's National Cyber Security Center notes that physically unplugging the ASA device will disrupt a hacker's access. “A hard reboot by unplugging the power plug from the Cisco ASA has been confirmed to prevent the Line Runner from reinstalling itself,” the advisory said.

The ArcaneDoor hacking campaign represents just the latest in a series of intrusions targeting network perimeter applications, sometimes called “edge” devices, such as email servers, firewalls, and VPNs. These are usually devices intended to provide security, yet their vulnerabilities allow hackers to gain staging points inside the victim's network. Cisco's Talos researchers warned about that broader trend in their report, mentioning highly sensitive networks they saw being targeted through edge devices in recent years. “Gaining a foothold on these devices allows an actor to directly engage an organization, reroute or modify traffic, and monitor communications on the network,” they wrote. “Over the past two years, we have seen a strong and sustained increase in the targeting of these devices at sectors such as telecommunications providers and energy industry organizations—the Critical infrastructure entities may be strategic targets of interest to many foreign governments.”
