Hackers Exploit Firewalls to Infiltrate Government Networks Worldwide
In a startling revelation, network security appliances like firewalls, designed to safeguard against cyber threats, have become the Achilles’ heel exploited by hackers to breach the very systems they were meant to defend. Cisco has recently disclosed that its firewalls were used as entry points by sophisticated attackers to compromise multiple government networks globally over the past few months, in a campaign dubbed ArcaneDoor.
Unidentified Threat Actor with State-Sponsored Characteristics
The hackers responsible for these intrusions, referred to as UAT4356 by Cisco’s security division Talos and STORM-1849 by Microsoft researchers who assisted in the investigation, could not be definitively linked to any previously tracked incidents. However, based on the group’s focus on espionage and their level of sophistication, Cisco believes the hacking campaign to be state-sponsored.
“This actor utilized bespoke tooling that demonstrated a clear focus on espionage and an in-depth knowledge of the devices that they targeted, hallmarks of a sophisticated state-sponsored actor,” a blog post from Cisco’s Talos researchers reads.
While Cisco refrained from attributing the intrusions to a specific country, sources familiar with the investigation suggest that the campaign appears to align with China’s state interests.
Exploiting Newly Discovered Vulnerabilities in Cisco ASA Products
The hacking campaign, which commenced as early as November 2023, with the majority of intrusions occurring between December and early January of this year, came to light when Cisco learned of the first victim. The subsequent investigation uncovered additional victims, all involving government networks worldwide.
In these intrusions, the hackers exploited two previously unknown vulnerabilities in Cisco’s ASA products. The first, dubbed Line Dancer, allowed the attackers to execute malicious code in the memory of the network appliances, enabling them to issue commands, spy on network traffic, and exfiltrate data. The second vulnerability, named Line Runner, ensured that the hackers’ malware maintained access to the targeted devices even after reboots or updates. It remains unclear whether these vulnerabilities served as the initial access points or if the hackers gained access through other means before exploiting the Cisco appliances.
Patching Vulnerabilities and Mitigating Risks
In response to these findings, Cisco has released software updates to address both vulnerabilities and has provided guidance on detecting and remediating any compromised devices. The company emphasizes the importance of regularly updating and patching network appliances to mitigate the risk of such attacks.
The Growing Trend of Targeting Security Appliances
This incident is not an isolated case. In recent years, there has been a growing trend of hackers targeting security appliances as a means to gain and maintain access to victim networks. The Russian state hacking group known as Sandworm, for example, has been known to exploit vulnerabilities in edge devices used by Ukrainian organizations for data-destroying cyberattacks. The lack of visibility and monitoring in these edge devices has sometimes allowed Sandworm to wipe a victim network while retaining control of the compromised device, enabling them to strike the same network repeatedly.
“They’re systemically targeting security appliances that sit on the edge for access to the rest of the network,” says John Hultquist, Mandiant’s head of threat intelligence. “This is no longer an emerging trend. It’s established.”
Hultquist points out that China is particularly adept at discovering and exploiting zero-day vulnerabilities in network appliances, as evidenced by their recent campaign targeting Cisco firewalls. He anticipates more such incidents in the future, as China’s cyberspies continue to weaponize devices intended to protect target networks against their owners.
“It’s unlikely these zero days are being produced haphazardly. We suspect a well-resourced, coordinated effort is underway to find and exploit these vulnerabilities,” Hultquist says. “Unfortunately, we’ll almost certainly see several more zero-days in security appliances this year.”
As the threat landscape continues to evolve, organizations must remain vigilant, regularly update and patch their network appliances, and implement robust monitoring and incident response capabilities to detect and mitigate such sophisticated attacks targeting their security infrastructure.
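The article's point about edge appliances (that their lack of visibility lets an intruder keep control through a wipe, and that monitoring is the defender's answer) is concrete enough to illustrate. The script below is an added example written for this page, not Cisco or Talos guidance and not part of the original article. It assumes a simplified, constructed log format ("<ISO-8601 UTC> <device> <EVENT> key=value ...") rather than any vendor's real syslog format, and applies four defender-side checks that would have given an operator something to look at during a campaign like the one described: a silence in the device's heartbeat (loss of visibility), a reboot nobody scheduled, a configuration change from an account not on the approved list, and an uptime counter that reset without any reboot being logged (a restart the device did not report). The device names, accounts and thresholds are all constructed for the example.

```python
"""Flag edge-appliance log events that warrant investigation.

Added example, not from Cisco/Talos guidance. The log format is constructed
for this example: "<ISO-8601 UTC> <device> <EVENT> key=value ..."
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample: heartbeats every 5 minutes, then an unexplained silence,
# a reboot nobody scheduled, a config change from an unapproved account, and a
# second device whose uptime resets with no REBOOT event logged at all.
SAMPLE_LOG = """\
2024-01-05T03:00:00Z fw-edge-01 HEARTBEAT uptime=41d
2024-01-05T03:05:00Z fw-edge-01 HEARTBEAT uptime=41d
2024-01-05T03:10:00Z fw-edge-01 HEARTBEAT uptime=41d
2024-01-05T03:52:00Z fw-edge-01 HEARTBEAT uptime=41d
2024-01-05T03:55:00Z fw-edge-01 REBOOT reason=unknown
2024-01-05T04:00:00Z fw-edge-01 HEARTBEAT uptime=0d
2024-01-05T04:02:00Z fw-edge-01 CONFIG_CHANGE user=svc-backup
2024-01-05T04:05:00Z fw-edge-01 HEARTBEAT uptime=0d
2024-01-05T04:06:00Z fw-edge-02 CONFIG_CHANGE user=netops-alice
2024-01-05T04:10:00Z fw-edge-03 HEARTBEAT uptime=12d
2024-01-05T04:15:00Z fw-edge-03 HEARTBEAT uptime=0d
"""

# Hypothetical policy values; a real deployment would load these from config.
APPROVED_CHANGE_ACCOUNTS = {"netops-alice", "netops-bob"}
MAX_HEARTBEAT_GAP = timedelta(minutes=15)


@dataclass(frozen=True)
class Finding:
    device: str
    when: datetime
    rule: str
    detail: str


def parse_line(line: str) -> tuple[datetime, str, str, dict[str, str]]:
    """Split one constructed log line into timestamp, device, event and fields."""
    ts, device, event, *rest = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    fields = dict(kv.split("=", 1) for kv in rest)
    return when, device, event, fields


def analyse(log_text: str) -> list[Finding]:
    """Run the four checks over the log and return findings in log order."""
    findings: list[Finding] = []
    last_heartbeat: dict[str, datetime] = {}
    last_uptime: dict[str, int] = {}
    reboot_logged: dict[str, bool] = {}  # REBOOT seen since the last heartbeat?

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        when, device, event, fields = parse_line(raw)

        if event == "HEARTBEAT":
            prev = last_heartbeat.get(device)
            if prev is not None and when - prev > MAX_HEARTBEAT_GAP:
                # Silence from an edge device is itself a signal: the logger
                # may have been stopped, or the device cut off from the collector.
                findings.append(Finding(device, when, "logging-gap",
                                        f"no heartbeat for {when - prev}"))
            uptime = int(fields.get("uptime", "0d").rstrip("d"))
            if device in last_uptime and uptime < last_uptime[device] \
                    and not reboot_logged.get(device, False):
                # Uptime went backwards but the device never reported a reboot.
                findings.append(Finding(device, when, "silent-restart",
                                        f"uptime {last_uptime[device]}d -> {uptime}d"))
            last_heartbeat[device] = when
            last_uptime[device] = uptime
            reboot_logged[device] = False

        elif event == "REBOOT":
            reboot_logged[device] = True
            if fields.get("reason") != "scheduled":
                findings.append(Finding(device, when, "unscheduled-reboot",
                                        f"reason={fields.get('reason', '?')}"))

        elif event == "CONFIG_CHANGE":
            user = fields.get("user", "?")
            if user not in APPROVED_CHANGE_ACCOUNTS:
                findings.append(Finding(device, when, "unapproved-config-change",
                                        f"user={user}"))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f.when.isoformat()} {f.device} {f.rule}: {f.detail}")
```

Run stand-alone, the script prints four findings, all of them on the two devices the sample deliberately misbehaves; fw-edge-02's change by an approved account produces nothing. The heartbeat-gap and silent-restart rules matter most for the scenario the article describes, because an appliance that has been silenced or restarted outside the operator's knowledge is exactly the device that can be wiped and re-used against the same network. In practice the heartbeat would come from the collector's own view of the device (last message received), so that a logger stopped on the appliance still registers as a gap.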
6 Comments
“ArcaneDoor” cracking Cisco firewalls? Sounds like a plot twist in a spy novel!
Guess even Cisco isn’t safe from ‘ArcaneDoor’—what’s next, the matrix itself?
“ArcaneDoor” just made Cisco’s firewalls look like Swiss cheese, and all the king’s horses and all the king’s men might not put cybersecurity back together again!
Wow, “ArcaneDoor” really showing government firewalls who’s boss, huh?
“ArcaneDoor” slicing through Cisco like butter, talk about a wake-up call for cybersecurity!
“ArcaneDoor” hacking Cisco, now that’s a spicy cybersecurity nightmare!