State-linked threat campaign continues to target Cisco devices

Cisco has issued a warning regarding a campaign named ArcaneDoor, involving state-linked hackers engaged in espionage activities. The campaign targets perimeter network devices manufactured by Cisco, and potentially by other companies, with malicious attacks dating back to late 2023. The threat actor, tracked by Cisco Talos as UAT4356 and by Microsoft as Storm-1849, deployed malicious backdoors against a small group of customers using Cisco’s Adaptive Security Appliance software or Cisco’s Firepower Threat Defense software. Cisco has released patches for the vulnerabilities, listed as CVE-2024-20353 and CVE-2024-20359, and is urging customers to update their systems immediately.

The investigation into the security issues related to Cisco’s Adaptive Security devices began in early 2024 when a customer raised concerns, eventually linking suspicious activity to a group of government network customers globally. The infrastructure controlled by the threat actors was identified as early as November 2023, with testing and development dating back to July 2023. While researchers have not pinpointed the initial access points, they have identified two implants – Line Dancer, a memory-resident shellcode interpreter used for executing commands, and Line Runner, a backdoor for maintaining persistence. Indicators of compromise may include log gaps or unexpected reboots.
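The log-gap and unexpected-reboot indicators mentioned above can be checked mechanically against a device's forwarded syslog. The following is an added example, not part of the original article or of Cisco's guidance; the log line layout, the `startup completed` boot marker, the 15-minute threshold and the maintenance-window parameter are assumptions to adapt to the local collector.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (not real device output): ISO timestamp, host, message.
SAMPLE_LOG = """\
2024-04-20T01:00:00 fw01 connection built
2024-04-20T01:00:40 fw01 connection teardown
2024-04-20T01:01:10 fw01 connection built
2024-04-20T01:48:30 fw01 system startup completed
2024-04-20T01:49:00 fw01 connection built
2024-04-20T03:10:00 fw01 connection built
"""

# Assumption: the platform logs a recognisable message when it finishes booting.
BOOT_PATTERN = re.compile(r"startup completed", re.IGNORECASE)
LINE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")

def find_anomalies(text, max_gap=timedelta(minutes=15), maintenance=()):
    """Return (kind, previous_ts, ts) tuples; kind is 'gap', 'reboot' or 'gap+reboot'.

    maintenance is a sequence of (start, end) datetimes for approved change windows;
    events whose timestamp falls inside one are not reported.
    """
    findings = []
    prev = None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip lines that do not match the assumed layout
        try:
            ts = datetime.fromisoformat(m.group(1))
        except ValueError:
            continue  # skip unparseable timestamps rather than abort the scan
        is_boot = bool(BOOT_PATTERN.search(m.group(3)))
        planned = any(start <= ts <= end for start, end in maintenance)
        gap = prev is not None and ts - prev > max_gap
        if is_boot and not planned:
            # A boot preceded by silence is the stronger signal of the two.
            findings.append(("gap+reboot" if gap else "reboot", prev, ts))
        elif gap and not planned:
            findings.append(("gap", prev, ts))
        prev = ts
    return findings

if __name__ == "__main__":
    for kind, start, end in find_anomalies(SAMPLE_LOG):
        print(f"{kind}: {start} -> {end}")
```

A quiet device can produce gaps on its own, so the threshold should be set from the device's normal message rate, and findings should be compared against change records before being treated as suspicious.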

Cisco Talos indicates that telemetry data and response efforts from partners suggest that threat actors may target network devices from Microsoft and other companies. Responding to customer concerns, Cisco discovered three previously unknown vulnerabilities, with the third vulnerability being classified as medium risk (CVE-2024-20358). The Cybersecurity and Infrastructure Security Agency added the first two CVEs to its list of known exploited vulnerabilities, with a joint advisory issued by the Canadian Centre for Cyber Security, the United Kingdom, and Australia.

This campaign is the most recent in a series of state-linked attacks focusing on edge devices. Previous campaigns have targeted customers using products from Ivanti, Citrix, and other organizations, while other state-linked actors such as Volt Typhoon have exploited vulnerabilities in home and small office devices to create botnets. American and Japanese authorities have previously warned about a China-linked threat group named BlackTech, which abused the firmware of Cisco and other routers to target companies in those countries. Additionally, Cisco devices were targeted by Volt Typhoon starting in late 2023, as highlighted by Security Scorecard research.

Article Source
https://www.cybersecuritydive.com/news/cisco-network-devices-malicious-backdoors/714283/