
Security researchers at Cisco's Talos unit have discovered a campaign they have named ArcaneDoor, which they say is "the latest example of state-sponsored actors targeting perimeter network devices from multiple vendors".
The researchers say the five-month campaign exploited two zero-day flaws in Cisco's firewalls, adding that the attacks against Cisco's Adaptive Security Appliances are the latest aimed at perimeter devices that are supposed to serve as a secure moat around the network.
"Coveted by these actors, perimeter network devices are the perfect intrusion point for espionage-focused campaigns," the researchers wrote. "As a critical path for data into and out of the network, these devices need to be routinely and promptly patched; using up-to-date hardware and software versions and configurations; and be closely monitored from a security perspective.
"Gaining a foothold on these devices allows an actor to directly pivot into an organisation, re-route or modify traffic and monitor network communications. In the past two years, we have seen a dramatic and sustained increase in targeting of these devices in areas such as telecommunications providers and energy sector organisations — critical infrastructure entities that are likely strategic targets of interest for many foreign governments."
They said Cisco's position as a leading global network infrastructure vendor gave its Intelligence and Interdiction team visibility into the general state of network hygiene.
"This also gives us uniquely positioned investigative capability into attacks of this nature," they added. "Early in 2024, a vigilant customer reached out to both Cisco’s Product Security Incident Response Team and Cisco Talos to discuss security concerns with their Cisco Adaptive Security Appliances.
"PSIRT and Talos came together to launch an investigation to assist the customer. During that investigation, which eventually included several external intelligence partners and spanned several months, we identified a previously unknown actor, now tracked as UAT4356 by Talos and STORM-1849 by the Microsoft Threat Intelligence Centre.
"This actor utilised bespoke tooling that demonstrated a clear focus on espionage and an in-depth knowledge of the devices that they targeted, hallmarks of a sophisticated state-sponsored actor."
But the danger was not limited to Cisco devices. "...network telemetry and information from intelligence partners indicate the actor is interested in — and potentially attacking — Microsoft Exchange servers and network devices from other vendors," the Talos team wrote.
"Regardless of your network equipment provider, now is the time to ensure that the devices are properly patched, logging to a central, secure location, and are configured to have strong, multi-factor authentication."
The Talos post went into considerable detail about the attacks, providing indicators of compromise (IOCs) and mapping the observed activity to several techniques in the MITRE ATT&CK framework.
The post said Cisco was initially alerted to suspicious activity on an ASA device in early 2024. "The investigation that followed identified additional victims, all of which involved government networks globally," they added.
"During the investigation, we identified actor-controlled infrastructure dating back to early November 2023, with most activity taking place between December 2023 and early January 2024. Further, we have identified evidence that suggests this capability was being tested and developed as early as July 2023."
They said Cisco had identified two vulnerabilities that were abused in this campaign (CVE-2024-20353 and CVE-2024-20359), adding that patches for these vulnerabilities had been detailed in Cisco Security Advisories.
The Talos team said they had not determined the initial access vector used in the campaign.
"We have not identified evidence of pre-authentication exploitation to date. Our investigation is ongoing, and we will provide updates, if necessary, in the security advisories or on this blog," they added.
The Talos team acknowledged assistance from the Australian Signals Directorate’s Australian Cyber Security Centre, Black Lotus Labs at Lumen Technologies, the Canadian Centre for Cyber Security, a part of the Communications Security Establishment, Microsoft Threat Intelligence Centre, the UK's National Cyber Security Centre and the US Cybersecurity & Infrastructure Security Agency.