'ArcaneDoor' Cyberspies Hacked Cisco Firewalls To Access Government Networks (wired.com)

An anonymous reader quotes a report from Wired: Network security appliances like firewalls are meant to keep hackers out. Instead, digital intruders are increasingly targeting them as the weak link that lets them pillage the very systems those devices are meant to protect. In the case of one hacking campaign over recent months, Cisco is now revealing that its firewalls served as beachheads for sophisticated hackers penetrating multiple government networks around the world. On Wednesday, Cisco warned that its so-called Adaptive Security Appliances -- devices that integrate a firewall and VPN with other security features -- had been targeted by state-sponsored spies who exploited two zero-day vulnerabilities in the networking giant's gear to compromise government targets globally in a hacking campaign it's calling ArcaneDoor.

The hackers behind the intrusions, which Cisco's security division Talos is calling UAT4356 and which Microsoft researchers who contributed to the investigation have named STORM-1849, couldn't be clearly tied to any previous intrusion incidents the companies had tracked. Based on the group's espionage focus and sophistication, however, Cisco says the hacking appeared to be state-sponsored. "This actor utilized bespoke tooling that demonstrated a clear focus on espionage and an in-depth knowledge of the devices that they targeted, hallmarks of a sophisticated state-sponsored actor," a blog post from Cisco's Talos researchers reads. Cisco declined to say which country it believed to be responsible for the intrusions, but sources familiar with the investigation tell WIRED the campaign appears to be aligned with China's state interests.

Cisco says the hacking campaign began as early as November 2023, with the majority of intrusions taking place between December and early January of this year, when it learned of the first victim. "The investigation that followed identified additional victims, all of which involved government networks globally," the company's report reads. In those intrusions, the hackers exploited two newly discovered vulnerabilities in Cisco's ASA products. One, which it's calling Line Dancer, let the hackers run their own malicious code in the memory of the network appliances, allowing them to issue commands to the devices, including the ability to spy on network traffic and steal data. A second vulnerability, which Cisco is calling Line Runner, would allow the hackers' malware to maintain its access to the target devices even when they were rebooted or updated. It's not yet clear if the vulnerabilities served as the initial access points to the victim networks, or how the hackers might have otherwise gained access before exploiting the Cisco appliances.
Cisco advises that customers apply its new software updates to patch both vulnerabilities.

A separate advisory (PDF) from the UK's National Cyber Security Centre notes that physically unplugging an ASA device does disrupt the hackers' access. "A hard reboot by pulling the power plug from the Cisco ASA has been confirmed to prevent Line Runner from re-installing itself," the advisory reads.

  • Come on, It's Cisco. Even I know better than to use their stuff.

    • People who work for governments who select vendors may not have quite the knowledge you do.
      • Then they should be terminated with prejudice.

    • by Sique ( 173459 )
      If someone's understanding of network security consists of "Don't use X", I know I will never hire him for any consulting work.
      • False dichotomy. Assuming someone's understanding all boils down to them not liking a company for consistent vulnerable hardware is, um, fucking retarded. Especially if they show the documented vulnerabilities and recommend some alternative that is documented NOT to have those vulnerabilities or others and if they address new issues properly in time.

        • by Sique ( 173459 )
          Not in this case. If someone tells me that he mistrusts Cisco products and would rather not use them, that's fine. If someone tells me that "even he knows better than to use Cisco", I have to assume that his qualification is that of an armchair expert.
      • OK. What about "Don't use Telnet"?

    • Seems like Cisco is the Boeing of the network equipment world...

  • by Big Hairy Gorilla ( 9839972 ) on Wednesday April 24, 2024 @09:11PM (#64422926)
    Wired. Ugh. It reads like fiction. Let's just say it's scant on the details, and for that reason... is this basically just a kind of abdication of duty at so many levels? Nobody really knows jack shit anymore... let's just use the appliance. Bam. Problem solved. So my read of this is that the management of the world just doesn't know what any of this techy stuff means so they outsource their brain to Microsoft or is it VMware and now .. Look managers, politicians, most people are terrified of looking bad with technology, so they just say "Apple". and Solved. or in this case it's Microsoft and or VMware.... Like IBM before them, nobody ever got fired using them, so we are told. So here we are in, I've read 85% of the US govt, incl. Military uses Microsoft. Is this really about Cisco? or is it about outsourcing all critical infrastructure to a single source of failure?
    • by DMJC ( 682799 )
      There's also governments mandating the use of some brands over others. No one ever got fired for buying Cisco/VMware/Microsoft so those are the technologies which dominate the corporate and government worlds.
  • > It's not yet clear if the vulnerabilities served as the initial access points to the victim networks, or how the hackers might have otherwise gained access before exploiting the Cisco appliances.

    Great job guys!

    • It's actually very clear, if they had bothered to follow the links to the individual CVE. The two referenced in the article require the attacker to be authenticated and the 3rd is a way to trigger a reboot. So no, they had to use some other exploit to get into the ASA first, or they managed to get ahold of a set of login credentials.
      • > they had to use some other exploit to get into the ASA first, or they managed to get ahold of a set of login credentials.

        Right, initial access is unclear.

    • UMMM..... did someone say Microsoft??
  • by laughingskeptic ( 1004414 ) on Wednesday April 24, 2024 @11:16PM (#64423122)
    They have reverse engineered the implant code and know how it works ... but they still do not know how the implant is getting on to the ASAs. That is not good.

    We have not determined the initial access vector used in this campaign. We have not identified evidence of pre-authentication exploitation to date. Our investigation is ongoing, and we will provide updates, if necessary, in the security advisories or on this blog.

  • > Network security appliances like firewalls are meant to keep hackers out ..

    Who knew hackers would target Network security appliances :o
