‘ArcaneDoor’ Cyberspies Hacked Cisco Firewalls to Access Government Networks

[…] Cisco is now revealing that its firewalls served as beachheads for sophisticated hackers penetrating multiple government networks around the world.

On Wednesday, Cisco warned that its so-called Adaptive Security Appliances—devices that integrate a firewall and VPN with other security features—had been targeted by state-sponsored spies who exploited two zero-day vulnerabilities in the networking giant’s gear to compromise government targets globally in a hacking campaign it’s calling ArcaneDoor.

The hackers behind the intrusions, which Cisco’s security division Talos is calling UAT4356 and which Microsoft researchers who contributed to the investigation have named STORM-1849, couldn’t be clearly tied to any previous intrusion incidents the companies had tracked. Based on the group’s espionage focus and sophistication, however, Cisco says the hacking appeared to be state-sponsored.


In those intrusions, the hackers exploited two newly discovered vulnerabilities in Cisco’s ASA products. One, which it’s calling Line Dancer, let the hackers run their own malicious code in the memory of the network appliances, allowing them to issue commands to the devices, including the ability to spy on network traffic and steal data. A second vulnerability, which Cisco is calling Line Runner, would allow the hackers’ malware to maintain its access to the target devices even when they were rebooted or updated.


Despite the hackers’ Line Runner persistence mechanism, a separate advisory from the UK’s National Cybersecurity Center notes that physically unplugging an ASA device does disrupt the hackers’ access. “A hard reboot by pulling the power plug from the Cisco ASA has been confirmed to prevent Line Runner from re-installing itself,” the advisory reads.


State-sponsored hackers’ shift to compromising edge devices has become prevalent enough over the past year that Google-owned security firm Mandiant also highlighted it in its annual M-Trends report earlier this week, based on the company’s threat intelligence and incident response findings. The report points to widely exploited vulnerabilities in network edge devices sold by Barracuda and Ivanti and notes that hackers—and specifically espionage-focused Chinese groups—are building custom malware for edge devices, in part because many networks have little or no way to monitor for compromise of the devices. Detecting the ArcaneDoor hackers’ access to Cisco ASA appliances, in particular, is “incredibly difficult,” according to the advisory from the UK’s NCSC.

Mandiant notes that it has observed Russian state-sponsored hackers targeting edge devices too: It’s observed the unit of Russia’s GRU military intelligence agency, known as Sandworm, repeatedly hack edge devices used by Ukrainian organizations to gain and maintain access to those victim networks, often for data-destroying cyberattacks. In some cases, the lack of visibility and monitoring in those edge devices has meant that Sandworm was able to wipe a victim network while holding on to its control of an edge device—then hit the same network again.

“They’re systemically targeting security appliances that sit on the edge for access to the rest of the network,” says John Hultquist, Mandiant’s head of threat intelligence. “This is no longer an emerging trend. It’s established.”


Source: ‘ArcaneDoor’ Cyberspies Hacked Cisco Firewalls to Access Government Networks | WIRED

Robin Edgar

Organisational Structures | Technology and Science | Military, IT and Lifestyle consultancy | Social, Broadcast & Cross Media | Flying aircraft

 robin@edgarbv.com  https://www.edgarbv.com