May 3, 2024 at 09:10AM
The cyberespionage campaign ArcaneDoor, which targeted government networks through compromised Cisco firewalls, is likely operated by a Chinese state-sponsored threat actor. Exploiting two zero-day vulnerabilities, the attackers deployed custom malware to execute commands and exfiltrate data. Censys research supports the connection to China, citing the attacker-controlled IP addresses and the presence of Chinese-developed software on them.
From the reports, the following key takeaways can be identified:
1. A cyberespionage campaign named ArcaneDoor was uncovered, targeting government networks worldwide. Cisco's threat intelligence and research unit Talos, which discovered the campaign, attributed it to a state-sponsored actor; follow-on analysis by threat hunting and attack surface management firm Censys points to a Chinese state-sponsored threat actor.
2. The campaign involves the exploitation of two zero-day vulnerabilities in Cisco's Adaptive Security Appliance (ASA) firewall platform: CVE-2024-20353, which enables a denial-of-service condition, and CVE-2024-20359, which enables persistent local code execution.
3. The attackers implanted custom malware, executed commands, and attempted to exfiltrate data from compromised devices. Additionally, there is evidence to suggest that the attacks may have been ongoing since as early as July 2023.
4. Analysis by Censys points to strong indicators of Chinese involvement, including the presence of Chinese-developed anti-censorship software and connections to major Chinese networks.
5. The activity appears to be ongoing: Censys found that about half of the attacker-controlled IP addresses published by Talos were still online.
These takeaways encapsulate the critical information regarding the ArcaneDoor cyberespionage campaign, the attributed threat actor, and the ongoing nature of the attacks.