China-Linked Hackers Suspected in ArcaneDoor Cyberattacks Targeting Network Devices

May 6, 2024 at 10:05AM

A cyber espionage campaign dubbed ArcaneDoor targeted perimeter network devices from several vendors and is suspected to be the work of a China-linked actor. The attacks deployed custom malware and exploited flaws in Cisco devices. Telemetry also shows the actor's interest in Microsoft Exchange servers and in other vendors' network devices, while the IP addresses and hosting characteristics of the attack infrastructure are what point to China. Separately, the PlugX malware has been detected in more than 170 countries, concentrated in nations participating in China's Belt and Road Initiative, consistent with intelligence-gathering on the initiative's strategic and security concerns.

The ArcaneDoor cyber espionage campaign targeted perimeter network devices from several vendors, including Cisco. It is attributed to a suspected sophisticated state-sponsored actor tracked as UAT4356 (also known as Storm-1849). The activity dates back to around July 2023, with targeted intrusions that deployed two custom implants: Line Dancer, which runs in memory, and Line Runner, which provides persistence across reboots.

Telemetry associated with the actor's infrastructure also indicates interest in Microsoft Exchange servers and in network devices from other vendors. The infrastructure itself is the strongest pointer to a China-based actor: IP addresses tied to it sit in autonomous systems belonging to Tencent and ChinaNet.

A further indication that ArcaneDoor is the work of a Chinese actor is that some of the hosts in that infrastructure ran services associated with anti-censorship software designed to circumvent the Great Firewall, software an operator located inside China would need.

The campaign fits a broader pattern: nation-state actors affiliated with China are increasingly targeting edge appliances from a range of vendors with zero-day flaws. Such devices are attractive footholds because they sit at the network perimeter, typically run outside endpoint detection coverage, and handle authentication and traffic for the rest of the network.

In a related development, researchers successfully sinkholed a command-and-control (C2) server linked to the PlugX trojan. The sinkhole revealed a self-propagating (worm) variant of PlugX beaconing from more than 170 countries, concentrated in regions strategically important to the security of the Belt and Road Initiative.

Taken together, these findings describe a significant cybersecurity threat with geopolitical implications. The impact of such campaigns on global security and infrastructure deserves particular attention in regions where Chinese infrastructure investment is substantial.
