News: 0173631072


'ArcaneDoor' Cyberspies Hacked Cisco Firewalls To Access Government Networks (wired.com)

(Wednesday April 24, 2024 @11:30PM (BeauHD) from the time-to-update dept.)


An anonymous reader quotes a report from Wired:

> Network security appliances like firewalls are meant to keep hackers out. Instead, digital intruders are increasingly targeting them as the weak link that lets them pillage the very systems those devices are meant to protect. In the case of one hacking campaign over recent months, Cisco is now revealing that its firewalls [1]served as beachheads for sophisticated hackers penetrating multiple government networks around the world . On Wednesday, Cisco [2]warned that its so-called Adaptive Security Appliances -- devices that integrate a firewall and VPN with other security features -- had been targeted by state-sponsored spies who exploited two zero-day vulnerabilities in the networking giant's gear to compromise government targets globally in a hacking campaign it's calling ArcaneDoor.

>

> The hackers behind the intrusions, which Cisco's security division Talos is calling UAT4356 and which Microsoft researchers who contributed to the investigation have named STORM-1849, couldn't be clearly tied to any previous intrusion incidents the companies had tracked. Based on the group's espionage focus and sophistication, however, Cisco says the hacking appeared to be state-sponsored. "This actor utilized bespoke tooling that demonstrated a clear focus on espionage and an in-depth knowledge of the devices that they targeted, hallmarks of a sophisticated state-sponsored actor," a blog post from Cisco's Talos researchers reads. Cisco declined to say which country it believed to be responsible for the intrusions, but sources familiar with the investigation tell WIRED the campaign appears to be aligned with China's state interests.

>

> Cisco says the hacking campaign began as early as November 2023, with the majority of intrusions taking place between December and early January of this year, when it learned of the first victim. "The investigation that followed identified additional victims, all of which involved government networks globally," the company's report reads. In those intrusions, the hackers exploited two newly discovered vulnerabilities in Cisco's ASA products. One, which it's calling Line Dancer, let the hackers run their own malicious code in the memory of the network appliances, allowing them to issue commands to the devices, including the ability to spy on network traffic and steal data. A second vulnerability, which Cisco is calling Line Runner, would allow the hackers' malware to maintain its access to the target devices even when they were rebooted or updated. It's not yet clear if the vulnerabilities served as the initial access points to the victim networks, or how the hackers might have otherwise gained access before exploiting the Cisco appliances.

Cisco [3]advises that customers apply its new software updates to patch both vulnerabilities.

A [4]separate advisory (PDF) from the UK's National Cyber Security Centre notes that physically unplugging an ASA device does disrupt the hackers' access. "A hard reboot by pulling the power plug from the Cisco ASA has been confirmed to prevent Line Runner from re-installing itself," the advisory reads.



[1] https://www.wired.com/story/arcanedoor-cyberspies-hacked-cisco-firewalls-to-access-government-networks/

[2] https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/

[3] https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_attacks_event_response

[4] https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/line/ncsc-tip-line-runner.pdf



Using Known Backdoors Is Hacking? (Score:2)

by zenlessyank ( 748553 )

Come on, It's Cisco. Even I know better than to use their stuff.

Re: (Score:1)

by olsmeister ( 1488789 )

People who work for governments who select vendors may not have quite the knowledge you do.

Re: (Score:2)

by zenlessyank ( 748553 )

Then they should be terminated with prejudice.

Re: (Score:2)

by zenlessyank ( 748553 )

Yes. And more to the point, even some anonymous coward knows this. So I guess the real question is WHY?

tech is hard: just outsource your brain (Score:2)

by Big Hairy Gorilla ( 9839972 )

Wired. Ugh. It reads like fiction. Let's just say it's scant on the details, and for that reason... is this basically just a kind of abdication of duty at so many levels? Nobody really knows jack shit anymore... let's just use the appliance. Bam. Problem solved. So my read of this is that the management of the world just doesn't know what any of this techy stuff means, so they outsource their brain to Microsoft, or is it VMware, and now... Look, managers, politicians, most people are terrified of looking bad.

Re: (Score:2)

by DMJC ( 682799 )

There's also governments mandating the use of some brands over others. No one ever got fired for buying Cisco/VMware/Microsoft, so those are the technologies which dominate the corporate and government worlds.

initial access unclear (Score:2)

by awwshit ( 6214476 )

> It's not yet clear if the vulnerabilities served as the initial access points to the victim networks, or how the hackers might have otherwise gained access before exploiting the Cisco appliances.

Great job guys!

Re: initial access unclear (Score:2)

by NagrothAgain ( 4130865 )

It's actually very clear, if they had bothered to follow the links to the individual CVE. The two referenced in the article require the attacker to be authenticated and the 3rd is a way to trigger a reboot. So no, they had to use some other exploit to get into the ASA first, or they managed to get ahold of a set of login credentials.

Initial Access Method Still Unknown (Score:2)

by laughingskeptic ( 1004414 )

They have reverse engineered the implant code and know how it works ... but they still do not know how the implant is getting on to the ASAs. That is not good.

> We have not determined the initial access vector used in this campaign. We have not identified evidence of pre-authentication exploitation to date. Our investigation is ongoing, and we will provide updates, if necessary, in the security advisories or on this blog.
