At least one cybersecurity company is attributing the recent ArcaneDoor campaign targeting perimeter network devices from several vendors to Chinese state-sponsored cyber actors based on several factors discovered while investigating infrastructure used during the campaign.
The researchers found that four of the five online hosts presenting the SSL certificate associated with the campaign's infrastructure are linked to Tencent and ChinaNet, both prominent Chinese networks.
Furthermore, the certificate served by one of the IP addresses used by the threat actor has both its subject and issuer set to "Gozargah," which is likely related to a GitHub account that hosts an anti-censorship tool named Marzban, itself built on another Chinese-language project dubbed Xray.
All this implies, according to the researchers, that some hosts used by the threat actor were running services associated with anti-censorship software likely intended to circumvent China's Great Firewall, suggesting that ArcaneDoor could be a Chinese-linked endeavour.
Source: The Hacker News
Analysis
In late April 2024, Cisco reported a campaign, dubbed ‘ArcaneDoor’, in which the previously unknown but likely state-sponsored actor, UAT4356, combined CVE-2024-20353 (a denial-of-service flaw) and CVE-2024-20359 (a persistent local code execution bug) to compromise Cisco firewalls, along with other network perimeter devices from other vendors.
It's likely that the recently discovered information linking ArcaneDoor to China represents a failure in UAT4356's operational security during the planning and execution of the campaign: the infrastructure involved was not thoroughly vetted to ensure it had no links to China.
There’s a small chance that another actor conducted a false flag operation, deliberately leaving clues for researchers to discover and use to blame China for the campaign. However, it’s more probable that a mistake was made given the time and resources it would take to vet the infrastructure used during this campaign.
Furthermore, China-linked actors have increasingly targeted edge appliances in recent years, leveraging zero-day flaws to infiltrate networks of interest and deploy malware for persistent and stealthy access.
Mitigation
Field Effect's elite team of Security Intelligence professionals constantly monitors the cyber threat landscape for threats emanating from campaigns like 'ArcaneDoor'. This research contributes to the timely deployment of signatures into Field Effect's MDR to detect and mitigate these threats.
Field Effect MDR users were automatically notified if an impacted Cisco device was detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.
Field Effect recommends that all other users of the targeted Cisco devices install the latest security update according to Cisco’s advisory as soon as possible.