TLDR:
- A nation-state threat actor has launched an espionage campaign targeting government networks and critical infrastructure by attacking Cisco firewall appliances.
- Cisco has issued patches for three zero-day vulnerabilities and urged customers to apply them to prevent exploitation by the group known as UAT4356/STORM-1849.
A previously unidentified hacking group believed to be a nation-state threat actor has targeted Cisco firewall appliances in an espionage campaign named “ArcaneDoor.” The group is leveraging three zero-day vulnerabilities in Cisco’s Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software, prompting urgent patching from cybersecurity agencies worldwide. The campaign, monitored since early this year, is sophisticated and involves novel techniques targeting multiple global entities. The U.S. CISA has added two of the critical bugs to its Known Exploited Vulnerabilities Catalog and mandated federal agencies to apply patches by May 1.
The threat actor, tracked as UAT4356 by Cisco and STORM-1849 by Microsoft, has deployed backdoors named “Line Runner” and “Line Dancer” to perform malicious actions such as configuration modifications and network traffic capture. The attack underscores the trend of state-sponsored actors targeting perimeter network devices, which serve as ideal intrusion points for espionage campaigns, as noted by Cisco Talos. The campaign’s sophistication and scope indicate a well-resourced state-sponsored actor, raising concerns about the security of VPN services and network infrastructure globally.