Censys has published findings on a cyber espionage campaign known as ArcaneDoor, believed to have ties to China. The attacks reportedly began in July 2023, with the first attack being detected in January 2024.
The attacks were conducted by the group UAT4356 (Storm-1849), using two malware implants named Line Runner and Line Dancer. These implants exploited vulnerabilities in Cisco Adaptive Security Appliances that have since been patched by the vendor (CVE-2024-20353, CVSS score 8.6, and CVE-2024-20359, CVSS score 6.0).
During the investigation, it was discovered that the attackers also targeted Microsoft Exchange servers and devices from various manufacturers. Analysis of the IP addresses revealed a possible link to China: 4 out of 5 hosts presenting SSL certificates associated with the attackers' infrastructure were located on networks belonging to Tencent and Chinanet.
Furthermore, one of the hosts was located in Paris and was linked to the anti-censorship tool Marzban, which was developed by Chinese developers to evade the Great Chinese Firewall (Golden Shield).
Determining whether the cyber attacks are state-sponsored by Chinese authorities necessitates a comprehensive approach. While analyzing the networks hosting the hackers’ infrastructure is a piece of the puzzle, other factors like attack techniques, targets, and geopolitical implications must also be considered. Experts are likely to continue their investigation to gather more insights into the motives behind the attacks.
Prior to this revelation, Cisco had issued a warning that its Adaptive Security Appliances, which integrate firewall, VPN, and other security features, had been compromised by a hacker group linked to an adversarial state. The hackers exploited two previously undisclosed vulnerabilities in Cisco products to breach government entities in multiple countries worldwide, an operation dubbed ArcaneDoor.