Espionage Alert: Chinese Link to “ArcaneDoor” Attacks Revealed
Censys has disclosed details of a new cyber espionage campaign, ArcaneDoor, which is believed to be linked to China. The attacks reportedly began in July 2023, with the first incident detected in January 2024.
The operations were conducted by a group known as UAT4356 (Storm-1849), utilizing two types of malware: Line Runner and Line Dancer. These programs were introduced through vulnerabilities in Cisco Adaptive Security Appliances, which have since been rectified by the developers (CVE-2024-20353 with a CVSS score of 8.6 and CVE-2024-20359 with a CVSS score of 6.0).
The investigation revealed that the perpetrators showed interest in Microsoft Exchange servers and devices from other manufacturers. After analyzing the IP addresses of the hackers, Censys noted a possible Chinese presence. Four out of five hosts using SSL certificates associated with the attackers’ infrastructure are located in networks owned by Tencent and ChinaNet.
Additionally, one of the hosts is situated in Paris and linked to the anti-censorship tool Marzban. Given that Marzban was developed by Chinese programmers, it was designed to circumvent the Great Firewall of China.
Determining whether these cyberattacks are sponsored by Chinese authorities requires a comprehensive approach. While analyzing the networks hosting the hackers’ infrastructure is a part of the puzzle, other factors, such as attack methods, victims, and geopolitical context, must also be considered. The investigation by specialists will likely continue as more detailed information about the objectives of the attacks becomes available.
Earlier, Cisco warned that its Adaptive Security Appliances, which combine firewall, VPN, and other protective components, had been compromised by a hacking group, presumably linked to a hostile state. The hackers exploited two previously unknown vulnerabilities in Cisco’s products to gain access to government facilities across various countries worldwide. The cyberattack has been named ArcaneDoor.