China-Linked Actors Suspected in ArcaneDoor Cyber Espionage Targeting Network Devices

May 6, 2024

A recently discovered cyber espionage campaign, dubbed ArcaneDoor, has been linked to potential China-based actors. The campaign, which began around July 2023, has been targeting perimeter network devices from numerous vendors, including Cisco. The first confirmed attack was detected in early January 2024. The campaign appears to be the work of an as-yet-undocumented state-sponsored actor, tracked as UAT4356 or Storm-1849. Two custom malware families, named Line Runner and Line Dancer, were used in the attacks.

While the initial access route used for the intrusions remains unclear, it has been noted that the attackers exploited two now-patched vulnerabilities in Cisco Adaptive Security Appliances, specifically CVE-2024-20353 and CVE-2024-20359, to establish persistence for Line Runner. The threat actor has also shown interest in Microsoft Exchange servers and network devices from other vendors.

Telemetry data collected during the investigation has revealed some intriguing details. Analysis of the IP addresses under the control of the attacker suggests that the attacks may be the work of a threat actor based in China. This theory is supported by the fact that four out of five online hosts presenting the SSL certificate associated with the attackers' infrastructure are linked to Tencent and ChinaNet autonomous systems.

Furthermore, among the IP addresses managed by the threat actor is a Paris-based host, with the subject and issuer set as 'Gozargah'. This appears to be a reference to a GitHub account hosting an anti-censorship tool named Marzban, which is powered by another open-source project, Xray, with a website written in Chinese. This suggests that some of these hosts were running services associated with anti-censorship software likely intended to circumvent The Great Firewall and that a significant number of these hosts are based in prominent Chinese networks.

In recent years, nation-state actors affiliated with China have increasingly targeted edge appliances, exploiting zero-day flaws in systems from Barracuda Networks, Fortinet, Ivanti, and VMware to infiltrate targets of interest and deploy malware for persistent covert access.

French cybersecurity firm Sekoia reported that it successfully sinkholed a command-and-control (C2) server linked to the PlugX trojan in September 2023 by purchasing the IP address tied to a variant of the malware for just $7. Monitoring of the sinkholed IP address has revealed the worm's presence in more than 170 countries, spanning 2.49 million unique IP addresses over a six-month period. A majority of the infections have been detected in countries participating in China's Belt and Road Initiative, suggesting that the worm was developed to collect intelligence about the strategic and security concerns associated with the initiative.
