The cyber espionage campaign targeting perimeter network devices, including Cisco appliances, may have been conducted by China-linked actors, according to new findings from attack surface management firm Censys.
Known as ArcaneDoor, the campaign began around July 2023, with the first attack identified in early January 2024.
The attacks, attributed to a previously unknown, sophisticated state-sponsored actor tracked as UAT4356 (also Storm-1849), involved deploying two custom malware families named Line Runner and Line Dancer.
While the initial access method remains unknown, the actor exploited two flaws in Cisco Adaptive Security Appliances (CVE-2024-20353 and CVE-2024-20359), both since patched, to plant Line Runner.
Telemetry data indicated the threat actor’s interest in Microsoft Exchange servers and devices from other vendors.
Censys, examining the IP addresses controlled by the actor, suggested that the attacks point to potential Chinese involvement.
This inference is based on the majority of SSL certificates associated with the attackers' infrastructure being tied to the Tencent and ChinaNet autonomous systems.
Among the threat actor-managed IP addresses is a host in Paris with connections to an anti-censorship tool named Marzban hosted on GitHub.
The investigation suggests that the espionage activity may be related to Chinese actors, given the attackers' use of anti-censorship software.
The sinkholing of a command-and-control server linked to the PlugX trojan revealed a concerning presence of the malware across multiple countries, including Nigeria, India, China, Iran, and Indonesia.
Such activity suggests a connection to China's Belt and Road Initiative, with implications for maritime and economic interests in the affected regions.
Nations involved in the Initiative have seen increasing cyber threats, with edge appliances targeted through zero-day vulnerabilities to gain covert access.
The cybersecurity landscape continues to evolve, with state-sponsored actors targeting sensitive infrastructure for espionage purposes, highlighting the need for enhanced cybersecurity measures.