State-sponsored attackers backdoor Cisco firewalls to hack into government networks

A report from Cisco Talos Intelligence, backed up by a joint advisory issued by the national cyber security agencies in Australia, Canada, the UK and the US, confirms that a previously unknown state-sponsored espionage hacking group has been compromising Cisco firewalls to spy on Western government networks.

The report, ‘ArcaneDoor – New espionage-focused campaign found targeting perimeter network devices’, confirms that state-sponsored actors are targeting perimeter network devices from multiple vendors, including Cisco.

Although the use of “sophisticated” has been devalued courtesy of overuse, it applies here. “This actor utilised bespoke tooling that demonstrated a clear focus on espionage and an in-depth knowledge of the devices that they targeted,” the report states, “hallmarks of a sophisticated state-sponsored actor.”


First signs of hacks on Cisco firewalls

The hack was first observed by a Cisco customer in January 2024, who reported concerns to Cisco’s Product Security Incident Response Team (PSIRT) and Cisco Talos. However, the spying campaign is now thought to have started in November 2023.

There are still a lot of unknowns. In particular, the initial access vector has not been identified, although Cisco has confirmed that two zero-day vulnerabilities were exploited (CVE-2024-20353 and CVE-2024-20359). The zero-days, a denial-of-service flaw and a persistent local code execution flaw respectively, were found in Cisco’s Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewall products. Neither gives an attacker their first foothold on its own: the persistent code execution bug requires administrator-level access to the device, so how the actor got that access in the first place remains the open question. Patches for both are now available.

The critical nature of the ArcaneDoor investigation is highlighted by the fact that “several external intelligence partners” were involved, and four of the nations that comprise the Five Eyes intelligence alliance have issued security advisories.

The US Cybersecurity and Infrastructure Security Agency (CISA) says that it “strongly encourages users and administrators to apply the necessary updates, hunt for any malicious activity, report positive findings to CISA”. The UK National Cyber Security Centre (NCSC) – a part of GCHQ – recommends “following vendor best practice in the mitigation of this activity, which includes applying security updates to address vulnerabilities”.

A joint advisory can be found at the Canadian Centre for Cyber Security (CCCS) and warns that “the affected products are predominantly Cisco ASA devices, series ASA55xx and running firmware ASA versions 9.12 and 9.14. These affected products have been compromised by malicious actors who successfully established unauthorised access through WebVPN sessions, commonly associated with Clientless SSLVPN services.”
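The advisory’s point about unauthorised WebVPN sessions, combined with CISA’s call to “hunt for any malicious activity”, translates into a concrete starting point: pull the WebVPN session-start events off the ASA syslog and compare who logged in, and from where, against what the organisation expects. The script below is an added example written for this article, not code from Cisco, Talos or any of the advisories. It assumes the ASA syslog message 716001 (“WebVPN session started”) in the format shown in the constructed sample lines, and the user allowlist and expected source network are hypothetical baselines that a real hunt would take from the AAA server and inventory.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample syslog lines in the shape of Cisco ASA message 716001
# ("WebVPN session started"). Host name, users, groups and IPs are invented.
SAMPLE_LOG = """\
Apr 24 2024 08:02:11 asa-edge-1 %ASA-6-716001: Group <RemoteWorkers> User <alice> IP <198.51.100.23> WebVPN session started.
Apr 24 2024 08:05:40 asa-edge-1 %ASA-6-716001: Group <RemoteWorkers> User <bob> IP <198.51.100.77> WebVPN session started.
Apr 24 2024 02:17:03 asa-edge-1 %ASA-6-716001: Group <DfltGrpPolicy> User <svc_backup> IP <203.0.113.45> WebVPN session started.
Apr 24 2024 02:19:55 asa-edge-1 %ASA-6-716001: Group <DfltGrpPolicy> User <svc_backup> IP <203.0.113.45> WebVPN session started.
Apr 24 2024 09:30:00 asa-edge-1 %ASA-6-716002: Group <RemoteWorkers> User <alice> IP <198.51.100.23> WebVPN session terminated: User Requested.
"""

# Assumed layout of the 716001 message; only session starts are of interest here.
SESSION_START = re.compile(
    r"%ASA-\d-716001: Group <(?P<group>[^>]+)> User <(?P<user>[^>]+)> "
    r"IP <(?P<ip>[^>]+)> WebVPN session started"
)

# Hypothetical baseline: accounts expected to use the clientless SSLVPN and
# the address ranges they are expected to come from.
EXPECTED_USERS = {"alice", "bob"}
EXPECTED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]


def parse_session_starts(log_text):
    """Return one dict (group, user, ip) per 716001 line; other messages are skipped."""
    sessions = []
    for line in log_text.splitlines():
        m = SESSION_START.search(line)
        if m:
            sessions.append(m.groupdict())
    return sessions


def hunt_webvpn_sessions(log_text, expected_users=EXPECTED_USERS,
                         expected_networks=EXPECTED_NETWORKS):
    """Group session starts by (user, source IP) and report pairs outside the baseline.

    Each finding carries the session count for that pair and the reasons it was
    flagged, so a reviewer can prioritise repeated logins from one source.
    """
    counts = Counter((s["user"], s["ip"]) for s in parse_session_starts(log_text))
    findings = []
    for (user, ip), n in sorted(counts.items()):
        reasons = []
        if user not in expected_users:
            reasons.append("user not in expected VPN user set")
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            reasons.append("unparseable source IP")
        else:
            if not any(addr in net for net in expected_networks):
                reasons.append("source outside expected networks")
        if reasons:
            findings.append({"user": user, "ip": ip, "sessions": n, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt_webvpn_sessions(SAMPLE_LOG):
        print(f"{f['user']}@{f['ip']} ({f['sessions']} sessions): {', '.join(f['reasons'])}")
```

Run against the sample, the two daytime sessions from known users on the expected range pass silently and the pair of early-morning logins by the unlisted service account from an unexpected address are reported together as one finding. On a real device the same logic applies to the exported syslog feed; the value is in the baseline, so keep the allowlist and network ranges sourced from systems the attacker cannot edit from the firewall itself.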


Which state sponsored the Cisco hacks?

So far, neither Cisco nor the national cyber security agencies have attributed the hacks to any specific nation. Instead, Cisco Talos is tracking the hacking group as UAT4356 and Microsoft’s Threat Intelligence Center as STORM-1849 (Cisco’s report also notes intelligence that network devices from Microsoft are of interest to the group).

However, both China and Russia are front and centre in the suspect ID parade.

“We’ve seen time and time again critical zero and n-day vulnerabilities being exploited with all of the mainstream security appliances and software,” said Andrew Costis, Chapter Lead of the Adversary Research Team at attackiq.com.

“Once an exploit is actively being used in the wild, it then comes down to the goals and objectives of the actors and groups post-compromise,” he added.

Costis says that the initial access vector will differ from one zero-day to the next, but warns that the post-compromise TTPs [tactics, techniques, procedures] are equally important to focus on.

“Testing known adversary behaviours, TTPs, by testing and validating your security controls through breach and attack simulation is not only recommended by CISA but should be part of the layered approach to defensive operations.”

Davey Winder

With four decades of experience, Davey is one of the UK's most respected cybersecurity writers and a contributing editor to PC Pro magazine. He is also a senior contributor at Forbes. You can find him at TechFinitive covering all things cybersecurity.
