Cyber Spies Have Hacked Cisco Firewalls to Access Government Networks

Network security devices like firewalls are designed to keep hackers out. Instead, digital intruders are increasingly targeting them as a weak link, allowing them to prey on the very systems these devices are designed to protect. Cisco is now revealing that, in a hacking campaign over recent months, its firewalls served as beachheads for sophisticated hackers who penetrated multiple government networks around the world.

On Wednesday, Cisco warned that its so-called Adaptive Security Appliances – devices that integrate a firewall and VPN with other security features – were targeted by state-sponsored spies who exploited two zero-day vulnerabilities in the networking giant’s equipment to compromise government targets worldwide, in a hacking campaign Cisco calls ArcaneDoor.

The hackers behind the intrusions, which Cisco’s Talos security division calls UAT4356 and which Microsoft researchers involved in the investigation have referred to as STORM-1849, could not be clearly linked to previous intrusion incidents that the companies had tracked. However, based on the group’s espionage focus and sophistication, Cisco says the hacking appears to have been state-sponsored.

“This actor used tailored tools that demonstrated a clear focus on espionage and deep knowledge of the devices he targeted, hallmarks of a sophisticated, state-sponsored actor,” said a blog post from Cisco’s Talos researchers.

Cisco declined to say which country it believes is responsible for the intrusions, but sources familiar with the investigation tell WIRED that the campaign appears to be aligned with China’s state interests.

According to Cisco, the hacking campaign began as early as November 2023, with most of the breaches occurring between December and early January of this year, when the company learned of the first victim. “The subsequent investigation identified additional victims, all of which involved government networks around the world,” the company’s report said.

In these intrusions, the hackers exploited two newly discovered vulnerabilities in Cisco’s ASA products. One of them, called “Line Dancer,” allows hackers to execute their own malicious code in the memory of network devices and issue commands to them, including the ability to spy on network traffic and steal data. A second vulnerability, which Cisco calls “Line Runner,” would allow the hackers’ malware to maintain access to target devices even if they are rebooted or updated. It’s not yet clear whether the vulnerabilities served as initial entry points into the victims’ networks or how else the hackers might have gained access before exploiting the Cisco appliances.

Cisco has released software updates to address both vulnerabilities and recommends that customers install them immediately, along with other recommendations for determining whether they have been attacked. Despite the hackers’ Line Runner persistence mechanism, a separate advisory from the UK’s National Cyber Security Centre notes that physically disconnecting an ASA device breaks the hackers’ access. “It has been confirmed that a hard reboot by unplugging the Cisco ASA prevents Line Runner from reinstalling itself,” the advisory states.

The ArcaneDoor hacking campaign represents just the latest in a series of attacks on network perimeter appliances, sometimes referred to as “edge” devices, such as email servers, firewalls and VPNs – often devices intended to provide security – whose vulnerabilities have allowed hackers to obtain a staging point inside a victim’s network. Cisco’s Talos researchers warn of this broader trend in their report, citing highly sensitive networks that have been attacked via edge devices in recent years. “If an actor gains a foothold on these devices, they can directly penetrate an organization, redirect or alter traffic, and monitor network communications,” they write. “Over the past two years, we have seen a dramatic and sustained increase in attacks on these devices in areas such as telecommunications providers and energy sector organizations – critical infrastructure facilities that are likely strategic targets of interest to many foreign governments.”
