China-Linked Hackers Suspected in ArcaneDoor Cyberattacks Targeting Network Devices

ArcaneDoor, a cyber espionage campaign targeting network devices from multiple vendors, including Cisco, has been linked to China-based actors on the strength of infrastructure findings published by Censys. The campaign, attributed to a sophisticated state-sponsored actor tracked as UAT4356 (by Cisco Talos) or Storm-1849 (by Microsoft), began around July 2023; the first confirmed attack, which deployed the custom implants Line Runner (a persistent backdoor) and Line Dancer (an in-memory shellcode interpreter), took place in early January 2024. On Cisco Adaptive Security Appliances the attackers exploited CVE-2024-20353 and CVE-2024-20359, which were zero-days at the time and have since been patched, to gain and maintain access. The initial access vector, however, has still not been identified.

Further investigation revealed that the threat actor also showed particular interest in Microsoft Exchange servers and in network devices from other vendors, indicating a broad rather than Cisco-specific targeting approach. A Chinese origin is strongly suggested by several online hosts that presented SSL certificates associated with the actor's infrastructure and that sit in autonomous systems belonging to Tencent and ChinaNet. In addition, one of the IP addresses controlled by the threat actor is a Paris-based host (212.193.2[.]48) that appears to be running Marzban, an anti-censorship proxy management tool built on Xray, proxy software written by Chinese developers.

Security Officer Comments:
The combination of attack patterns, infrastructure affiliations and geopolitical context strongly suggests Chinese state-sponsored involvement in the ArcaneDoor campaign. This is consistent with previous instances in which China-affiliated nation-state actors targeted network appliances, used zero-day vulnerabilities to gain a foothold, and deployed persistent malware on the compromised devices.

Suggested Corrections:
Determining whether a cyber attack is state-sponsored demands a comprehensive approach. Analyzing the networks that host threat actor infrastructure is one piece of the puzzle, but attack methods, victimology and geopolitical context must be weighed as well. The murky nature of this threat actor's identity, combined with the fact that the initial access vector used in this campaign is still unknown, is a cause for continued monitoring of the situation.

While the initial attack vector remains unknown, Cisco recommends that customers apply the software updates listed in its security advisory, which address the three vulnerabilities discovered during its investigation: