Changelog: ArcaneDoor campaign targets Cisco devices

Massimo Botturi / Unsplash

Welcome to Changelog for 4/25/2024, published by Synack! README senior editor Nathaniel Mott here with all the doom and gloom you need this fine Spring day.

The payload

Cisco Talos revealed on April 24 a campaign it’s dubbed “ArcaneDoor” in which “a previously unknown actor now tracked as UAT4356 by Talos and STORM-1849 by the Microsoft Threat Intelligence Center” was said to have “utilized bespoke tooling that demonstrated a clear focus on espionage and an in-depth knowledge of the devices that they targeted”—those being “perimeter network devices” from Cisco, Microsoft and other vendors—which Talos called “hallmarks of a sophisticated state-sponsored actor.”

Cisco has identified three vulnerabilities related to ArcaneDoor: CVE-2024-20353 and CVE-2024-20359, both of which are known to have been actively exploited, and CVE-2024-20358. Talos said it has “been unable to identify the initial attack vector,” though, so the number of Cisco-related vulns associated with the campaign might continue to grow. Talos also said “network telemetry and information from intelligence partners indicate the actor is interested in—and potentially attacking—network devices from Microsoft and other vendors” so we might end up seeing a few reports from those companies as well.

Talos said it believes UAT4356 started “developing and testing” the attacks used in ArcaneDoor around July 2023 before standing up its infrastructure and performing “some activity” in December 2023. Activity was first confirmed in January, more compromised devices were found in February and then patches for the associated CVEs were released in “late March / early April.” Talos said it received assistance in its investigation from government organizations in the U.S., U.K., Canada and Australia as well as the Microsoft Threat Intelligence Center and Black Lotus Labs at Lumen Technologies.

As for ArcaneDoor’s targets: Talos said all of the victims “involved government networks globally.” It didn’t say which governments, but I’d probably start my guessing with the four countries listed above. The group also didn’t publicly attribute the activity to a particular country, although Wired reported that “sources familiar with the investigation” said it “appears to be aligned with China's state interests.” (Interests which, based on the near-constant reports of Chinese espionage from countries around the world, appear to include “spying on pretty much every government that isn’t called the People’s Republic of China.”)

This would also fit China’s style. Recorded Future reported in November 2023 that China-linked adversaries have become increasingly fond of targeting “public-facing security and network appliances” like the ones exploited as part of this campaign. Chinese threat actors aren’t alone in this—we reported in July 2023 that attackers seemed to have renewed interest in compromising edge devices, which have proven difficult to defend, especially since organizations typically have very little visibility into what’s happening on the perimeters of their networks—but they do seem to be particularly fond of these targets.

None of which is likely to comfort organizations targeted in campaigns like ArcaneDoor. So far it seems like Cisco will be able to patch its way to better security, which puts its customers in a better position than the Barracuda users who had to remove the company’s email security gateway appliances from their networks entirely in June 2023, but that might change after the initial attack vector is discovered. And it’s not like the alternatives fare much better—are Cisco users supposed to switch to Ivanti? Juniper Networks? Fortinet? Palo Alto Networks? They’re going to be “living on the edge,” as it were, no matter what.

The week, compiled

Here’s some of the week’s leading security news:

Mandiant: M-Trends 2024 arrived on April 23. The annual report summarizes Mandiant’s observations from throughout 2023, including how long hackers tend to dwell on networks, what kinds of malware they’re using, etc. If you don’t feel like giving your contact information to Google Cloud (which owns Mandiant) you can find the full report here. Just don’t tell anyone I sent you. Mandiant also published “Poll Vaulting: Cyber Threats to Global Elections” today, which you can find on the Google Cloud website.

BleepingComputer: It turns out using antivirus software to distribute malware is about as amusing as it is effective. Avast said this week that eScan’s update mechanisms—which transferred data via HTTP and apparently didn’t require updates to be signed—have been used by North Korean hackers “to plant backdoors on big corporate networks and deliver cryptocurrency miners through GuptiMiner malware.”
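The two weaknesses Avast describes in that update path (plaintext HTTP transport and no signature requirement) are exactly the checks an updater should refuse to proceed without. Below is an added illustration of what that looks like, written for this newsletter and not taken from eScan, Avast or any product: a hypothetical `VerifyUpdate` that rejects non-HTTPS download URLs, unsigned packages and packages whose Ed25519 signature does not match the payload. The key pair, the manifest shape and the update bytes are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"net/url"
)

// UpdateManifest is a constructed, hypothetical manifest: where the package
// came from, the package bytes, and a detached signature over their digest.
type UpdateManifest struct {
	URL       string
	Payload   []byte
	Signature []byte // Ed25519 signature over sha256(Payload); empty = unsigned
}

var (
	ErrInsecureTransport = errors.New("update URL must use https")
	ErrUnsigned          = errors.New("update package is not signed")
	ErrBadSignature      = errors.New("update signature does not verify")
)

// SignUpdate is the vendor-side step: sign the digest of the package bytes.
func SignUpdate(priv ed25519.PrivateKey, payload []byte) []byte {
	digest := sha256.Sum256(payload)
	return ed25519.Sign(priv, digest[:])
}

// VerifyUpdate is the client-side gate. Every failure is fatal: an update
// that cannot be authenticated is never installed.
func VerifyUpdate(pub ed25519.PublicKey, m UpdateManifest) error {
	u, err := url.Parse(m.URL)
	if err != nil || u.Scheme != "https" {
		return ErrInsecureTransport // plaintext HTTP allows on-path substitution
	}
	if len(m.Signature) == 0 {
		return ErrUnsigned // "no signature" must not mean "no check"
	}
	digest := sha256.Sum256(m.Payload)
	if !ed25519.Verify(pub, digest[:], m.Signature) {
		return ErrBadSignature // payload altered or signed by someone else
	}
	return nil
}

// Scenarios builds one legitimate update and three defective variants and
// returns the verifier's verdict on each, keyed by scenario name.
func Scenarios() (map[string]error, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed key pair
	if err != nil {
		return nil, err
	}
	payload := []byte("constructed update package bytes, version 1.2.3")
	good := UpdateManifest{
		URL:       "https://updates.example.invalid/engine.bin", // placeholder host
		Payload:   payload,
		Signature: SignUpdate(priv, payload),
	}

	plaintext := good
	plaintext.URL = "http://updates.example.invalid/engine.bin"

	unsigned := good
	unsigned.Signature = nil

	tampered := good
	tampered.Payload = append([]byte(nil), payload...)
	tampered.Payload[0] ^= 0xff // one flipped byte in the package

	return map[string]error{
		"good":      VerifyUpdate(pub, good),
		"plaintext": VerifyUpdate(pub, plaintext),
		"unsigned":  VerifyUpdate(pub, unsigned),
		"tampered":  VerifyUpdate(pub, tampered),
	}, nil
}

func main() {
	results, err := Scenarios()
	if err != nil {
		panic(err)
	}
	for name, verdict := range results {
		fmt.Printf("%-10s -> %v\n", name, verdict)
	}
}
```

The order of the checks matters less than the fact that none of them is optional: a client that treats a missing signature as "nothing to verify" has the same effective security as one with no signature support at all, which is the condition the eScan report describes.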

Ars Technica: Microsoft revealed on April 22 that “Kremlin-backed hackers have been exploiting a critical Microsoft vulnerability for four years in attacks that targeted a vast array of organizations with a previously undocumented tool.” Ars Technica noted that although the vuln was patched in 2022, Microsoft didn’t say and, in fact, still hasn’t said anything in the associated advisory about it being actively exploited.

A message from Synack

Going to RSA? While at RSA, stop by Synack’s “Journey to Secure the Future” experience at Fogo de Chão – across the street from the Moscone Convention Center. Come meet with emerging cybersecurity companies, attend our Woman in Cyber Executive Panel discussion, watch a live demo of the Synack Platform or explore one of the many cosmic parties that’ll feature drinks, food and music that’s out of this world. Click here for a full list of events.

Local files

CyberScoop: The naming and shaming of foreign adversaries continued this week as the Departments of Justice, State and the Treasury accused four Iranians “of participating in hacking operations that targeted the U.S. Treasury and State departments, defense contractors and two New York-based companies on behalf of the Iranian Islamic Revolutionary Guard Corps” between 2016 and 2021.

The Record: A ransomware attack is about to ruin Sweden’s weekend. The Record reported on April 24 that “a ransomware attack on a Swedish logistics company has prompted warnings from the country’s sole liquor retailer that its top shelves in stores around the country may be empty by the end of the week.” 

Directions: Microsoft’s pillorying continued this week as long-time reporter Mary Jo Foley argued that it “must stop selling security as a premium offering” to improve the security of its customers and its public image. (Which is an understatement, given that it was called a national security threat this week, in addition to already having been chastised by the Cyber Safety Review Board and Wired.)

Off-script

I don’t have the heart to continue writing about the TikTok ban now that it’s been passed and signed by President Joe Biden. (Whose campaign, somewhat hypocritically, will continue to use the platform.) I’d rather make note of what strikes me as a positive change: Tinder’s new “Share My Date” feature.


Good Faces Agency / Unsplash

TechCrunch reported on April 22 that Tinder users “will now be able to send a link that includes details about the upcoming date, including the match’s name, meeting location, date, and time.” Many people already share this kind of information with someone they trust before they meet up with a stranger, but it’s nice to see Tinder officially support the practice and simultaneously make it more convenient than before.

I’m sure that someone will find a way to abuse this feature and that Tinder has some flaws that I’m not aware of. That’s how things usually go. But I figure it’s worth taking a moment to savor the small victories making people at least a little bit safer. Hopefully similar apps follow suit.