ArcaneDoor Hackers Who Exploited Cisco Firewall Zero-Days Linked To China

Hackers target Cisco Firewalls due to their widespread use and the potential to exploit vulnerabilities to gain unauthorized access, steal data, and launch cyber attacks.

Cisco Talos recently reported on a global campaign dubbed “ArcaneDoor” by a previously unknown state-sponsored threat actor, “UAT4356”. 

The campaign targeted government-owned perimeter network devices from various vendors.

Talos discovered the actor’s infrastructure was established in late 2023, with initial activity detected in early January 2024.


Integrate ANY.RUN in Your Company for Effective Malware Analysis

Are you from SOC, Threat Research, or DFIR departments? If so, you can join an online community of 400,000 independent security researchers:

  • Real-time Detection
  • Interactive Malware Analysis
  • Easy to Learn by New Security Team members
  • Get detailed reports with maximum data
  • Set Up Virtual Machine in Linux & all Windows OS Versions
  • Interact with Malware Safely

If you want to test all these features now with completely free access to the sandbox:

The investigation uncovered three zero-day vulnerabilities in Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software that were exploited as part of the attack chain:-

While the initial access vector remains unknown. The cybersecurity analysts at Censys recently discovered that ArcaneDoor hackers who exploited Cisco Firewall zero-days were linked to China.

In the study of what Cisco Talos refers to as the “ArcaneDoor” campaign, the threat actor UAT4356 undeniably made a few mistakes. 

For one thing, their SSL certificate issuer and subject names contained a pattern that seems to be related to the OpenConnect VPN Server that might have been used for initial access. 

A few hosts had this certificate — some of them were running Cisco ASA software, which matched what Talos said.

Yet these hosts were distributed across Chinese autonomous systems like Tencent and ChinaNet, which shows they are part of an advanced worldwide operation. 

What’s more interesting is that 11 out of 22 IPs given by Talos still showed signs of life after being taken control of potentially by the actors themselves, which means ongoing activities are happening in those areas.

These hosts are concentrated in the following networks:-

  • TSRDC-AS-AP Truxgo S. R.L. de C.V

Various anti-censorship tools such as Xray and Marzban were discovered when they pivoted on interesting certificate details.

These were believed to have been created by Chinese groups for the purpose of bypassing the Great Firewall.

Talos-identified indicators were compared with Censys data which showed that these services are being run through infrastructure under the control of actors, with a significant number—about 4,800—using the Gozargah certificate name across different IPs most commonly associated with this project located on ports like 62050/62051.

One host had an HTTP panel called “Trojan Panel,” which is related to a Chinese scheme that supports various tools for evading detection, including Xray, among others.

Trojan Panel (Source – Censys)

When studying actor-operated IPs and certificate fingerprints, it became clear that this campaign may have been launched by a Chinese actor. Figuring out the state sponsor requires analyzing the attack methods, victims, and context together.

Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.