The recent revelations of cyber infiltrations targeting outer network apparatuses from various suppliers, including Cisco, are suspected to be orchestrated by hackers affiliated with China, as per fresh insights from the surveillance conducted by Censys, a company specializing in monitoring attack surfaces.
Known as ArcaneDoor, these actions are believed to have commenced circa July 2023, with the initial confirmed breach against an undisclosed entity noted in early January 2024.
The directed assaults, purportedly executed by an unidentified, highly sophisticated state-backed entity labeled as UAT4356 (also known as Storm-1849), involved the deployment of two bespoke malware variants named Line Runner and Line Dancer.
Although the initial access route employed to facilitate these intrusions remains undisclosed, the adversary has been observed exploiting two now-remedied vulnerabilities in Cisco Adaptive Security Appliances (CVE-2024-20353 and CVE-2024-20359) to perpetuate Line Runner.
Insights gleaned from telemetry data as part of the probe have indicated the malefactor’s keen interest in Microsoft Exchange servers and network apparatuses from alternate vendors, as per disclosures made by Talos last month.
Further scrutiny by Censys into the IP addresses under the control of the threat actor suggests potential ties to a Chinese-based assailant.
This inference is drawn from the observation that four out of five online hosts presenting SSL certificates linked to the attackers’ infrastructure are associated with Tencent and ChinaNet autonomous systems (AS).
Moreover, among the IP addresses managed by the threat actor is a host located in Paris (212.193.2[.]48) with the subject and issuer designated as “Gozargah,” likely referencing a GitHub account hosting an anti-censorship utility named Marzban.
This software, in turn, is bolstered by another open-source initiative named Xray, with a website predominantly in Chinese.
This indicates that “some of these hosts were running services associated with anti-censorship software likely intended to circumvent The Great Firewall,” and that “a significant number of these hosts are based in prominent Chinese networks,” suggesting that ArcaneDoor may be attributable to a Chinese actor, as postulated by Censys.
In recent years, nation-state actors linked to China have increasingly focused on perimeter appliances, leveraging undisclosed vulnerabilities in Barracuda Networks, Fortinet, Ivanti, and VMware to infiltrate high-value targets and deploy clandestine malware for persistent access.
These developments coincide with Sekoia, a French cybersecurity firm, reporting the successful interception of a command-and-control (C2) server connected to the PlugX trojan in September 2023, achieved through a nominal expenditure of $7 to procure the IP address associated with a variant of the malware capable of propagating via compromised flash drives.
A subsequent analysis of the intercepted IP address (45.142.166[.]112) revealed instances of the worm across more than 170 countries, spanning 2.49 million unique IP addresses over a six-month period, with a majority of infections detected in Nigeria, India, China, Iran, Indonesia, the U.K., Iraq, the U.S., Pakistan, and Ethiopia.
“Many nations, excluding India, are participants in China’s Belt and Road Initiative and have, for most of them, coastlines where Chinese infrastructure investments are significant,” remarked Sekoia. “Numerous affected countries are located in regions of strategic importance for the security of the Belt and Road Initiative.”
“This worm was developed to collect intelligence in various countries about the strategic and security concerns associated with the Belt and Road Initiative, mostly on its maritime and economic aspects.”
