Cisco has assessed that the hacking campaign is linked to the threat actor ArcaneDoor, which may have ties with China.
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive asking federal agencies to take immediate action to identify and mitigate system vulnerabilities to protect their devices from a major hacking campaign, the agency said in a Sept. 25 statement.
“This widespread campaign poses a significant risk to victims’ networks by exploiting zero-day vulnerabilities that persist through reboots and system upgrades,” CISA said.
Zero-day vulnerabilities refer to unknown or unaddressed security flaws in computer hardware, firmware, or software. Such vulnerabilities are called “zero-day” since the software or device with such flaws has zero days to fix the issue, thus enabling hackers to immediately exploit them.
According to the directive, Cisco has assessed that the hacking campaign is linked to the threat actor ArcaneDoor.
A May 2024 post by computer and network security company Censys said an investigation of IPs controlled by ArcaneDoor suggested “the potential involvement of an actor based in China, including links to multiple major Chinese networks and the presence of Chinese-developed anti-censorship software.”
Four out of five IP hosts analyzed by Censys were found to be in China, with some linked to Chinese conglomerate Tencent and Chinese telecom company ChinaNet.
“Networks like Tencent and ChinaNet have extensive reach and resources, so they would make sense as an infrastructure choice for a sophisticated global operation like this one,” Censys said in its post.
In a Sept. 25 statement, Cisco said it had been engaged by multiple government agencies in May to provide support to an investigation into attacks targeting the company’s ASA devices.
The company said it has “high confidence” that the hacking activity was related to ArcaneDoor.
“Cisco assesses with high confidence that upgrading to a fixed software release will break the threat actor’s attack chain and strongly recommends that all customers upgrade to fixed software releases,” the company said.
