Arcane Door: China Suspected In Network Device Attacks

Published on May 9th, 2024

Newly surfaced evidence from attack surface management firm Censys suggests that the recent cyber espionage campaign targeting perimeter network devices, including those from Cisco, may have origins linked to China.

Dubbed ArcaneDoor, this covert operation is believed to have begun around July 2023, with the initial confirmed breach detected in early January 2024.

Attributed to a previously unknown and sophisticated state-sponsored actor dubbed UAT4356 or Storm-1849, the attacks involved the deployment of two bespoke malware strains named Line Runner and Line Dancer.

Despite extensive investigation, the precise entry point utilized by the assailants remains undisclosed.

However, it has been noted that the adversaries exploited two now-patched vulnerabilities in Cisco Adaptive Security Appliances (CVE-2024-20353 and CVE-2024-20359) to maintain persistence with Line Runner.

Recent telemetry data, disclosed last month by Talos, indicates the threat actor’s keen interest in Microsoft Exchange servers and network devices manufactured by other vendors.

Further scrutiny by Censys of the IP addresses under the attacker’s control suggests potential ties to China.

This inference is supported by the fact that four of the five online hosts presenting SSL certificates are associated with Tencent and ChinaNet autonomous systems (AS).

Of particular note is a host in Paris, identified with the issuer and subject labeled as “Gozargah,” likely referring to a GitHub repository housing an anti-censorship tool called Marzban.

The software is supported by an open-source project named Xray, which has a Chinese-language website. This hints at the involvement of hosts running anti-censorship services, potentially intended to bypass the Great Firewall.

Censys speculates that ArcaneDoor’s origins could indeed be tied to Chinese actors, given the prevalence of such hosts within prominent Chinese networks.

In recent years, nation-state actors associated with China have increasingly targeted edge appliances, exploiting zero-day vulnerabilities in brands like Barracuda Networks, Fortinet, Ivanti, and VMware to infiltrate high-value targets and establish covert access.

In parallel developments, French cybersecurity firm Sekoia announced its successful sinkholing of a command-and-control (C2) server linked to the PlugX trojan in September 2023, achieved by a mere $7 investment to acquire the associated IP address.

The variant of PlugX associated with the server displayed worm-like propagation capabilities through compromised flash drives.

Monitoring of the sinkholed IP address (45.142.166[.]112) revealed infections spanning over 170 countries, with a significant concentration in nations participating in China’s Belt and Road Initiative.

Sekoia suggests that the worm was designed to gather intelligence on strategic and security concerns related to the Initiative, particularly its maritime and economic aspects.