ArcaneDoor: Cyber Spies infiltrate Government Networks through Cisco firewalls

Which state sponsors the new campaign and what vulnerabilities help hackers?

Network security features, such as firewalls, are designed to protect corporate networks from hacking. But as it turns out, cybercriminals are increasingly turning these systems against their owners, using them as springboards to break into vulnerable networks.

On Wednesday, Cisco warned that its Adaptive Security Appliances, which combine a firewall, VPN and other security components, were compromised by a hacker group apparently linked to one of the unfriendly states. The hackers took advantage of two previously unknown vulnerabilities in Cisco products to gain access to government facilities around the world. The cyberattack was named ArcaneDoor.

The hacker group, which Cisco's Talos cybersecurity division calls UAT4356 and which the Microsoft experts involved in the investigation call STORM-1849, has not previously been associated with any known incident. However, judging by its professionalism and its focus on cyber espionage, Cisco concludes that a state sponsor is behind it.

According to experts, malicious activity began in November 2023, but the peak occurred in December-January 2024, when the first victim was identified. "Further investigation revealed other cases of hacking, all involving government networks in different countries," the report says.

The first vulnerability, called Line Dancer, allowed malicious code to be embedded in the memory of firewalls, allowing them to execute commands on these systems, intercept network traffic, and steal confidential data. The second issue, Line Runner, ensured that access was preserved even after rebooting or updating compromised devices.

Cisco itself does not name the country involved in the attacks. However, knowledgeable sources say that this campaign seems to be in China's best interests.

Cisco has released updates to address these vulnerabilities and recommends that customers install them as soon as possible. The manufacturer also offers a set of measures to identify possible traces of hacking. Meanwhile, the UK's National Cyber Security Centre notes that physically disconnecting ASA devices from the power supply restricts the hackers' access to the system, even though they usually deploy the Line Runner mechanism to maintain their presence.

Experts are sounding the alarm: over the past two years, they have seen a sharp and steady increase in attacks on perimeter cybersecurity systems in vital industries such as telecommunications and energy. Penetration into such infrastructure facilities is of serious interest to many aggressor states.

This alarming trend of attacks on edge network systems has become so significant that Google's Mandiant analysts have highlighted it in their annual M-Trends cyber threat report. The document, in particular, mentions vulnerabilities widely used by hackers last year in the products of Barracuda and Ivanti companies.