May 06, 2024NewsroomNetwork Security / Malware

The recently uncovered cyber espionage campaign targeting perimeter network devices from several vendors, including Cisco, may have been the work of China-linked actors, according to new findings from attack surface management firm Censys.

Dubbed ArcaneDoor, the activity is said to have commenced around July 2023, with the first confirmed attack against an unnamed victim detected in early January 2024.

The targeted attacks, orchestrated by a previously undocumented suspected sophisticated state-sponsored actor tracked as UAT4356 (aka Storm-1849), entailed the deployment of two custom malware dubbed Line Runner and Line Dancer.

The initial access pathway used to facilitate the intrusions has yet to be discovered, although the adversary has been observed leveraging two now-patched flaws in Cisco Adaptive Security Appliances (CVE-2024-20353 and CVE-2024-20359) to persist Line Runner.

Telemetry data gathered as part of the investigation has revealed the threat actor’s interest in Microsoft Exchange servers and network devices from other vendors, Talos said last month.

Censys, which further examined the actor-controlled IP addresses, said the attacks point to the potential involvement of a threat actor based in China.

This is based on the fact that four of the five online hosts presenting the SSL certificate identified as associated with the attackers’ infrastructure are associated with Tencent and ChinaNet autonomous systems (AS).

In addition, among the threat actor-managed IP addresses is a Paris-based host (212.193.2[.]48) with the subject and issuer set as “Gozargah,” which is likely a reference to a GitHub account that hosts an anti-censorship tool named Marzban.

The software, in turn, is “powered” by another open-source project dubbed Xray that has a website written in Chinese.

This implies that “some of these hosts were running services associated with anti-censorship software likely intended to circumvent The Great Firewall,” and that “a significant number of these hosts are based in prominent Chinese networks,” suggesting that ArcaneDoor could be the work of a Chinese actor, Censys theorized.

Nation-state actors affiliated with China have increasingly targeted edge appliances in recent years, leveraging zero-day flaws in Barracuda Networks, Fortinet, Ivanti, and VMware to infiltrate targets of interest and deploy malware for persistent covert access.

The development comes as French cybersecurity firm Sekoia said it successfully sinkholed a command-and-control (C2) server linked to the PlugX trojan in September 2023 by spending $7 to acquire the IP address tied to a variant of the malware with capabilities to propagate in a worm-like fashion via compromised flash drives.

A closer monitoring of the sinkholed IP address (45.142.166[.]112) has revealed the worm’s presence in more than 170 countries spanning 2.49 million unique IP addresses over a six-month period. A majority of the infections have been detected in Nigeria, India, China, Iran, Indonesia, the U.K., Iraq, the U.S., Pakistan, and Ethiopia.

“Many nations, excluding India, are participants in China’s Belt and Road Initiative and have, for most of them, coastlines where Chinese infrastructure investments are significant,” Sekoia said. “Numerous affected countries are located in regions of strategic importance for the security of the Belt and Road Initiative.”

“This worm was developed to collect intelligence in various countries about the strategic and security concerns associated with the Belt and Road Initiative, mostly on its maritime and economic aspects.”