The recently disclosed cyber espionage effort targeting perimeter network devices from numerous vendors, including Cisco, may have been the work of China-linked criminals, according to fresh data from attack surface management firm Censys.
Dubbed ArcaneDoor, the activity is reported to have began around July 2023, with the first confirmed attack on an unknown victim detected in early January 2024.
The targeted attacks, organized by a hitherto unrecorded alleged sophisticated state-sponsored actor tagged as UAT4356 (aka Storm-1849), comprised the introduction of two unique viruses called Line Runner and Line Dancer.
The initial access pathway used to allow the incursions has yet to be established, while the attacker has been detected utilizing two now-patched weaknesses in Cisco Adaptive Security Appliances (CVE-2024-20353 and CVE-2024-20359) to persist Line Runner.
Telemetry data acquired as part of the investigation has shown the threat actor's interest in Microsoft Exchange servers and network devices from other manufacturers, Talos reported last month.
Censys, which further studied the actor-controlled IP addresses, said the attacks suggest to the likely involvement of a threat actor based in China.
This is predicated on the fact that four of the five internet hosts providing the SSL certificate identified as related with the attackers' infrastructure are associated with Tencent and ChinaNet autonomous systems (AS).
In addition, among the threat actor-managed IP addresses is a Paris-based server (212.193.2[.]48) with the topic and issuer set as "Gozargah," which is presumably a reference to a GitHub account that hosts an anti-censorship program named Marzban.
The software, in turn, is "powered" by another open-source project termed Xray that includes a webpage written in Chinese.
This implies that "some of these hosts were running services associated with anti-censorship software likely intended to circumvent The Great Firewall," and that "a significant number of these hosts are based in prominent Chinese networks," suggesting that ArcaneDoor could be the work of a Chinese actor, Censys theorized.
Nation-state actors connected with China have increasingly targeted edge appliances in recent years, utilizing zero-day holes in Barracuda Networks, Fortinet, Ivanti, and VMware to enter targets of interest and distribute malware for persistent covert access.
The development comes as French cybersecurity firm Sekoia said it successfully sinkholed a command-and-control (C2) server linked to the PlugX trojan in September 2023 by spending $7 to acquire the IP address tied to a variant of the malware with capabilities to propagate in a worm-like fashion via compromised flash drives.
A closer monitoring of the sinkholed IP address (45.142.166[.]112) has revealed the worm's presence in more than 170 countries encompassing 2.49 million unique IP addresses over a six-month period. A majority of the infections have been found in Nigeria, India, China, Iran, Indonesia, the U.K., Iraq, the U.S., Pakistan, and Ethiopia.
"Many nations, excluding India, are participants in China's Belt and Road Initiative and have, for most of them, coastlines where Chinese infrastructure investments are significant," Sekoia added. "Numerous affected countries are located in regions of strategic importance for the security of the Belt and Road Initiative."
"This worm was developed to collect intelligence in various countries about the strategic and security concerns associated with the Belt and Road Initiative, mostly on its maritime and economic aspects."
