TLDR:
- State-sponsored threat actor exploited Cisco zero-day vulnerabilities in a campaign dubbed “ArcaneDoor.”
- Investigation links the hackers to China through SSL certificate details and anti-censorship tools.
According to a recent report by Cisco Talos, hackers targeted Cisco firewalls using zero-day vulnerabilities to gain unauthorized access and launch cyberattacks. The global campaign, known as “ArcaneDoor,” was attributed to a state-sponsored threat actor named “UAT4356.” The hackers exploited three zero-day vulnerabilities in Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software.
The investigation also revealed a link to China through SSL certificate details and anti-censorship tools found in the attack. Hosts with related certificates were distributed across Chinese autonomous systems, indicating a wide-reaching operation. The presence of anti-censorship tools like Xray and Marzban further supported the connection to China.
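The certificate-based pivot described above is a standard infrastructure-clustering step: start from one certificate attribute seen during an incident, find every host serving it, collect the other certificate attributes those hosts expose, and repeat. The example below is added here and is not code from the Talos report or from this page. All host, ASN and certificate values are constructed sample data (documentation IP ranges and ASNs), not the actual ArcaneDoor indicators. It also adds the caveat a practitioner needs: an attribute shared by too many hosts (a hosting provider's or CDN's certificate) is skipped, otherwise the pivot balloons into unrelated infrastructure.

```python
"""
Infrastructure pivot on TLS certificate attributes (added example).

Expands from one seed certificate attribute to hosts that share certificate
attributes (SHA-256 fingerprint, subject CN, serial) and summarises the
resulting hosts by autonomous system. All records are constructed.
"""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass

Attr = tuple[str, str]  # (attribute name, attribute value)


@dataclass(frozen=True)
class CertObservation:
    host: str        # IP observed serving the certificate (constructed)
    asn: str         # autonomous system of that IP (constructed)
    sha256: str      # certificate fingerprint (constructed, shortened)
    subject_cn: str  # certificate subject common name (constructed)
    serial: str      # certificate serial number (constructed)


# Constructed scan results. 198.51.100.x / 203.0.113.5 form one certificate
# family; 198.51.100.12 additionally serves a CDN-style certificate that is
# shared with five unrelated hosts, which is the trap the threshold avoids.
OBSERVATIONS = [
    CertObservation("198.51.100.10", "AS64500", "aa11", "panel.example", "01"),
    CertObservation("198.51.100.11", "AS64500", "aa11", "panel.example", "01"),
    CertObservation("198.51.100.12", "AS64501", "bb22", "panel.example", "02"),
    CertObservation("203.0.113.5", "AS64501", "cc33", "proxy.example", "02"),
    CertObservation("203.0.113.6", "AS64502", "dd44", "unrelated.example", "09"),
    CertObservation("198.51.100.12", "AS64501", "ee55", "cdn.example", "77"),
] + [
    CertObservation(f"192.0.2.{i}", "AS64510", "ee55", "cdn.example", "77")
    for i in range(1, 6)
]


def build_indexes(observations):
    """Index hosts by attribute, attributes by host, and ASN by host."""
    hosts_by_attr: dict[Attr, set[str]] = defaultdict(set)
    attrs_by_host: dict[str, set[Attr]] = defaultdict(set)
    asn_of: dict[str, str] = {}
    for o in observations:
        asn_of[o.host] = o.asn
        for attr in (("sha256", o.sha256), ("subject_cn", o.subject_cn),
                     ("serial", o.serial)):
            hosts_by_attr[attr].add(o.host)
            attrs_by_host[o.host].add(attr)
    return hosts_by_attr, attrs_by_host, asn_of


def pivot(observations, seed: Attr, max_shared: int = 5):
    """Breadth-first expansion from a seed attribute to linked hosts.

    Attributes served by more than `max_shared` hosts are treated as too
    common to be a meaningful link (shared hosting/CDN certificates).
    Returns (linked hosts, attributes that were used as pivots).
    """
    hosts_by_attr, attrs_by_host, _ = build_indexes(observations)
    linked_hosts: set[str] = set()
    used_attrs: set[Attr] = set()
    seen_attrs: set[Attr] = set()
    queue = deque([seed])
    while queue:
        attr = queue.popleft()
        if attr in seen_attrs or attr not in hosts_by_attr:
            continue
        seen_attrs.add(attr)
        if len(hosts_by_attr[attr]) > max_shared:
            continue  # skip: shared by too many hosts to attribute anything
        used_attrs.add(attr)
        for host in hosts_by_attr[attr]:
            if host not in linked_hosts:
                linked_hosts.add(host)
                queue.extend(attrs_by_host[host])
    return linked_hosts, used_attrs


def asn_distribution(observations, hosts):
    """Count linked hosts per autonomous system."""
    _, _, asn_of = build_indexes(observations)
    return Counter(asn_of[h] for h in hosts)


if __name__ == "__main__":
    seed = ("sha256", "aa11")
    hosts, attrs = pivot(OBSERVATIONS, seed)
    print(f"seed {seed}: {len(hosts)} linked hosts via {len(attrs)} attributes")
    for asn, count in sorted(asn_distribution(OBSERVATIONS, hosts).items()):
        print(f"  {asn}: {count} host(s)")
```

With the default threshold the seed fingerprint expands to four hosts split evenly across two constructed ASNs; raising `max_shared` lets the CDN certificate pull in five unrelated hosts, which is exactly the false-positive clustering a threshold guards against. Real pivots add the same guard for other shared attributes (default issuer names, common self-signed subjects) before drawing any conclusion about who operates the hosts.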
Overall, the report highlights the complex and sophisticated nature of cyber threats involving state-sponsored actors and the importance of analyzing various indicators to identify the origin and motives behind such attacks.