
ArcaneDoor infiltrating government networks with Cisco zero-day vulnerabilities


TLDR:

  • A state-sponsored actor is exploiting two Cisco zero-days to break into government networks.
  • The ArcaneDoor campaign targets perimeter network devices (Cisco ASA and FTD firewalls) for espionage.

Summary:

Cisco Talos has uncovered ArcaneDoor, a state-sponsored espionage campaign that exploited two previously unknown vulnerabilities in Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. Because these are perimeter devices, a single compromised appliance gives the attacker a view of traffic for everything behind it, which is why the campaign could affect many systems and networks at once. Talos tracks the actor as UAT4356; Microsoft tracks the same group as STORM-1849. After gaining access, the actor implanted custom malware on the appliances and used it to run commands, change device configuration, exfiltrate data, and move laterally into the networks the devices protect, while avoiding detection. The two vulnerabilities involved are CVE-2024-20353 and CVE-2024-20359. Cisco's guidance is to upgrade to the fixed software releases, monitor for the published indicators of compromise (IoCs), and deploy the Snort signatures it released to catch the implants' behaviour. The published IoCs cover both actor-controlled infrastructure and multi-tenant infrastructure the actor shared with unrelated parties, so a hit on the latter needs corroboration before it is treated as a confirmed compromise.
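The IoC-monitoring step above is where most teams start. The script below is an added example, not code from Cisco Talos or the original article: it parses ASA-format syslog lines, extracts every IPv4 address, and flags those that fall inside an IoC network list. The IoC addresses are RFC 5737 documentation ranges standing in for the real indicators (which this page does not list; take them from the Talos advisory), and the log lines are constructed for the example, though they follow the genuine `%ASA-<severity>-<message-id>` format. The `direction` field is recovered from the "Built inbound/outbound" wording so an analyst can see at a glance whether the appliance accepted a connection from IoC infrastructure or initiated one to it, which is the difference between a scan and a beacon.

```python
import ipaddress
import re
from typing import Iterable, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Hypothetical IoC list (assumption): RFC 5737 documentation addresses used as
# placeholders for actor-controlled infrastructure. These are NOT the indicators
# Cisco Talos published; substitute the advisory's list before real use.
IOC_NETWORKS: list[Network] = [
    ipaddress.ip_network("203.0.113.0/28"),
    ipaddress.ip_network("198.51.100.77/32"),
]

# Constructed ASA syslog lines in the real %ASA-<sev>-<id> format. The
# addresses, ports and connection IDs are invented for this example.
SAMPLE_LOGS = [
    "%ASA-6-302013: Built inbound TCP connection 7001 for outside:203.0.113.10/51234 "
    "(203.0.113.10/51234) to inside:10.0.0.5/443 (10.0.0.5/443)",
    "%ASA-6-302014: Teardown TCP connection 7001 for outside:203.0.113.10/51234 "
    "to inside:10.0.0.5/443 duration 0:00:02 bytes 1480 TCP FINs",
    "%ASA-6-302013: Built inbound TCP connection 7002 for outside:192.0.2.44/40000 "
    "(192.0.2.44/40000) to inside:10.0.0.5/443 (10.0.0.5/443)",
    "%ASA-6-302013: Built outbound TCP connection 7003 for outside:198.51.100.77/443 "
    "(198.51.100.77/443) to inside:10.0.0.9/52222 (10.0.0.9/52222)",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DIRECTION_RE = re.compile(r"\bBuilt (inbound|outbound)\b")


def extract_ipv4(line: str) -> set[ipaddress.IPv4Address]:
    """Return every syntactically valid IPv4 address found in a log line."""
    found: set[ipaddress.IPv4Address] = set()
    for token in IPV4_RE.findall(line):
        try:
            found.add(ipaddress.IPv4Address(token))
        except ValueError:
            # e.g. "999.1.1.1" matches the regex but is not an address
            continue
    return found


def direction(line: str) -> str:
    """'inbound', 'outbound', or 'unknown' (teardown lines carry no direction)."""
    m = DIRECTION_RE.search(line)
    return m.group(1) if m else "unknown"


def matching_iocs(addr: ipaddress.IPv4Address, networks: Iterable[Network]) -> list[Network]:
    """All IoC networks that contain addr (usually zero or one)."""
    return [net for net in networks if addr in net]


def scan(lines: Iterable[str], networks: Iterable[Network] = IOC_NETWORKS) -> list[dict]:
    """One hit per (line, address) pair whose address falls inside an IoC network."""
    networks = list(networks)
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for addr in sorted(extract_ipv4(line)):
            nets = matching_iocs(addr, networks)
            if nets:
                hits.append({
                    "line": lineno,
                    "address": str(addr),
                    "ioc": str(nets[0]),
                    "direction": direction(line),
                })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"line {hit['line']}: {hit['address']} in {hit['ioc']} ({hit['direction']})")
```

Run this against syslog collected off-box (a central syslog server or a SIEM export) rather than against whatever the appliance still holds locally: an implant with code execution on the device can alter or suppress local logging, so only logs that already left the box are trustworthy evidence. Address matching is also a low-fidelity signal on its own; a hit on a shared multi-tenant host is a lead to investigate, not proof of compromise.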
