Cisco Discloses Cyber Attack on Government Networks

Cisco Systems has revealed that hackers managed to exploit vulnerabilities in its digital security devices, gaining unauthorized access to government networks worldwide. The breach, attributed to a group identified as “UAT4356,” targeted Cisco’s Adaptive Security Appliances, which integrate multiple digital defense functions.
Cisco is a major player in the global security appliance market, with a 10.9 percent share in Q4 2023, according to an IDC report. The security appliance market was worth $4.96 billion in 2023, and Palo Alto Networks is the leader with an 18.2 percent share.

Cisco Systems, the leading networking supplier to top enterprises and government agencies, revealed in a blog post that its investigation identified compromises in government networks across different countries. Cisco has already patched the vulnerabilities exploited in these cyber attacks.

Cisco has urged its customers to update their software to mitigate the risk of further exploitation. However, specific details regarding the impacted networks and the extent of the breaches were not disclosed by the company.

The incident underscores the growing trend of targeting security equipment like routers, which are often positioned at the perimeter of networks, making them challenging to monitor. Cisco’s warning also highlighted potential threats to network devices from other vendors, including Microsoft, although Microsoft has yet to comment on the matter.

In light of these developments, the Cybersecurity and Infrastructure Security Agency (CISA) released an alert regarding the Cisco vulnerabilities, emphasizing the importance of vigilance and prompt action to safeguard against such cyber threats. However, CISA stated that it had not yet confirmed evidence of these activities impacting U.S. government networks, according to a Reuters news report.

How it attacks

The campaign, dubbed ArcaneDoor, underscores a troubling trend of increased targeting of perimeter network devices, particularly in sectors vital to national infrastructure such as telecommunications and energy. These sectors are deemed strategic targets for foreign governments, highlighting the gravity of the threat posed by state-sponsored cyber espionage.

Drawing on its position as a leader in network infrastructure, Cisco’s Talos Intelligence and Interdiction team has spearheaded efforts to investigate and mitigate the ArcaneDoor campaign. A collaborative effort involving Cisco’s Product Security Incident Response Team (PSIRT) and external intelligence partners led to the identification of the threat actor, now known as UAT4356 by Talos and STORM-1849 by the Microsoft Threat Intelligence Center.

The sophisticated nature of the campaign became apparent as investigators uncovered two distinct backdoors, “Line Runner” and “Line Dancer,” employed by the attackers to manipulate configurations, conduct reconnaissance, capture and exfiltrate network traffic, and potentially facilitate lateral movement within targeted networks.

Cisco has issued critical fixes addressing the vulnerabilities exploited by the attackers, urging customers to follow the recommended security advisories. While efforts to pinpoint the initial attack vector continue, two vulnerabilities (CVE-2024-20353 and CVE-2024-20359) have been identified as exploited in the campaign, underscoring the need for prompt action to fortify network defenses.

Moreover, Cisco emphasizes the broader risk posed to network devices from multiple vendors, urging stakeholders to implement robust security measures, including centralized logging and multi-factor authentication (MFA), irrespective of equipment provider.

The timeline of the ArcaneDoor campaign traces back to early 2024 when suspicious activity was first detected on Cisco Adaptive Security Appliances (ASA) devices. Subsequent investigations revealed a broader scope, with government networks globally affected. Actor-controlled infrastructure dating back to November 2023 was identified, with peak activity occurring between December 2023 and January 2024, suggesting a prolonged and concerted effort by the threat actor.

Baburajan Kizhakedath
