Golden Shield of China-ArcaneDoor Weapon: how censorship is used for espionage

Father

The company revealed China's involvement in espionage and hacker tools.

Censys has revealed information about a new ArcaneDoor cyber espionage campaign allegedly linked to China. It is reported that the attacks began in July 2023, and the first attack was recorded in January 2024.

The attacks were carried out by the UAT4356 group (also tracked as Storm-1849), which used two types of malware: Line Runner and Line Dancer. The implants were deployed through vulnerabilities in Cisco Adaptive Security Appliances that have since been fixed by the vendor (CVE-2024-20353 with a CVSS rating of 8.6 and CVE-2024-20359 with a CVSS rating of 6.0).

As part of the study, it was found that the attackers also showed interest in Microsoft Exchange servers and devices from other manufacturers. After analyzing the hackers' IP addresses, Censys noted a possible Chinese connection: 4 out of 5 hosts that use SSL certificates associated with the attackers' infrastructure are located on the Tencent and ChinaNet networks.
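The pivot described above (hosts sharing a certificate with known attacker infrastructure, then grouped by hosting network) is a routine threat-intelligence step. The following is an added example, not code from Censys or from the article: it clusters constructed scan records by TLS certificate fingerprint, summarises each cluster by autonomous-system organisation, and lists the hosts that fall outside the dominant networks so an analyst knows where to look next. All IPs, fingerprints and organisation names in SAMPLE_HOSTS are placeholders (RFC 5737 documentation ranges), not real observations.

```python
from collections import Counter, defaultdict

# Constructed sample records in the shape an internet-scan export might provide:
# ip, SHA-256 fingerprint of the served TLS certificate, AS organisation, country.
# These are placeholders for illustration only, not real hosts or fingerprints.
SAMPLE_HOSTS = [
    {"ip": "192.0.2.10",   "cert_sha256": "aa" * 32, "as_org": "Tencent",        "country": "CN"},
    {"ip": "192.0.2.11",   "cert_sha256": "aa" * 32, "as_org": "ChinaNet",       "country": "CN"},
    {"ip": "192.0.2.12",   "cert_sha256": "aa" * 32, "as_org": "Tencent",        "country": "CN"},
    {"ip": "192.0.2.13",   "cert_sha256": "aa" * 32, "as_org": "ChinaNet",       "country": "CN"},
    {"ip": "198.51.100.5", "cert_sha256": "aa" * 32, "as_org": "ExampleHost-FR", "country": "FR"},
    {"ip": "203.0.113.7",  "cert_sha256": "bb" * 32, "as_org": "ExampleHost-FR", "country": "FR"},
]


def cluster_by_certificate(hosts):
    """Group hosts that present the same certificate fingerprint.

    A shared leaf certificate is a strong link between hosts: it is far
    harder to explain away than a shared hosting provider.
    """
    clusters = defaultdict(list)
    for h in hosts:
        clusters[h["cert_sha256"]].append(h)
    return dict(clusters)


def network_distribution(cluster):
    """Count how many hosts in one certificate cluster sit on each AS organisation."""
    return Counter(h["as_org"] for h in cluster)


def fraction_in_networks(cluster, networks):
    """Fraction of a cluster hosted on any of the named networks (0.0 for an empty cluster)."""
    if not cluster:
        return 0.0
    hits = sum(1 for h in cluster if h["as_org"] in networks)
    return hits / len(cluster)


def outliers(cluster, networks):
    """IPs in the cluster that are NOT on the given networks.

    These are the hosts an analyst would examine next, because they may
    reveal a different provider, a relay, or an unrelated service that
    merely reuses the same certificate.
    """
    return [h["ip"] for h in cluster if h["as_org"] not in networks]


def summarise(hosts, networks):
    """Per-certificate summary: distribution, share on the named networks, and outliers."""
    report = {}
    for fingerprint, cluster in cluster_by_certificate(hosts).items():
        report[fingerprint] = {
            "size": len(cluster),
            "by_network": dict(network_distribution(cluster)),
            "share_on_networks": fraction_in_networks(cluster, networks),
            "outliers": outliers(cluster, networks),
        }
    return report


if __name__ == "__main__":
    for fp, info in summarise(SAMPLE_HOSTS, {"Tencent", "ChinaNet"}).items():
        print(fp[:16], info)
```

Note that the share of a cluster on a given network is a pivot for further investigation, not attribution by itself; as the article itself points out, hosting location has to be weighed together with tooling, victimology and context.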

[Image: Found hosts]

In addition, one of the hosts is located in Paris and is associated with the anti-censorship tool Marzban. Given that Marzban was written by Chinese developers, it is obvious that it was created to bypass the Great Firewall of China (also known as the Golden Shield).

Determining whether cyber attacks are sponsored by the Chinese authorities requires a comprehensive approach. While analyzing the networks that host the hackers' infrastructure is one part of the puzzle, other factors must be considered, such as the attack methods, the victims, and the geopolitical context. The experts' investigation will likely continue as they receive more detailed information about the targets of the attacks.

Earlier, Cisco warned that its Adaptive Security Appliances, which combine a firewall, VPN and other security components, had been compromised by a hacker group apparently associated with one of the unfriendly states. The hackers exploited two previously unknown vulnerabilities in Cisco products to gain access to government facilities around the world. The cyberattack was named ArcaneDoor.