Cyber-espionage attack targets perimeter devices on energy firm networks
- May 7, 2024
- Michael Nadeau
State-sponsored threat actors are targeting vulnerable internet-connected perimeter devices on networks belonging to critical infrastructure companies, including those in the energy industry. Security firm Cisco Talos reports that the intent of the previously unknown threat actor, which Talos calls UAT4356, is consistent with cyber-espionage campaigns run by other known state-sponsored groups.
UAT4356 took advantage of two vulnerabilities on the Cisco Adaptive Security Appliance (ASA) to launch its cyber-espionage campaign, which Talos calls ArcaneDoor. Once it achieves access, the threat actor deploys two backdoors that work together to modify configurations, perform reconnaissance, capture network traffic, exfiltrate data, and possibly move to other parts of the network.
Cisco Talos has not attributed the ArcaneDoor campaign to any country but is confident that it is state-sponsored. “Our attribution assessment is based on the victimology, the significant level of tradecraft employed in terms of capability development and anti-forensic measures, and the identification and subsequent chaining together of 0-day vulnerabilities. For these reasons, we assess with high confidence that these actions were performed by a state-sponsored actor,” the report’s authors stated.
Cisco has released critical fixes as well as advice for victims responding to an ArcaneDoor breach.