The Cybersecurity and Infrastructure Security Agency is ordering federal agencies to patch Cisco devices that have been exploited by an advanced hacker group, it said in a Thursday alert.
The hacking activity targeting the devices “is widespread and involves exploiting zero-day vulnerabilities to gain unauthenticated remote code execution” on various Cisco Adaptive Security Appliances, CISA said. A “zero-day” refers to a software flaw that’s being exploited but has not been previously discovered, giving developers zero days to fix it.
The activity has been linked to a hacking entity dubbed ArcaneDoor, Cisco said in its own blog post. The group, also known as Storm-1849, has possible links to China, according to an analysis released last year by cyber threat intelligence firm Censys. The Censys analysis was released following previous ArcaneDoor hacking activity reported early last year.
The software flaws allow hackers to gain control of devices without needing a password. Cyber intruders can also change how a given device’s basic software works so they can stay hidden even after the targeted device restarts or updates.
Internet routers are frequently targeted by hackers because they bridge internal networks and the public web. These devices often feature remote management interfaces and contain unpatched software vulnerabilities. Those openings offer attackers a pathway to intercept traffic, pilfer credentials or penetrate further into systems.
Agencies must implement patching by the end of day Friday. By October 3, all agencies must also provide CISA an inventory of relevant products to show the fixes have been made. CISA has also provided threat hunting instructions to agencies.
The group has been observed targeting organizations around the world but has recently refocused its efforts on entities in the United States, Sam Rubin, senior vice president for the Unit 42 threat intelligence arm at Palo Alto Networks, told Nextgov/FCW.
“As we have seen before, now that patches are available, we can expect attacks to escalate as cybercriminal groups quickly figure out how to take advantage of these vulnerabilities,” he added.
The directive is the second patching order issued by CISA in the second Trump administration. In August, an emergency directive was put out for Microsoft Exchange devices.
