CISA Issues Emergency Patching Directive for Cisco Devices on Federal Networks
A cyber threat group is actively exploiting vulnerabilities in Cisco devices, both the company and the Cybersecurity and Infrastructure Security Agency (CISA) have confirmed. An analysis published last year suggested the group has possible links to China.
CISA has issued an emergency directive requiring federal agencies to address widespread exploitation of zero-day vulnerabilities in Cisco Adaptive Security Appliances (ASA). The directive follows a recent surge in activity targeting these devices, which CISA attributes to the actor behind the ArcaneDoor campaign, also tracked as Storm-1849.
Censys, an internet-scanning and threat intelligence firm, released an analysis last year suggesting the group has possible links to China. An industry source corroborated this, saying the hackers are likely tied to China, but emphasized that CISA is not, for now, attributing the activity to a particular nation-state or cybercrime syndicate.
Hundreds of Cisco devices used inside the federal government have been targeted. The flaws let an attacker take control of a device without valid credentials, and the attackers have also modified the device's low-level software so that their access survives a reboot or a software upgrade.
Internet-facing edge devices such as firewalls, VPN concentrators and routers are particularly exposed to this kind of attack: they typically carry a remote management interface and often run unpatched software. Once compromised, such a device gives an attacker a position from which to intercept traffic, harvest credentials and move deeper into the network.
Patching Deadline Set by CISA
CISA has set an aggressive deadline: federal agencies must patch all affected devices by the end of the day on Friday. By October 3, agencies must also provide CISA with an inventory of the relevant products showing that the fixes have been applied.
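The inventory the directive asks for is, in practice, a list of every affected device with its running release and whether that release is at or above the fixed one. The script below is an added example (not code from the article, from Cisco or from CISA) of how an agency might produce that list from the text of each device's `show version` output. The fixed-release thresholds in `MIN_FIXED_BY_TRAIN` are placeholders because the article names no fixed releases; the real values come from the vendor advisory. The `show version` snippets in `SAMPLES` are constructed for the example.

```python
"""Patch-status inventory for Cisco ASA devices, built from 'show version' text.

Added example, not code from the article, from Cisco or from CISA.
Assumptions: the thresholds in MIN_FIXED_BY_TRAIN are placeholders (replace
them with the releases named in the vendor advisory), and the 'show version'
snippets in SAMPLES are constructed, not captured from real devices.
"""
import re

# Minimum patched (interim, build) per major.minor train. PLACEHOLDER VALUES.
MIN_FIXED_BY_TRAIN = {
    (9, 16): (4, 80),
    (9, 18): (4, 60),
    (9, 20): (3, 20),
}

# ASA prints its release as e.g. "Software Version 9.16(4)67".
_VERSION_RE = re.compile(r"Software Version (\d+)\.(\d+)\((\d+)\)(\d+)")


def parse_asa_version(show_version: str):
    """Return (major, minor, interim, build) or None if no version line is found."""
    m = _VERSION_RE.search(show_version)
    return tuple(int(g) for g in m.groups()) if m else None


def format_version(v) -> str:
    """Render a parsed tuple back in Cisco's own notation, e.g. 9.16(4)67."""
    return f"{v[0]}.{v[1]}({v[2]}){v[3]}"


def patch_status(version) -> str:
    """Classify one parsed version against the threshold table.

    'unknown-train' means the train has no threshold here: treat it as a
    manual-review item (it may be an end-of-support release rather than a
    patched one), never as patched.
    """
    if version is None:
        return "unparseable"
    train = version[:2]
    if train not in MIN_FIXED_BY_TRAIN:
        return "unknown-train"
    # Tuple comparison orders (interim, build) the way Cisco numbers them.
    return "patched" if version[2:] >= MIN_FIXED_BY_TRAIN[train] else "vulnerable"


def build_inventory(outputs: dict) -> list:
    """Map {hostname: show-version text} to report rows, worst status first."""
    order = {"vulnerable": 0, "unparseable": 1, "unknown-train": 2, "patched": 3}
    rows = []
    for host, text in outputs.items():
        v = parse_asa_version(text)
        rows.append({
            "host": host,
            "version": format_version(v) if v else "?",
            "status": patch_status(v),
        })
    return sorted(rows, key=lambda r: (order[r["status"]], r["host"]))


# Constructed sample outputs (not real devices).
SAMPLES = {
    "asa-edge-1": "Cisco Adaptive Security Appliance Software Version 9.16(4)67\n"
                  "Device Manager Version 7.16(1)\nasa-edge-1 up 12 days 3 hours",
    "asa-edge-2": "Cisco Adaptive Security Appliance Software Version 9.18(4)60\n"
                  "asa-edge-2 up 2 hours 14 mins",
    "asa-vpn-1": "Cisco Adaptive Security Appliance Software Version 9.12(4)65\n"
                 "asa-vpn-1 up 300 days 1 hour",
    "fw-lab": "% Connection timed out; remote host not responding",
}

if __name__ == "__main__":
    for row in build_inventory(SAMPLES):
        print(f"{row['host']:<12} {row['version']:<12} {row['status']}")
```

Two design points matter for a directive response: a device whose train is not in the threshold table is reported for manual review rather than silently counted as patched, because an old train is more likely end-of-support than fixed; and a device that could not be reached is reported as `unparseable` rather than dropped, so the inventory handed to CISA does not quietly shrink to the devices that happened to answer.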
Threat Hunting Instructions Issued
CISA has also issued threat hunting guidance, urging agencies to detect and respond to possible ArcaneDoor activity quickly. Bob Costello, the agency's chief information officer, stressed the importance of timely remediation in a recent briefing.
"As soon as these vulnerabilities are released to the threat actor, we believe the threat actor will likely try to pivot and change tactics. So we think it’s really important for our organizations to try to detect that threat actor activity as quickly as possible," Costello said.
Escalating Attacks Expected
Sam Rubin, senior vice president of Unit 42, the threat intelligence arm of Palo Alto Networks, expects attacks to escalate now that patches are available. "As we have seen before, now that patches are available, we can expect attacks to escalate as cybercriminal groups quickly figure out how to take advantage of these vulnerabilities," he said.
Critical Infrastructure Targets
Butera also confirmed that the hackers behind the breach have targeted critical infrastructure owners and operators. That adds a further concern for agencies, which must prioritize not only patching their own devices but also confirming that their third-party providers have patched theirs.
A Second Emergency Directive Issued by CISA
This is the second emergency directive CISA has issued during the second Trump administration; the first, issued in August, addressed Microsoft Exchange servers.