US Cyber Agency Issues Emergency Directive Amid Major Hacking Campaign Targeting Cisco

Authored by Naveen Athrappully via The Epoch Times (emphasis ours),

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive asking federal agencies to take immediate action to identify and mitigate system vulnerabilities to protect their devices from a major hacking campaign, the agency said in a Sept. 25 statement.

A member of the hacking group Red Hacker Alliance using a website that monitors global cyberattacks on his computer in Dongguan, Guangdong Province, China, on Aug. 4, 2020. Nicolas Asfouri/AFP via Getty Images

“This widespread campaign poses a significant risk to victims’ networks by exploiting zero-day vulnerabilities that persist through reboots and system upgrades,” CISA said.

Zero-day vulnerabilities are security flaws in computer hardware, firmware, or software that are unknown to, or not yet fixed by, the vendor. They are called “zero-day” because the vendor has had zero days to fix the flaw before attackers begin exploiting it.

According to the directive, Cisco has assessed that the hacking campaign is linked to the threat actor ArcaneDoor.

A May 2024 post by computer and network security company Censys said an investigation of IPs controlled by ArcaneDoor suggested “the potential involvement of an actor based in China, including links to multiple major Chinese networks and the presence of Chinese-developed anti-censorship software.”

Four out of five IP hosts analyzed by Censys were found to be in China, with some linked to Chinese conglomerate Tencent and Chinese telecom company ChinaNet.

“Networks like Tencent and ChinaNet have extensive reach and resources, so they would make sense as an infrastructure choice for a sophisticated global operation like this one,” Censys said in its post.

In a Sept. 25 statement, Cisco said it had been engaged by multiple government agencies in May to provide support to an investigation into attacks targeting the company’s ASA devices.

The company said it has “high confidence” that the hacking activity was related to ArcaneDoor.

“Cisco assesses with high confidence that upgrading to a fixed software release will break the threat actor’s attack chain and strongly recommends that all customers upgrade to fixed software releases,” the company said.

The CISA directive comes as Chris Butera, the agency’s acting deputy executive assistant director for cyber, discussed helping organizations tackle the growing number of vulnerabilities during a Sept. 25 panel discussion held by media company FedScoop.

Butera discussed the Known Exploited Vulnerabilities (KEV) catalog CISA uses to prioritize system vulnerabilities that require patching.

“The number of vulnerabilities that have been published has increased to over 40,000 last year. And so for any organization to try to track and patch against 40,000 different vulnerabilities within their IT ecosystem is a very complex challenge,” he said.

“We have to do a lot more with automation, and I think that’s where maybe AI can come in and help with some of the automation pieces.”

“In the federal space, we’ve had great results, with over 99 percent of the KEVs that are internet-facing being patched quickly by our federal agencies.”

Exploiting Cisco Devices

CISA’s emergency directive was issued due to the threat actor targeting Cisco Adaptive Security Appliances (ASA).

Cisco ASA is a family of firewall security devices that offers users “highly secure access to data and network resources,” according to the Cisco website. Vulnerabilities on ASA devices can allow malicious actors to access user data.

In the directive, CISA asked federal agencies to account for all Cisco ASA and Firepower devices, collect forensic data, and analyze any compromises using procedures and tools provided by CISA.

Agencies are required to “disconnect end-of-support devices and upgrade those that will remain in service by 11:59 PM EST on September 26, 2025,” the statement said.

End-of-support devices are those that continue to be used by agencies but no longer receive direct support or security updates from their manufacturers.

“As the lead for federal cybersecurity, CISA is directing federal agencies to take immediate action due to the alarming ease with which a threat actor can exploit these vulnerabilities, maintain persistence on the device, and gain access to a victim’s network,” said CISA Acting Director Madhu Gottumukkala.

“The same risks apply to any organizations using these devices. We strongly urge all entities to adopt the actions outlined in this Emergency Directive.”

According to the directive, agencies are required to report to CISA a full inventory of all affected products, including details regarding the actions taken and the results of such actions. This must be done by Oct. 2.

This is the second emergency directive issued under the Trump administration, CISA said. In August, the agency issued an emergency directive requiring agencies to update their systems to address vulnerabilities in Microsoft Exchange.

Tyler Durden
Fri, 09/26/2025 – 21:25, ZeroHedge News
