China-linked hackers have been using misconfigured Cisco security products to deploy backdoors on target networks for at least the past several weeks.
The hacker group, which Cisco tracks as UAT-9686, has been taking advantage of an insecure setting in Cisco’s AsyncOS software, which powers the company’s email and web security devices and virtual platforms, Cisco said.
AsyncOS allows users to enable a Spam Quarantine feature and make it accessible over the internet. That configuration is not the default, but users who manually change it risk exposing their devices to intrusions.
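For administrators who cannot immediately confirm whether their quarantine interface is reachable from outside, one defensive check is to review the appliance’s web access logs for requests to the quarantine paths that originate from non-private addresses. The script below is an added example and is not Cisco code or part of the reporting above; it assumes a common-log-style line format, uses the constructed placeholder path prefix `/euq/` (not a documented AsyncOS path), and treats RFC 1918, loopback and ULA ranges as internal.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample access-log lines for illustration only; these are not real
# AsyncOS log records. Addresses from 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges standing in for arbitrary internet hosts.
SAMPLE_LOG = """\
10.20.1.15 - - [02/Dec/2025:09:14:01 +0000] "GET /euq/login HTTP/1.1" 200 512
203.0.113.44 - - [02/Dec/2025:09:15:22 +0000] "POST /euq/login HTTP/1.1" 200 812
192.168.4.9 - - [02/Dec/2025:09:16:05 +0000] "GET /euq/inbox HTTP/1.1" 200 4096
198.51.100.7 - - [02/Dec/2025:09:17:48 +0000] "GET /euq/inbox HTTP/1.1" 200 4096
198.51.100.7 - - [02/Dec/2025:09:18:03 +0000] "POST /euq/action HTTP/1.1" 500 0
172.16.0.3 - - [02/Dec/2025:09:19:10 +0000] "GET /static/logo.png HTTP/1.1" 200 2048
"""

# Common-log-format parser: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Assumption: "/euq/" is a placeholder prefix for the quarantine web interface.
# Replace it with the path(s) your appliance actually serves.
QUARANTINE_PREFIXES = ("/euq/",)

# Address ranges considered "internal"; anything else is treated as external.
PRIVATE_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "fc00::/7", "::1/128")
]


def is_internal(ip_str):
    """True if ip_str parses as an address inside one of PRIVATE_NETS."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in PRIVATE_NETS)


def parse_line(line):
    """Return a dict of fields for a well-formed log line, or None otherwise."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_external_quarantine_access(log_text, prefixes=QUARANTINE_PREFIXES):
    """Return records for requests to quarantine paths from non-internal addresses.

    A non-empty result means the quarantine interface is answering requests
    from outside the private address space, which is the exposure the article
    warns about regardless of whether any individual request was malicious.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed or unrelated lines
        if not rec["path"].startswith(prefixes):
            continue  # not a quarantine request
        if is_internal(rec["ip"]):
            continue  # expected internal use
        hits.append(rec)
    return hits


def summarize(hits):
    """Count external hits per source address for a quick triage view."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    external = find_external_quarantine_access(SAMPLE_LOG)
    for ip, count in summarize(external).most_common():
        print(f"{ip}: {count} quarantine request(s) from outside private ranges")
```

The script answers only whether external clients are reaching the interface; the remediation the article implies is to keep the quarantine feature off the internet-facing side, since any external reachability, not just suspicious requests, is the risky configuration.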
“This attack allows the threat actors to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance,” Cisco said.
After breaking into victim networks, the China-linked hackers plant a Python backdoor called AquaShell that listens for and executes their commands. Cisco also identified other tools used in the campaign, including two tunneling tools that the hackers use to maintain their connections to victim machines, and a log-clearing tool, dubbed AquaPurge, that erases evidence of the hackers’ activity.
Cisco said the campaign “has been ongoing since at least late November,” with the company discovering it on Dec. 10.
The company attributed the operation to UAT-9686 based on the hackers’ use of tools that have also appeared in other notable China-linked groups’ attacks. In addition, Cisco said, “the tactic of using a custom-made web-based implant such as AquaShell is increasingly being adopted by highly sophisticated Chinese-nexus APTs.”
