Network Security, Endpoint/Device Security, Threat Intelligence
November 4, 2025
The China-linked threat group Storm-1849 — also known as ArcaneDoor — was reportedly observed targeting vulnerable Cisco ASA firewalls throughout the month of October.
The Record reported on Oct. 31 that Unit 42 researchers from Palo Alto Networks said the group spent October targeting Cisco ASA routers at U.S. financial institutions, defense contractors, and military organizations, with the exception of China’s Golden Week holiday in the first week of October.
This activity took place even after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Sept. 25 ordered federal agencies to patch two vulnerabilities in Cisco ASA firewalls that were exploited in the wild: CVE-2025-20333, a critical 9.9 remote code execution flaw; and CVE-2025-20362, a medium-severity 6.5 privilege escalation bug.
“This continuous targeting of government, defense, and financial organizations demonstrates that patching disclosures didn’t stop the attacks,” said John Carberry, solution sleuth at Xcape, Inc. “Instead, a slowdown during China’s Golden Week holiday confirmed the attacker’s operational rhythm.”
Carberry said the major concern is the attack’s complexity, which leverages two zero-day vulnerabilities to gain persistence and survive reboots and firmware updates on outdated devices. For security teams, Carberry said a quick patch often isn’t enough. Monitoring and maintenance on devices with known vulnerabilities should also factor into recurring operational tasks.
“If you run unpatched ASA devices, assume they are already backdoored and focus on forensic hunting for ROM-level malware,” said Carberry.
James Maude, Field CTO at BeyondTrust, added that teams need to “keep calm” and patch the two bugs as soon as possible as per last month’s CISA directive. Organizations that have not been able to patch or suspect they may have been targeted should review their Cisco configurations in-depth and ideally reset to factory defaults, resetting passwords, keys and certificates before reconfiguring, said Maude.
“This is because the threat actors are known to modify configurations to capture and exfiltrate network traffic as well as maintain persistence on devices,” said Maude. “Given the role of these devices in not only providing firewall capabilities, but also a level of spam filtering and anti-virus protection, the risk of compromise is significant.”
Jason Soroko, senior fellow at Sectigo, said ASA devices concentrate many security functions in one place, which makes compromise high impact because a single foothold can enable credential theft, traffic inspection, lateral pivoting, and persistence. Soroko said older or end-of-support software trains and internet-exposed management interfaces remain the riskiest conditions.
“Security teams should inventory every ASA, record software versions and features in use, and move quickly to the latest supported release or hotfix from the vendor,” said Soroko. “Lock down management by removing internet exposure, restricting access to known jump hosts, enforcing MFA for all remote access and AnyConnect portals, and limiting ASDM and SSH to trusted subnets.”
Other advice from Soroko:
- Rotate local and VPN credentials, invalidate active sessions, and replace device certificates.
- Forward full logs to a SIEM and add detections for new or modified local users, unexpected tunnel groups or group policies, ACL or NAT changes, unexplained reboots, and gaps in logging.
- Segment the management plane on an isolated network, apply strict egress controls from the device to only what is required, and monitor for outbound connections from the firewall itself.
- Capture diagnostics and configuration backups if compromise is suspected; preserve crash files and disk contents, remove unneeded webvpn customizations, rebuild from known good images, and engage vendor and incident response partners.
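As an added illustration of the SIEM detections Soroko lists (not code from the article or any vendor), the Python below parses a constructed sample of Cisco ASA syslog lines and flags configuration commands that touch local users, tunnel groups, group policies, ACLs, NAT or webvpn, plus silent stretches in the log. The sample lines, hostname, usernames and IP addresses are invented; the 111010 "User '...', running '...' from IP ..., executed '...'" message shape follows the standard ASA syslog catalogue.

```python
import re
from datetime import datetime, timedelta

# Constructed sample ASA syslog (not real device output). A management login,
# a benign show command, then config changes from an unexpected source IP,
# followed by a long silence before the next message.
SAMPLE_LOG = """\
Nov 04 2025 09:00:01 fw1 %ASA-6-605005: Login permitted from 10.10.5.20/51234 to mgmt:10.10.5.1/ssh for user "netops"
Nov 04 2025 09:00:14 fw1 %ASA-5-111010: User 'netops', running 'CLI' from IP 10.10.5.20, executed 'show running-config'
Nov 04 2025 09:01:02 fw1 %ASA-5-111010: User 'netops', running 'CLI' from IP 203.0.113.7, executed 'username svc-backup password REDACTED privilege 15'
Nov 04 2025 09:01:09 fw1 %ASA-5-111010: User 'netops', running 'CLI' from IP 203.0.113.7, executed 'tunnel-group RA-NEW type remote-access'
Nov 04 2025 09:01:15 fw1 %ASA-5-111010: User 'netops', running 'CLI' from IP 203.0.113.7, executed 'access-list OUTSIDE_IN extended permit ip any any'
Nov 04 2025 11:40:00 fw1 %ASA-5-111010: User 'netops', running 'CLI' from IP 10.10.5.20, executed 'show version'
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-\d-(?P<mid>\d{6}): (?P<msg>.*)$")
CMD_RE = re.compile(r"User '(?P<user>[^']+)', running '[^']+' from IP (?P<ip>\S+), executed '(?P<cmd>[^']+)'")

# Command prefixes worth alerting on; each maps to the finding label it raises.
WATCHED = {
    "username ": "local user added/modified",
    "tunnel-group ": "tunnel-group change",
    "group-policy ": "group-policy change",
    "access-list ": "ACL change",
    "nat ": "NAT change",
    "webvpn": "webvpn customization change",
}


def detect(log_text, gap=timedelta(hours=1)):
    """Return (label, detail) findings for watched config commands and logging gaps."""
    findings, prev_ts = [], None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an ASA syslog line in the expected format
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
        if prev_ts is not None and ts - prev_ts > gap:
            findings.append(("logging gap", f"{ts - prev_ts} of silence before {ts:%H:%M:%S}"))
        prev_ts = ts
        if m["mid"] != "111010":
            continue  # only executed-command audit messages are inspected here
        c = CMD_RE.search(m["msg"])
        if c:
            for prefix, label in WATCHED.items():
                if c["cmd"].startswith(prefix):
                    findings.append((label, f"{c['user']}@{c['ip']}: {c['cmd']}"))
                    break
    return findings
```

A production rule would also key on 111008 (commands logged without the source IP) and on startup messages to catch the unexplained reboots Soroko mentions.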