China-Linked Hackers Exploit Misconfigured Cisco Security Products to Deploy Backdoors
China-linked threat actors have been actively exploiting misconfigured Cisco security products to gain persistent access to targeted networks, according to new findings from Cisco. The campaign has been ongoing for several weeks and highlights how insecure configuration choices—not software flaws alone—can expose critical infrastructure to advanced cyber threats.
Cisco is tracking the activity under the identifier UAT-9686, a hacker group assessed to have links to China-based advanced persistent threat (APT) operations. The attackers are abusing an insecure configuration within Cisco AsyncOS, the operating system that powers Cisco’s email and web security appliances, including both physical devices and virtual platforms.
Misconfigured Feature Opens the Door
The issue centers on AsyncOS’s Spam Quarantine feature, which allows administrators to make the quarantine interface accessible over the internet. While this setting is disabled by default, organizations that manually enable external access inadvertently expose their devices to potential compromise.
Cisco warned that threat actors are exploiting this exposed interface to gain unauthorized access and execute commands with root-level privileges on affected appliances.
“This attack allows the threat actors to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance,” Cisco stated in its advisory.
Backdoors and Stealthy Persistence
Once inside a victim environment, the attackers deploy a custom Python-based backdoor known as AquaShell. This implant listens for incoming commands and allows the attackers to execute instructions remotely, effectively granting long-term control over compromised systems.
In addition to AquaShell, Cisco observed the use of multiple auxiliary tools designed to maintain stealth and persistence. These include two tunneling utilities that help the attackers preserve access to infected systems and bypass network restrictions. The group also employs a log-wiping utility called AquaPurge, which removes forensic traces of their activity and complicates incident response efforts.
Timeline and Attribution
Cisco confirmed that the campaign has been active since at least late November, with the company detecting the activity on December 10. Attribution to UAT-9686 is based on tool overlap and operational patterns consistent with other known China-linked threat groups.
Notably, Cisco highlighted that the use of custom web-based implants like AquaShell is becoming increasingly common among highly sophisticated Chinese-nexus APTs, signaling an evolution in tradecraft focused on stealth, persistence, and long-term espionage.
Security Implications
This campaign underscores a recurring security lesson: misconfiguration can be just as dangerous as unpatched vulnerabilities. Organizations running Cisco email and web security appliances are urged to review their AsyncOS configurations, ensure that management and quarantine interfaces are not exposed to the internet, and monitor for signs of compromise.
Cisco has released guidance and indicators of compromise (IOCs) to help defenders detect and mitigate the threat.