Rewterz Threat Update – Joint Warning: US and Japan Raise Concerns About Chinese Hackers Backdooring Cisco Routers

Severity

High

Analysis Summary

Cybersecurity and law enforcement agencies of the US and Japan have issued a warning for the Chinese-origin group “BlackTech” that has been breaching network devices of corporate networks in order to install custom backdoors to access them.

This joint report was published recently by the FBI, NSA, CISA and the Japanese NPA and NISC to explain in detail about the state-sponsored hacking campaign that is compromising network devices of international companies to pivot to the networks of corporate headquarters.

BlackTech (aka Palmerworm, Circuit Panda, and Radio Panda) is a state-backed APT group of Chinese origin which is infamous for carrying out cyber espionage attacks on various countries, notably Japan, Hong Kong, and Taiwan. This group has been active since at least 2010 and mainly targets the government, technology, industrial, media, telecommunication, electronics, and defense sectors.

The cybersecurity experts warn that the BlackTech threat actors regularly update their custom malware they use for backdooring network devices, which helps in establishing persistence, initial access to networks, and stealing sensitive data by redirecting traffic to the actor-controlled servers.

Usually, custom malware is signed using stolen certificates for code-signing, which makes it difficult to detect by security software. The hackers are able to compromise a wide range of router brands, versions, and models by using stolen admin credentials to establish persistence and move on the network laterally.

“BlackTech actors exploit trusted network relationships between an established victim and other entities to expand their access in target networks.” the report explains. “Specifically, upon gaining an initial foothold into a target network and gaining administrator access to network edge devices, BlackTech cyber actors often modify the firmware to hide their activity across the edge devices to further maintain persistence in the network.”

The threat actors are able to hide changes in configuration and history of executed commands using the modified firmware. This way, they can deactivate logging on hacked devices during the time they perform malicious operations.

The researchers have noticed that the threat actors enable/disable a SSH backdoor by sending specially crafted TCP or UDP packets to Cisco devices. Through this method, they are able to avoid detection and only enable the backdoor when they deem it necessary.

The attackers are also capable of patching the memory of Cisco devices so they can bypass the signature validation functions of Cisco ROM Monitor. This method allows the hackers to enable unlogged access to the device by loading modified firmware that is pre-installed with the backdoors.

Creating and using custom malware in their attacks is usual for BlackTech APT group. They’re also known to compromise vulnerable routers to use them as C2 servers. Network admins are highly recommended to install security patches on their devices as soon as they’re available.

The advisory recommends vigilant monitoring by system administrators to detect potential threats, such as unauthorized downloads of bootloader and firmware images, as well as unusual device reboots that may signal the installation of modified firmware on routers. Suspicious SSH traffic on routers should be treated with caution. To mitigate these risks, administrators are advised to employ practices like using the “transport output none” command to prevent unwanted external connections, closely overseeing inbound and outbound traffic, limiting network administrator access to specific IP addresses, and promptly changing passwords and keys in case of a suspected breach. Additionally, they should regularly scrutinize logs for anomalies, apply the Network Device Integrity (NDI) Methodology to detect unauthorized changes, and routinely compare boot records and firmware to trusted versions. Cisco notes that the attack method involving firmware downgrades primarily affects older, legacy products and emphasizes the importance of keeping edge network devices up to date with security patches. This advisory comes in light of increased targeting of network devices by various threat actors, highlighting the vulnerability of devices that lack Endpoint Detection and Response (EDR) solutions. Consequently, network administrators should prioritize security patch installations and avoid exposing management consoles to the public.

Impact

• Espionage
• Sensitive Data Theft

Remediation

• Promptly update your passwords across all of your online accounts. Utilize a robust password generator to fortify the security of your accounts.
• Prompt all users to change their passwords, especially if their credentials were exposed. Encourage the use of strong, unique passwords.
• Implement 2FA or multi-factor authentication to add an additional layer of security for user accounts.
• Exercise caution with incoming spam emails, unsolicited text messages, and phishing attempts.
• Avoid interacting with any suspicious content, including emails and texts from unfamiliar senders.
• Regularly update and patch software and systems to address vulnerabilities that may have led to the breach.
• Review and strengthen access controls to restrict unauthorized access to sensitive data.
• Conduct regular security audits and vulnerability assessments to identify and address security weaknesses and potential threats.
• Here are the recommended mitigation practices mentioned in the joint advisory:
• Implement the “transport output none” command to block undesired external connections.
• Supervise both inbound and outbound traffic on devices, particularly unauthorized access, and establish VLANs to segregate administrative systems.
• Allow access only to specific IP addresses for network administrators and keep a record of login attempts.
• Transition to devices equipped with advanced secure boot capabilities and prioritize the update of outdated equipment.
• Take immediate action to change all passwords and keys if a breach is suspected.
• Carefully review logs for anomalies such as unexpected reboots or configuration changes.
• Employ the Network Device Integrity (NDI) Methodology to identify unauthorized alterations.
• Regularly compare boot records and firmware with trusted versions.