Chinese state hackers detected in Cisco router firmware

CarderPlanet

Who is behind the new wave of cyber attacks?

US and Japanese cybersecurity authorities and law enforcement agencies are warning about the activity of the Chinese hacker group BlackTech. The group compromises network devices by installing specialized backdoors in order to gain access to corporate networks.

A joint report prepared by the FBI, NSA, CISA, and Japanese authorities NISC and NPA reveals that a state-backed group attacks the network devices of international branches of large companies to further access the networks of corporate head offices.

BlackTech, also known as Palmerworm, Circuit Panda, and Radio Panda, has been actively engaged in cyber espionage against Japanese, Taiwanese, and Hong Kong organizations since 2010. The group's main targets include government agencies, industrial enterprises, technology companies, media, electronics and telecommunications companies, and the defense industry.

The modified firmware allows attackers to hide configuration changes and the history of executed commands. In addition, they can disable the logging system on a compromised device during malicious actions.

Specifically, for Cisco routers, researchers observed how attackers enabled and disabled the SSH backdoor using specially crafted TCP or UDP packets directed to the devices. This method allows attackers to remain undetected and enable the backdoor only when necessary.

It was also observed that the attackers patched the memory of Cisco devices to bypass the signature verification functions of Cisco ROM Monitor. This allows them to load modified firmware with pre-installed backdoors that grant unauthorized access to the device.

When Cisco routers are compromised, the hackers also modify the EEM policies used to automate tasks, removing certain lines from legitimate commands to block their execution and complicate forensic analysis.

According to the warning, BlackTech hackers use specialized and regularly updated malware to create backdoors in network devices. These backdoors are used for persistent access, initial network entry, and data interception.

Special attention should be paid to the fact that malware is sometimes signed with stolen certificates, which makes it difficult for security systems to detect it.

The report also contains security recommendations: monitor for unauthorized downloads of bootloader images and firmware, as well as for unusual device reboots. It also recommends watching SSH traffic to and from the router and applying a number of other security measures.

It is important to note that attacks on network devices have become more frequent over the past year. According to research, Chinese hackers are also targeting Fortinet, TP-Link, and SonicWall devices.
 
Law enforcement agencies in the United States and Japan have warned that the Chinese APT group BlackTech is hacking into peripheral devices and embedding custom backdoors in their firmware to access the corporate networks of American and Japanese international companies.

BlackTech (also known as Palmerworm, Circuit Panda, and Radio Panda) is a government-backed APT group that has been known for its cyber-espionage attacks on Japanese, Taiwanese, and Hong Kong organizations since 2010. BlackTech attacks usually target the industrial and technology sectors, the media, electronics and telecommunications companies, as well as the defense industry and government agencies.

A joint notice issued by the FBI, NSA, CISA, and Japanese law enforcement agencies states that BlackTech uses custom and regularly updated malware to create backdoors in network devices, which are then used to gain a foothold in the target network, obtain initial access to organizations' networks, and steal data (by redirecting traffic to servers controlled by the attackers).

It is emphasized that custom malware of the group is sometimes signed using legitimate stolen certificates, which further complicates its detection.

"After gaining initial access to the target network and administrator access to peripheral devices, BlackTech cybercriminals often modify their firmware to hide their activity and gain a foothold in the network.

To expand their presence in the organization's network, BlackTech attackers attack routers of other branches (usually devices used in remote branches to connect to the company's head office) and abuse trust between devices in the target corporate network. The attackers then use the compromised branch routers as part of their infrastructure to proxy traffic, mix with the traffic of the corporate network, and switch to other victims in the same corporate network," the experts report.

Firmware modification allows the hackers to mask changes to the device configuration and the history of executed commands. In addition, the attackers can disable logging entirely on compromised devices while they carry out their operations.

For example, on Cisco routers, hackers enable and disable the SSH backdoor using special TCP or UDP packets sent to the device. This allows them to avoid detection and activate the backdoor only if necessary.

In addition, BlackTech can patch the memory of Cisco devices to bypass the signature verification functions in Cisco ROM Monitor. This allows them to load modified firmware with pre-installed backdoors that allow access to the device without a username.

It was also observed that, when hacking Cisco routers, the attackers modify the EEM policies used to automate tasks and delete certain command lines in order to block their execution and complicate subsequent analysis of the attack. For the same purpose, the attackers may disable logging altogether.

It should be noted that building custom malware is nothing new for BlackTech. Back in 2021, researchers from Palo Alto Networks Unit 42 and NTT Security warned about this tactic of the group. An even older Trend Micro report mentioned the tactic of compromising vulnerable routers to use them as command-and-control servers.

After the publication of this law enforcement warning, Cisco representatives issued an official statement stressing that the attackers compromise routers only after obtaining administrative credentials (how the hackers obtain them is not specified), and that there are no signs that any specific vulnerabilities are being exploited.

Cisco also stated that malicious firmware can only be introduced on the company's older products; newer versions have broader protective capabilities and prevent such firmware from being used.
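The advisory's recommendations above (watch for unauthorized boot image and firmware changes, unusual reboots, SSH logins) and the tampering it describes (EEM policies edited, logging switched off) map onto a handful of Cisco IOS syslog mnemonics. The following Python is an added example, not from the advisory or the article; the rules use standard IOS mnemonics (SYS-5-RELOAD, SEC_LOGIN-5-LOGIN_SUCCESS, PARSER-5-CFGLOG_LOGGEDCMD), while the log lines, hostnames, users and addresses are constructed, and the "high/medium/low" triage thresholds are this example's own assumption.

```python
import re
from collections import defaultdict

# Constructed sample of Cisco IOS syslog lines (hosts, users and addresses are
# made up; the mnemonics are real IOS ones). CFGLOG_LOGGEDCMD lines require
# "archive / log config" to be enabled on the device.
SAMPLE_LOGS = """\
Sep 28 10:01:12 branch-rtr1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.20.30.40] [localport: 22] at 10:01:12 UTC
Sep 28 10:01:40 branch-rtr1 %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:no logging buffered
Sep 28 10:01:41 branch-rtr1 %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:no logging host 10.20.1.5
Sep 28 10:02:05 branch-rtr1 %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:boot system flash:c2900-universalk9-mz.SPA.bin
Sep 28 10:02:30 branch-rtr1 %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:event manager applet nightly-backup
Sep 28 10:03:00 branch-rtr1 %SYS-5-RELOAD: Reload requested by admin on vty0 (10.20.30.40). Reload Reason: Reload Command.
Sep 28 10:05:10 branch-rtr1 %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.20.30.40)
Sep 28 10:06:00 hq-core1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.1.1.9] [localport: 22] at 10:06:00 UTC
"""

# Each rule corresponds to one behaviour called out in the advisory.
RULES = [
    ("logging_disabled",   re.compile(r"CFGLOG_LOGGEDCMD:.*command:no logging\b")),
    ("boot_image_changed", re.compile(r"CFGLOG_LOGGEDCMD:.*command:boot system\b")),
    ("eem_policy_changed", re.compile(r"CFGLOG_LOGGEDCMD:.*command:(no )?event manager\b")),
    ("reload",             re.compile(r"%SYS-5-(RELOAD|RESTART)\b")),
    ("ssh_login",          re.compile(r"LOGIN_SUCCESS:.*\[localport: 22\]")),
]

HEADER_RE = re.compile(r"^(\w+ \d+ [\d:]+) (\S+) %")  # "Mon DD HH:MM:SS host %..."


def scan(lines):
    """Return one finding dict per (line, rule) match, tagged with host and time."""
    findings = []
    for line in lines:
        m = HEADER_RE.match(line)
        if not m:
            continue  # not a syslog line in the expected shape
        ts, host = m.groups()
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append({"ts": ts, "host": host, "rule": name, "line": line})
    return findings


def triage(findings):
    """Per-host verdict: logging turned off plus a boot-image change or reload on
    the same device is the firmware-tampering pattern and is rated high; two or
    more distinct indicators is medium; a lone indicator is low."""
    per_host = defaultdict(set)
    for f in findings:
        per_host[f["host"]].add(f["rule"])
    verdict = {}
    for host, rules in per_host.items():
        if "logging_disabled" in rules and rules & {"boot_image_changed", "reload"}:
            verdict[host] = "high"
        elif len(rules) >= 2:
            verdict[host] = "medium"
        else:
            verdict[host] = "low"
    return verdict


if __name__ == "__main__":
    for host, level in triage(scan(SAMPLE_LOGS.splitlines())).items():
        print(f"{host}: {level}")
```

Run against the constructed sample, branch-rtr1 is rated high (logging disabled, boot image changed, reload) while hq-core1, with only a single SSH login, is rated low; in production the same rules would be fed from the syslog collector the routers export to, which is exactly what the attackers' "no logging host" command tries to cut off.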