A hot potato: State-sponsored hackers compromising big-brand routers and other network equipment is nothing new, at this point. If a joint cyber-security advisory from the US and Japan is raising awareness against Chinese cyber-criminals, however, things could get pretty interesting.
A well-known group of Chinese cyber-criminals known as "BlackTech" is actively targeting Cisco routers for sensitive data exfiltration. US intelligence agency NSA, FBI, and Cybersecurity and Infrastructure Security Agency (CISA), have released a joint advisory together with Japan's police and cyber-security authorities detailing BlackTech's activities and providing recommendations for mitigating the attacks.
Also known as Palmerworm, Temp.Overboard, Circuit Panda, and Radio Panda, the BlackTech crew has been active since 2010. The cyber-criminals are directly sponsored by China's communist dictatorship, the advisory says, and they have historically targeted organizations from government, industry, media, electronics, telecommunication, and defense contractors in the US and East Asia.
The cyber-actor specializes in developing custom malware and "tailored persistence mechanisms" to compromise popular router brands. These custom malicious programs include dangerous features to disable logging, abuse trusted domain relationships and compromise sensitive data, the US and Japan warn. The advisory includes a list of specific malware strains such as BendyBear, Bifrose, SpiderPig, and WaterBear, which are used to target Windows, Linux and even FreeBSD operating systems.
The advisory does not provide any clue about the methods used by BlackTech to gain initial access to the victim's devices, which could include common stolen credentials or even some unknown, "wildly sophisticated" 0-day security vulnerability. When they are in, the cyber-criminals abuse Cisco IOS Command-Line Interface (CLI) to replace the official router firmware with a compromised firmware image.
The process begins when the firmware is modified in memory through a "hot patching" technique, the advisory warns, which is the entry point needed to install a modified bootloader and a modified firmware. Once the installation is done, the modified firmware can bypass the router's security features and enable a backdoor access that leaves no traces in the logs and avoids access control list (ACL) restrictions.
In order to detect and thwart BlackTech malicious activities, it's recommended companies and organizations follow some "best mitigation practices." IT staff should disable outbound connections by applying the "transport output none" configuration command to the virtual teletype (VTY) lines, monitor both inbound and outbound connections, limit access and monitor logs.
Organizations should also upgrade the network devices with the latest firmware versions, change all passwords and keys when there is a concern that a single password has been compromised, periodically perform both file and memory verification, and monitor for changes to the firmware. The US and Japan are warning against compromised Cisco routers, but the techniques described in the joint advisory could be easily adapted to target other well-known brands of network devices.