State-sponsored attackers going after big-brand routers and other network equipment are nothing new. A China-linked group known as "BlackTech" is actively compromising Cisco routers to hide inside victim networks and exfiltrate sensitive data. The U.S. National Security Agency (NSA), the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA), together with Japan's National Police Agency (NPA) and National Center of Incident Readiness and Strategy for Cybersecurity (NISC), issued a joint advisory (AA23-270A) describing BlackTech's activity and recommending measures to detect and mitigate it.

BlackTech, also tracked as Palmerworm, Temp.Overboard, Circuit Panda and Radio Panda, has been active since 2010. The advisory links the group to the People's Republic of China and notes that it has historically targeted government, industrial, technology, media, electronics and telecommunications organizations, as well as the defense industrial base, in the United States and East Asia.

The group develops customized malware and tailored persistence mechanisms for compromising common router brands. According to the advisory, these capabilities include disabling logging, abusing the trusted network relationships between an organization's international subsidiaries and its headquarters in order to pivot, and exfiltrating data. The advisory lists a dozen malware families, among them BendyBear, Bifrose, SpiderPig and WaterBear, used against Windows, Linux and even FreeBSD hosts.

The advisory does not say how BlackTech gains initial access to a victim's router: it names no vulnerability or CVE, and the access vector could be anything from stolen or weak administrative credentials to an as-yet-undisclosed flaw. What it does describe is what happens next: with administrative access, the actors use the Cisco IOS command-line interface (CLI) to replace the router's legitimate firmware with a compromised image.

The process begins by modifying the running firmware in memory, a technique the advisory calls "hot patching." This step is what allows the actors to get past the device's image integrity checks and install both a modified bootloader and a modified firmware image. Once installed, the modified firmware bypasses the router's built-in security features, provides backdoor SSH access that the actors switch on and off with specially crafted packets, suppresses logging of their activity, and circumvents access control list (ACL) restrictions. Because the implant lives in the firmware rather than in the configuration, it does not show up in the running configuration.

To detect and thwart this activity, organizations are advised to follow the advisory's "best mitigation practices." IT staff should disable outbound connections from the router by applying the "transport output none" configuration command to the virtual teletype (VTY) lines, monitor both inbound and outbound connections, limit access to administration services to the IP addresses used by network administrators by applying access lists to the VTY lines, and review device logs for unauthorized reboots, operating system version changes, configuration changes and firmware update attempts.

Organizations should also upgrade network devices to the latest firmware, change all passwords and keys when there is concern that even a single password has been compromised, periodically perform the file and memory verification described in Cisco's IOS Software Integrity Assurance guidance, and take regular snapshots of boot records and firmware to compare against known-good images. The advisory focuses on Cisco routers, but it notes that the same technique could be applied to other well-known brands of network equipment.
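As an added example (not part of the advisory or of the original article), the following Python script turns the two monitoring recommendations above into a check: it compares a known-good baseline of "show version" and "verify /md5" output against a fresh capture to catch a changed image digest or an unexpected reboot, and it audits a "show running-config" capture for the VTY and logging settings the advisory asks for (transport output none, an inbound access-class, SSH-only input, syslog not disabled, a remote syslog host). All device output below is constructed for the example; the hostnames, image names and digests are placeholders rather than real values.

```python
"""Compare Cisco IOS 'show' output against a known-good baseline and audit the
running configuration for the hardening the AA23-270A advisory recommends.

The device output embedded here is constructed sample data, not captured from
a real router; image names and MD5 digests are placeholders."""

import re

# --- constructed sample captures -------------------------------------------
BASELINE_VERSION = """\
Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.7(3)M8
router-a uptime is 3 weeks, 2 days, 4 hours, 10 minutes
System returned to ROM by power-on
System image file is "flash0:c2900-universalk9-mz.SPA.157-3.M8.bin"
Last reload reason: power-on
"""
BASELINE_VERIFY = (
    "verify /md5 (flash0:c2900-universalk9-mz.SPA.157-3.M8.bin) = "
    "0123456789abcdef0123456789abcdef\n"
)
# Same image filename, different digest, uptime reset: what an in-place
# firmware replacement followed by a reboot would look like.
CURRENT_VERSION = """\
Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.7(3)M8
router-a uptime is 2 hours, 5 minutes
System returned to ROM by reload
System image file is "flash0:c2900-universalk9-mz.SPA.157-3.M8.bin"
Last reload reason: Reload Command
"""
CURRENT_VERIFY = (
    "verify /md5 (flash0:c2900-universalk9-mz.SPA.157-3.M8.bin) = "
    "fedcba9876543210fedcba9876543210\n"
)
CURRENT_CONFIG = """\
hostname router-a
no logging on
line vty 0 4
 access-class MGMT in
 transport input ssh
 transport output all
line vty 5 15
 transport input ssh
 transport output none
"""

UNIT_MINUTES = {"year": 525600, "week": 10080, "day": 1440, "hour": 60, "minute": 1}


def parse_version(text):
    """Extract boot image path, uptime in minutes and last reload reason."""
    image = re.search(r'System image file is "([^"]+)"', text).group(1)
    uptime = re.search(r"uptime is (.+)", text).group(1)
    minutes = sum(int(n) * UNIT_MINUTES[u]
                  for n, u in re.findall(r"(\d+) (year|week|day|hour|minute)s?", uptime))
    reason = re.search(r"Last reload reason: (.+)", text).group(1).strip()
    return {"image": image, "uptime_min": minutes, "reload_reason": reason}


def parse_verify(text):
    """Extract path and digest from 'verify /md5 flash:<image>' output."""
    m = re.search(r"verify /md5 \((\S+)\) = ([0-9a-fA-F]{32})", text)
    return {"path": m.group(1), "md5": m.group(2).lower()}


def audit_config(config):
    """Return findings for VTY and logging settings the advisory recommends."""
    findings = []
    if re.search(r"^no logging on\s*$", config, re.M):
        findings.append("syslog disabled (no logging on)")
    if not re.search(r"^logging host \S+", config, re.M):
        findings.append("no remote syslog host configured")
    # Each 'line vty A B' header is followed by its space-indented settings.
    for m in re.finditer(r"^line vty (\d+ \d+)\n((?: .*\n?)*)", config, re.M):
        rng, body = m.group(1), m.group(2)
        if "transport output none" not in body:
            findings.append(f"line vty {rng}: outbound sessions permitted (missing 'transport output none')")
        if not re.search(r"^ access-class \S+ in", body, re.M):
            findings.append(f"line vty {rng}: no inbound access-class")
        if not re.search(r"^ transport input ssh\s*$", body, re.M):
            findings.append(f"line vty {rng}: transport input is not SSH-only")
    return findings


def compare(base_version, base_verify, cur_version, cur_verify, cur_config):
    """Alert on image/digest changes, a reboot since baseline, and config gaps."""
    bv, cv = parse_version(base_version), parse_version(cur_version)
    bh, ch = parse_verify(base_verify), parse_verify(cur_verify)
    alerts = []
    if cv["image"] != bv["image"]:
        alerts.append(f"boot image changed: {bv['image']} -> {cv['image']}")
    if ch["md5"] != bh["md5"]:  # compare digests, not filenames: in-place replacement keeps the name
        alerts.append(f"image digest changed for {ch['path']}: {bh['md5']} -> {ch['md5']}")
    if cv["uptime_min"] < bv["uptime_min"]:
        alerts.append(f"device rebooted since baseline (reason: {cv['reload_reason']})")
    alerts.extend(audit_config(cur_config))
    return alerts


if __name__ == "__main__":
    for a in compare(BASELINE_VERSION, BASELINE_VERIFY, CURRENT_VERSION, CURRENT_VERIFY, CURRENT_CONFIG):
        print("ALERT:", a)
```

Two caveats a practitioner should keep in mind. First, the digest comes from the device itself, so firmware that has already been replaced can lie about it; this check is for catching the change early and must be backed by comparing the stored image against the vendor-published hash, or against an offline copy taken off the device, as the advisory's integrity guidance describes. Second, the VTY audit only covers settings visible in the running configuration; the backdoor described above is not, which is exactly why the advisory pairs configuration review with image and memory verification.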

Learn more:

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-270a