US and Japanese law enforcement and cybersecurity agencies warn of the Chinese ‘BlackTech’ hackers breaching network devices to install custom backdoors for access to corporate networks.
The joint report comes from the FBI, NSA, CISA, and the Japanese NISC (cybersecurity) and NPA (police), who explain that the state-sponsored hacking group is breaching network devices at international subsidiaries to pivot to the networks of corporate headquarters.
BlackTech (aka Palmerworm, Circuit Panda, and Radio Panda) is a state-sponsored Chinese APT (advanced persistent threat) group known for conducting cyber espionage attacks on Japanese, Taiwanese, and Hong Kong-based entities since at least 2010.
The sectors BlackTech targets include government, industrial, technology, media, electronics, telecommunication, and the defense industry.
Custom malware on network devices
The FBI notice warns that the BlackTech hackers use custom, regularly updated malware to backdoor network devices, which they then use for persistence, for initial access to networks, and to steal data by redirecting traffic to attacker-controlled servers.
The advisory warns that the custom malware is sometimes signed using stolen code-signing certificates, making it harder for security software to detect.
By leveraging stolen admin credentials, the attackers compromise a broad range of router brands, models, and versions, establish persistence, and move laterally on the network.
As explained by the joint cybersecurity advisory:
“Specifically, upon gaining an initial foothold into a target network and gaining administrator access to network edge devices, BlackTech cyber actors often modify the firmware to hide their activity across the edge devices to further maintain persistence in the network. To extend their foothold across an organization, BlackTech actors target branch routers—typically smaller appliances used at remote branch offices to connect to a corporate headquarters—and then abuse the trusted relationship of the branch routers within the corporate network being targeted. BlackTech actors then use the compromised public-facing branch routers as part of their infrastructure for proxying traffic, blending in with corporate network traffic, and pivoting to other victims on the same corporate network.”
The modified firmware allows the threat actors to hide configuration changes and the history of executed commands. It also allows them to deactivate logging on a compromised device while they actively engage in malicious operations.
For Cisco routers in particular, researchers have observed the attackers enabling and disabling an SSH backdoor by using specially crafted TCP or UDP packets that are sent to the devices. This method allows the attackers to evade detection and only enable the backdoor when necessary.
The threat actors have also been observed patching the memory of Cisco devices to bypass the Cisco ROM Monitor’s signature validation functions. This allows the threat actors to load modified firmware that comes pre-installed with backdoors that enable unlogged access to the device.
In cases of breached Cisco routers, the hackers also modify EEM policies used for task automation, removing certain strings from legitimate commands to block their execution and hinder forensic analysis.
Creating custom malware is not new for the BlackTech APT group, with two 2021 reports by NTT and Unit 42 highlighting the threat actor’s use of this tactic.
An older Trend Micro report specifically mentioned the tactic of compromising vulnerable routers to use them as C2 servers.
Defense recommendations
The advisory recommends that system administrators monitor for unauthorized downloads of bootloader and firmware images and for unusual device reboots, either of which could be part of loading modified firmware on routers.
SSH traffic observed on the router should also be treated with high suspicion.
The following mitigation practices are recommended:
- Use the “transport output none” command to prevent unwanted external connections.
- Oversee inbound/outbound traffic on devices, especially unauthorized access, and segregate administrative systems with VLANs.
- Only permit specific IP addresses for network administrators and track login attempts.
- Transition to devices with advanced secure boot and prioritize updating outdated equipment.
- Act promptly to change all passwords and keys when a breach is suspected.
- Scrutinize logs for anomalies like unexpected reboots or configuration changes.
- Utilize the Network Device Integrity (NDI) Methodology to detect unauthorized alterations.
- Compare boot records and firmware to trusted versions routinely.
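The log-review and admin-allowlist items above can be combined into one triage pass over router syslog. The following is an added example, not code from the advisory or from Cisco: it matches standard Cisco IOS syslog mnemonics for reloads, configuration changes and logins, and raises the priority of any event whose source address is outside an assumed administrator subnet. The subnet, hostnames, usernames and log lines are constructed for illustration.

```python
import re
from ipaddress import ip_address, ip_network

# Assumption: the only subnet administrators manage routers from (constructed).
ADMIN_NETS = [ip_network("10.10.0.0/28")]

# Cisco IOS syslog mnemonics for the events the recommendations name.
RULES = [
    ("reboot", re.compile(r"%SYS-5-(?:RELOAD|RESTART)")),
    ("config_change", re.compile(r"%SYS-5-CONFIG_I")),
    ("login", re.compile(r"%SEC_LOGIN-\d-LOGIN_(?:SUCCESS|FAILED)")),
]
# Source address as IOS prints it: "(a.b.c.d)" or "[Source: a.b.c.d]".
SRC_IP = re.compile(r"(?:\(|\[Source: )(\d{1,3}(?:\.\d{1,3}){3})[)\]]")


def triage(lines, admin_nets=ADMIN_NETS):
    """Return (event, severity, source_ip) for each log line worth reviewing."""
    findings = []
    for line in lines:
        event = next((name for name, rx in RULES if rx.search(line)), None)
        if event is None:
            continue
        m = SRC_IP.search(line)
        src = m.group(1) if m else None
        outside = src is not None and not any(
            ip_address(src) in net for net in admin_nets)
        # Anything from outside the admin subnet is high priority; reboots and
        # changes from inside it still need matching to an approved change.
        findings.append((event, "high" if outside else "review", src))
    return findings


# Constructed sample log, not taken from the advisory or from a real device.
SAMPLE_LOG = """\
Sep 27 02:11:40 br-rtr1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.10.0.5] [localport: 22] at 02:11:40 UTC Wed Sep 27 2023
Sep 27 02:13:02 br-rtr1 %SYS-5-CONFIG_I: Configured from console by netops on vty0 (10.10.0.5)
Sep 27 03:40:17 br-rtr1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 198.51.100.23] [localport: 22] at 03:40:17 UTC Wed Sep 27 2023
Sep 27 03:41:55 br-rtr1 %SYS-5-CONFIG_I: Configured from console by admin on vty0 (198.51.100.23)
Sep 27 03:52:09 br-rtr1 %SYS-5-RELOAD: Reload requested by admin on vty0 (198.51.100.23). Reload Reason: Reload Command.
Sep 27 03:55:31 br-rtr1 %SYS-5-RESTART: System restarted --
Sep 27 04:00:00 br-rtr1 %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
"""

if __name__ == "__main__":
    for event, severity, src in triage(SAMPLE_LOG.splitlines()):
        print(f"{severity:6} {event:13} {src}")
```

Run it over logs collected on a remote syslog server, since the modified firmware described above can deactivate logging on the device itself.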
Cisco has also published a security advisory on the topic, highlighting that there’s no indication that BlackTech leverages a vulnerability in its products or a stolen certificate to sign its malware.
Also, Cisco notes that the attack method that involves downgrading the firmware to bypass security measures only applies to older, legacy products.
The targeting of network devices has seen an uptick over the past year, with Chinese-aligned threat actors also targeting Fortinet, TP-Link, and SonicWall network devices with custom malware.
The US, UK, and Cisco warned in April of attacks on Cisco IOS devices by the Russian APT28 (Fancy Bear, STRONTIUM) state-sponsored hacking group, which deployed custom malware to steal data and pivot to internal devices.
As edge network devices do not commonly support EDR (Endpoint Detection and Response) security solutions, they are prime targets for threat actors to use for data theft and initial access to a network.
“There’s a recurring theme of continued China-nexus cyber espionage focus on network appliances, IOT devices, etc. that don’t support EDR solutions,” Mandiant CTO Charles Carmakal told BleepingComputer in May.
Therefore, network admins must install all available security patches on edge devices as soon as they become available and not publicly expose management consoles.
Source: www.bleepingcomputer.com