US and Japanese law enforcement and cybersecurity agencies are warning that the Chinese state-sponsored hacking group ‘BlackTech’ has been breaching network devices and installing custom backdoors on them to gain entry into major corporate networks.
The joint advisory is the result of investigations by the FBI, NSA, CISA, Japan’s National center of Incident readiness and Strategy for Cybersecurity (NISC) and its National Police Agency (NPA). The agencies found that the group compromises network devices at overseas branch offices and uses them as a foothold from which to reach the main corporate network.
BlackTech, also tracked as Palmerworm, Circuit Panda and Radio Panda, is assessed to be backed by the Chinese government. The group has conducted cyber espionage against organizations in Japan, Taiwan and Hong Kong since around 2010, targeting the government, industrial, technology, media, electronics and telecommunications sectors, among others.
Custom Malware in Network Devices: According to the FBI, BlackTech deploys custom, regularly updated malware to modify network devices. The malware is used to maintain persistence on the network, to provide initial access, and to redirect traffic to servers the attackers control.
Compounding the problem, the custom malware is sometimes signed with stolen code-signing certificates, which makes it harder for security products to detect. With stolen administrator credentials, the attackers are able to modify a wide range of router brands and models, maintaining access and moving across the network unnoticed.
The joint advisory describes their methodology as follows:
After gaining initial access to a target network and obtaining administrator credentials for edge devices, BlackTech actors frequently modify the device firmware to hide their activity and maintain persistence. They focus on branch routers, the devices that connect remote branch offices to the head office, because these routers are trusted by the wider corporate network. The compromised branch router is then used to proxy traffic, blend in with the corporate network’s normal traffic, and pivot to other systems within the same corporate network.
The firmware modifications let the attackers hide configuration changes and command history, and disable logging on the compromised device so that their activity leaves no trace.
On Cisco routers, the attackers have been observed enabling and disabling an SSH backdoor by sending specially crafted TCP or UDP packets to the device. The backdoor is turned on only when needed, which helps the attackers evade detection.
In several cases the attackers modified the memory of Cisco devices to bypass the Cisco ROM Monitor’s signature validation, allowing them to load modified firmware containing backdoors that give them covert access.
On compromised Cisco routers, the attackers have also modified Embedded Event Manager (EEM) policies, which are normally used to automate tasks, so that certain strings are stripped from legitimate commands. This prevents those commands from running and complicates forensic analysis.
Custom malware is nothing new for BlackTech. In 2021, reports from NTT and Unit 42 highlighted the group’s preference for such tools, and earlier reporting described the group compromising vulnerable routers and using them as command and control servers.
Defensive Measures: The advisory urges system administrators to watch for unauthorized downloads of bootloader and firmware images and for unusual device reboots, both of which may indicate that the firmware has been tampered with.
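Two of the checks this paragraph asks for, comparing the running firmware against a trusted baseline and flagging reboots or configuration changes that do not fit normal administration, as an added Python example that is not part of the advisory or of any vendor tool. The device names, image names, hashes, addresses, maintenance window and syslog lines are all constructed for illustration; the syslog lines follow the general shape of Cisco IOS messages but are not captured from a real device.

```python
"""Added example (not from the advisory or from Cisco): baseline and log
checks a defender might run over exported device data. Every value below
is constructed; hashes and addresses are placeholders."""
import re

# --- Part 1: running image vs. a trusted baseline ---------------------------
# Assumed: an operator records image name -> SHA-256 per device at deployment,
# taken from the vendor's published hashes. Placeholder digests are used here.
TRUSTED_IMAGES = {
    "branch-rtr-01": ("c1100-universalk9.EXAMPLE.bin", "0" * 64),
    "branch-rtr-02": ("c1100-universalk9.EXAMPLE.bin", "0" * 64),
}

# Constructed "current state" as collected from each device (for instance
# from `show version` plus a hash verification run). rtr-02 is now booting a
# different, older image, which is the downgrade pattern the advisory warns about.
OBSERVED_IMAGES = {
    "branch-rtr-01": ("c1100-universalk9.EXAMPLE.bin", "0" * 64),
    "branch-rtr-02": ("c1100-universalk9.OLD.bin", "f" * 64),
}


def image_discrepancies(trusted, observed):
    """Return (device, reason) pairs where the running image differs from baseline."""
    findings = []
    for device, (name, digest) in observed.items():
        base = trusted.get(device)
        if base is None:
            findings.append((device, "no baseline recorded"))
        elif base[0] != name:
            findings.append((device, f"image name changed: {base[0]} -> {name}"))
        elif base[1].lower() != digest.lower():
            findings.append((device, "image hash does not match baseline"))
    return findings


# --- Part 2: syslog review for unexpected reboots / config changes ----------
# Constructed syslog lines in the general shape of Cisco IOS messages.
SAMPLE_LOG = """\
Sep 27 02:14:03 branch-rtr-02 1234: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 203.0.113.77] [localport: 22] at 02:14:03 UTC
Sep 27 02:14:40 branch-rtr-02 1235: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (203.0.113.77)
Sep 27 02:15:10 branch-rtr-02 1236: %SYS-5-RELOAD: Reload requested by admin on vty0 (203.0.113.77). Reload Reason: Reload Command.
Sep 27 02:18:55 branch-rtr-02 1237: %SYS-5-RESTART: System restarted --
Sep 27 09:30:12 branch-rtr-01 2001: %SYS-5-CONFIG_I: Configured from console by netops on vty1 (10.10.5.20)
"""

ALLOWED_ADMIN_SOURCES = {"10.10.5.20"}  # assumed management jump host
MAINTENANCE_HOURS = range(9, 17)        # assumed change window, UTC

LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day>\d{1,2}) (?P<hh>\d\d):(?P<mm>\d\d):(?P<ss>\d\d) "
    r"(?P<host>\S+) \d+: %(?P<mnemonic>[A-Z_]+-\d-[A-Z_]+): (?P<msg>.*)$"
)
# Source address appears either as "(a.b.c.d)" or as "[Source: a.b.c.d]".
IP_RE = re.compile(r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)|\[Source: (?P<ip2>[\d.]+)\]")


def review_log(text, allowed_sources, window):
    """Return (host, mnemonic, reason) alerts for admin activity from unexpected
    sources and for reboots or config changes outside the maintenance window."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a message we understand; skip rather than guess
        hour = int(m["hh"])
        host, mnem, msg = m["host"], m["mnemonic"], m["msg"]
        ipm = IP_RE.search(msg)
        src = (ipm["ip"] or ipm["ip2"]) if ipm else None
        if src and src not in allowed_sources:
            alerts.append((host, mnem, f"admin activity from unexpected source {src}"))
        if mnem in ("SYS-5-RELOAD", "SYS-5-RESTART") and hour not in window:
            alerts.append((host, mnem, "reboot outside maintenance window"))
        if mnem == "SYS-5-CONFIG_I" and hour not in window:
            alerts.append((host, mnem, "configuration change outside maintenance window"))
    return alerts


if __name__ == "__main__":
    for device, reason in image_discrepancies(TRUSTED_IMAGES, OBSERVED_IMAGES):
        print(f"[image] {device}: {reason}")
    for host, mnem, reason in review_log(SAMPLE_LOG, ALLOWED_ADMIN_SOURCES, MAINTENANCE_HOURS):
        print(f"[log]   {host} {mnem}: {reason}")
```

The image check deliberately compares the image name before the hash, so a downgrade to an older signed image (the technique Cisco notes only affects older products) is reported even when the old image is a genuine vendor build. The log review is only as good as the log feed: the advisory notes the attackers disable logging on compromised devices, so a device that stops sending syslog at all is itself a finding worth alerting on.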
Among the suggested protective measures are:
- Use the “transport output none” command to block unwanted outbound connections from the device.
- Monitor device traffic closely, watching for unauthorized access, and separate administrative systems onto their own VLANs.
- Restrict network administration access to specific IP addresses and keep logs of login activity.
- Prioritize transitioning to devices equipped with enhanced secure boot features and ensure timely updates of outdated equipment.
- Swiftly modify passwords and keys upon suspecting a security breach.
- Regularly review logs for unusual activities, such as unexpected reboots or configuration alterations.
- Adopt the Network Device Integrity (NDI) methodology to identify unauthorized modifications.
- Regularly compare boot records and firmware against trusted versions for discrepancies.
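The first three measures in the list are configuration settings, so a defender can audit a saved running-config for them. The following is an added Python example, not part of the advisory or of any Cisco tool, that lints a config excerpt for “transport output none”, an inbound access-class on the vty lines, and login logging. The two configuration excerpts are constructed; the hostname, ACL name and management address are placeholders.

```python
"""Added example (not from the advisory or from Cisco): a lint over a saved
running-config for the vty hardening measures listed in the advisory.
Both config excerpts are constructed for illustration."""
import re

# Constructed weak state: outbound transport open, no access-class on the vty
# lines, and no logging of login attempts.
WEAK_CONFIG = """\
hostname branch-rtr-02
!
line vty 0 4
 transport input ssh
 transport output all
!
"""

# The same excerpt after applying the listed measures. MGMT-HOSTS and
# 10.10.5.20 are placeholders for the operator's management ACL and jump host.
HARDENED_CONFIG = """\
hostname branch-rtr-02
!
login on-success log
login on-failure log
!
ip access-list standard MGMT-HOSTS
 permit 10.10.5.20
 deny   any log
!
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 transport output none
!
"""


def parse_line_sections(config):
    """Map each 'line ...' header to the indented commands beneath it."""
    sections = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            sections[current] = []
        elif raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = None  # '!' or another top-level command ends the block
    return sections


def audit_config(config):
    """Return a list of findings; an empty list means all checks passed."""
    findings = []
    global_lines = {l.strip() for l in config.splitlines() if not l.startswith(" ")}
    for name, body in parse_line_sections(config).items():
        if not name.startswith("line vty"):
            continue
        if "transport output none" not in body:
            findings.append(f"{name}: outbound connections not restricted "
                            f"(expected 'transport output none')")
        if not any(re.match(r"access-class \S+ in$", cmd) for cmd in body):
            findings.append(f"{name}: no inbound access-class limiting admin sources")
    for cmd in ("login on-success log", "login on-failure log"):
        if cmd not in global_lines:
            findings.append(f"global: '{cmd}' missing, login activity not logged")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit_config(cfg) or 'no findings'}")
```

The lint only inspects text that was exported from the device; on a router whose firmware has been modified to hide configuration changes, the exported config may not reflect what is actually running, which is why the advisory pairs these settings with firmware and boot-record comparison against trusted copies.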
Cisco has also published an advisory on the matter, stressing that there is no evidence that BlackTech exploits any vulnerability in Cisco products or uses stolen certificates to sign its malware.
Cisco further clarified that the firmware downgrade technique used to bypass security features only affects its older products.
Network devices have increasingly been targeted over the past year, with China-linked hackers also deploying custom malware against Fortinet, TP-Link and SonicWall devices.
Because edge network devices usually cannot run EDR (Endpoint Detection and Response) software, they are attractive targets for these threat actors.
As Mandiant CTO Charles Carmakal said in May, “A consistent pattern has emerged showing a China-related cyber espionage focus on network appliances and IoT devices that aren’t equipped with EDR solutions.”
Network administrators are therefore advised to apply security patches to edge devices as soon as they are released and to keep management consoles off the public internet.