One of China’s state-backed hacking groups can modify Cisco routers without being detected and install custom firmware that gives it persistent access, according to a new joint cybersecurity advisory published by CISA together with the NSA, the FBI and Japan’s National Police Agency (NPA) and National Center of Incident Readiness and Strategy for Cybersecurity (NISC). The Chinese hackers use an assortment of techniques to avoid detection, and after gaining an initial foothold they spread through corporate networks by compromising the routers at branch offices and subsidiaries.
“BlackTech” Chinese hackers able to live off the land for months to years
One of China’s dozens of state-backed advanced persistent threat teams, “BlackTech” has been in business since at least 2010 and is known to have a specific focus on private companies in the US and in East Asian nations that possess technology of interest to the Chinese government or that are military contractors. The group targets trusted domain relationships to move back and forth between the domestic headquarters of companies and international subsidiaries, usually dwelling and quietly exfiltrating information for an extended period of time.
The Chinese hackers generally first approach with custom malware, of which they have a broad assortment targeting Windows, Linux and FreeBSD systems. The group routinely signs its tools with stolen code-signing certificates to evade automated scans, and updates them regularly to stay ahead of antivirus/antimalware software.
The group is most interested in US and Japanese companies, usually first attacking international subsidiaries with the end goal of penetrating the corporate headquarters. Compromise of routers is key to this. The first step for the Chinese hackers is to take over a router at a small branch office, and leverage its trusted relationship within the internal network as a way to blend in with normal traffic and expand access.
The key to dwelling on these routers is custom firmware. The Chinese hackers have been observed deploying it on several different types of Cisco router, and in theory the approach could be adapted to other routers and network equipment. The modified firmware contains an SSH backdoor that the attackers switch on and off by sending the router a specially crafted “magic packet”; the firmware also bypasses the router’s logging, so the backdoor sessions do not show up in logs.
The Cisco routers have built-in security meant to prevent this sort of breach, but the Chinese hackers circumvent it by first downgrading the device to an older, legitimate firmware version that can be tampered with. They then modify that firmware in memory so that it accepts a modified, unsigned bootloader and the custom firmware, which is what allows the implant to survive reboots and evade detection.
Custom firmware approach most likely to work with legacy devices
The security advisory does not provide a specific list of vulnerable Cisco routers, but it does note that the custom firmware loading approach is more likely to succeed against older legacy devices. According to Cisco, this is because newer devices with secure boot do not allow the older firmware to be loaded as the initial step of the attack.
Though it is not yet clear whether there is a connection, in April a similar joint security advisory was published regarding Russian state-backed hackers targeting Cisco IOS routers. That attack did not involve custom firmware; it used an SNMP vulnerability (CVE-2017-6742) to deploy a malware strain called “Jaguar Tooth” that bypassed the router’s password checks.
John Gallagher, Vice President of Viakoo Labs at Viakoo, notes that router security issues have been far from uncommon as of late: “Routers and other forms of IoT devices have often been used as a means of gaining access due to them being managed outside of IT and having inherently poor security (think of how many home routers still have default factory-set credentials). Not surprisingly, routers have often appeared on CISA’s Known Exploited Vulnerabilities (KEV) catalog. Whether remote offices, home offices, warehouses, or factory floors, many organizations have powerful network-connected devices that are outside the direct management of IT. This leads to situations like the one described here, where IoT devices within a foreign operation were used to gain initial access … This points to a more widespread security issue with edge, IoT, and OT devices, which is the lack of secure firmware distribution. Many firmware packages are not digitally signed, and, even worse, firmware is often downloaded by using a search engine that may provide links to compromised firmware. Before deploying new firmware onto IoT devices it should first go through testing in order to create a secure chain of trust in using that firmware.”
Cisco has responded to the story by saying that the attackers are most likely using stolen administrator credentials rather than exploiting any known vulnerability. The company’s position is that the devices being hit are older routers that lack the modern secure boot feature which prevents this type of bootloading, and that the Chinese hackers get onto them after phishing or otherwise stealing employee credentials.
Upgrading to equipment with secure boot would therefore close off the custom firmware avenue of attack, though it does nothing about the stolen credentials that get the attackers onto the router in the first place. The advisory accordingly includes a variety of mitigation measures that potentially vulnerable organizations can make use of. Basic suggestions include limiting access to administration services to the IP addresses used by network administrators (for example with access lists on the VTY lines), placing administrative systems in separate virtual local area networks (VLANs) and blocking all unauthorized traffic from network devices destined for non-administrative VLANs, and limiting network device connections to the exchange of routing or network topology information and to interfacing with administrative systems. Administrators can also disable outbound connections by applying the “transport output none” configuration command to the virtual teletype (VTY) lines, though the advisory warns that an attacker with sufficiently high privileges can subvert this. On the detection side, the advisory recommends reviewing network device logs for unauthorized reboots, operating system version changes, configuration changes and firmware update attempts, comparing them against expected change and patching plans, and periodically verifying the running firmware and boot records against known-good images.
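The following Python script is an added example, not code from the advisory, from Cisco or from the article: it audits a Cisco IOS running-config for the two VTY hardening settings discussed above (an inbound access-class restricting admin access to administrator IPs, and “transport output none”), and scans IOS syslog lines for the firmware-downgrade chain described earlier, flagging configuration changes, boot image changes, reloads and a reported IOS version that differs from the expected baseline. The config text, the syslog lines, the device name, the addresses, the image filename and the baseline version are all constructed for illustration; the %SYS-5-CONFIG_I, %SYS-5-RELOAD, %SYS-5-RESTART and %PARSER-5-CFGLOG_LOGGEDCMD message formats follow real IOS mnemonics but the sample messages are assumptions rather than captured logs.

```python
"""Added example: audit IOS VTY hardening and scan IOS syslog for the
reboot / config / boot-image / version-change events the advisory says to watch."""
from __future__ import annotations
import re

# --- constructed sample data (assumptions, not captured from a real device) ---
SAMPLE_CONFIG = """\
hostname branch-rtr-1
!
ip access-list standard MGMT-HOSTS
 permit 10.10.1.0 0.0.0.255
!
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 transport output none
line vty 5 15
 transport input ssh
!
end
"""

SAMPLE_SYSLOG = [
    "Sep 27 02:11:03 branch-rtr-1 3042: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.10.1.20)",
    "Sep 27 02:11:40 branch-rtr-1 3043: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:boot system flash:c1900-universalk9-mz.SPA.151-4.M12.bin",
    "Sep 27 02:12:01 branch-rtr-1 3044: %SYS-5-RELOAD: Reload requested by admin on vty0 (10.10.1.20). Reload Reason: Reload Command.",
    "Sep 27 02:14:55 branch-rtr-1 3045: %SYS-5-RESTART: System restarted -- Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.1(4)M12, RELEASE SOFTWARE (fc1)",
    "Sep 27 02:20:00 branch-rtr-1 3046: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up",
]

EXPECTED_VERSION = "15.1(4)M12" if False else "15.7(3)M8"  # assumed known-good baseline for this device


def audit_vty(config_text: str) -> list[str]:
    """Return one finding per 'line vty' stanza that lacks an inbound
    access-class or 'transport output none'."""
    findings: list[str] = []
    stanza: str | None = None
    body: list[str] = []

    def flush() -> None:
        if stanza is None:
            return
        if not any(re.match(r"access-class \S+ in\b", l) for l in body):
            findings.append(f"{stanza}: no inbound access-class (admin access not limited to admin IPs)")
        if "transport output none" not in body:
            findings.append(f"{stanza}: outbound connections not disabled (transport output none)")

    for raw in config_text.splitlines():
        if raw.startswith(" ") and stanza is not None:
            body.append(raw.strip())          # indented line belongs to the open vty stanza
        else:
            flush()                            # any top-level line closes the previous stanza
            stanza = raw.strip() if raw.startswith("line vty") else None
            body = []
    flush()
    return findings


SYSLOG_RE = re.compile(r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+):\s*(?P<msg>.*)")


def scan_syslog(lines: list[str], expected_version: str = EXPECTED_VERSION) -> list[tuple[str, str]]:
    """Return (alert_kind, line) pairs for events worth comparing against the
    change calendar: reboots, version changes, config changes, boot/image changes."""
    alerts: list[tuple[str, str]] = []
    for line in lines:
        m = SYSLOG_RE.search(line)
        if not m:
            continue
        mnem, msg = m["mnem"], m["msg"]
        if mnem in ("RELOAD", "RESTART"):
            alerts.append(("reboot", line))
            v = re.search(r"Version (\S+)", msg)   # RESTART reports the image version that came up
            if v and v.group(1).rstrip(",") != expected_version:
                alerts.append(("version-change", line))
        elif mnem == "CONFIG_I":
            alerts.append(("config-change", line))
        elif mnem == "CFGLOG_LOGGEDCMD" and re.search(r"\b(boot system|copy)\b", msg):
            alerts.append(("boot-or-image-change", line))   # needs 'archive log config' on the device
    return alerts


if __name__ == "__main__":
    for f in audit_vty(SAMPLE_CONFIG):
        print("CONFIG:", f)
    for kind, line in scan_syslog(SAMPLE_SYSLOG):
        print(f"ALERT [{kind}]: {line}")
```

In the constructed sample the admin session comes from an address inside the permitted management range, which is exactly the point of the advisory’s log review: a credential thief looks like an administrator, so a boot-image change followed by a reload that comes back on an older IOS release has to be matched against the patching plan rather than trusted because the source IP was allowed.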