April 19, 2024

Researchers have spotted the Chinese state-sponsored APT group Mustang Panda, which has been associated with a series of targeted attacks exploiting TP-Link routers.

The campaign has been active since January and is aimed at European foreign affairs entities by using malicious firmware images that are designed explicitly for TP-Link routers. 

The implants contain a custom backdoor dubbed Horse Shell, which enables attackers to maintain persistent access, develop anonymous infrastructure, and lateral movement in compromised networks. 

Advertisements

The unique aspect of the backdoor implant is that it can be integrated into various firmware by different vendors, thus, increasing the scope of attacks.

The Horse Shell backdoor is written in C++ and compiled for MIPS32-based operating systems. The system information collected by Horse Shell includes user name, system name, OS version, OS time, CPU architecture, IP address, MAC address, and number of active connections.

The backdoor provides various functionalities, including remote Shell, Tunneling, and File transfer.

While the deployment of malicious firmware images is still unclear, it is estimated that the attackers gained access to routers by either scanning known vulnerabilities or using default and guessable passwords.

Advertisements

The discovery of Mustang Panda’s malicious implant on TP-Link routers highlights the need for enhanced endpoint security.

  • It is advised to change the default login credentials of devices connected to the internet to stronger passwords
  • Use multi-factor authentication whenever possible.
  • Make sure to regularly update routers and other device firmware to prevent attackers from exploiting vulnerabilities.

This research was documented by researchers from Checkpoint

Indicators of Compromise

  • 998788472cb1502c03675a15a9f09b12f3877a5aeb687f891458a414b8e0d66c
  • 7985f992dcc6fcce76ee2892700c8538af075bd991625156bf2482dbfebd5a5a
  • ed3d667a4fa92d78a0a54f696f4e8ff254def8d6f3208e6fe426dbe7fb3f3dd0
  • 66cc81a7d865941cb32ed7b1b84b20270d7d667b523cab28b856cd4e85f135b6
  • 8a2e9f6c2b0c898090fdce021b3813313e73a256a5de39c100bf9868abc09dbb
  • da046a1fe6f3b94e48c24ffd341f8d97bfc06252ddf4d332e8e2478262ad1964
Tags:

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

You may have missed

HashiCorp Critical Vulnerability – CVE-2024-3817

April 18, 2024

Cisco Integrated Management Controller Vulnerabilities

April 18, 2024

Windows Kernel Vulnerability – CVE-2024-21338 PoC Exploit Released

April 17, 2024

Cisco Duo Identify Data Breach

April 17, 2024

Tanium new Automate Feature

April 16, 2024

Patch released CVE-2024-3400 added to KEV Catalog

April 16, 2024

Discover more from TheCyberThrone

Subscribe now to keep reading and get access to the full archive.

Continue reading