Researchers have spotted a Chinese threat actor quietly manipulating Cisco routers to breach multinational organizations in the US and Japan.
The threat actor, dubbed BlackTech, has been found replacing device firmware with its own malicious version to establish persistence and pivot from smaller international subsidiaries to the headquarters of affected organizations.
According to the joint advisory, the affected organizations span the government, industrial, technology, media, electronics, and telecommunication sectors, and include “entities that support the militaries of the U.S. and Japan.”
The advisory does not detail any specific CVE affecting Cisco routers. Instead, it explains, “this TTP is not solely limited to Cisco routers, and similar techniques could be used to enable backdoors in other network equipment.”
Cisco routers have been compromised by BlackTech, and IP theft has gone on, ever since the company first helped China build its national Internet censorship apparatus, the so-called Great Firewall.
The group possesses a dozen different custom malware families for penetrating and gaining a foothold in Windows, Linux, and FreeBSD systems. These are lent an air of legitimacy by code-signing certificates and are constantly updated to evade antivirus detection.
Once firmly planted in a target network, BlackTech uses living-off-the-land style tools to evade endpoint detection, including NetCat shells, the Secure Shell Protocol (SSH), and the Remote Desktop Protocol (RDP).
The ultimate goal is to escalate within the target network until it obtains administrator privileges over vulnerable network routers. This is where the group distinguishes itself from other threat actors.
To cement control over the routers and conceal its many malicious activities, the group performs a downgrade attack.
First, it installs an old version of the router’s firmware. To gain persistence in this way, an attacker needs an authentication bypass vulnerability so that the firmware image can be modified to deliver malicious code onto the device.
BlackTech then hot-patches the old firmware in memory, modifying it without a shutdown or reboot, which enables the installation of a bootloader and its own malicious firmware with a built-in SSH backdoor.
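The downgrade-then-hot-patch sequence described above leaves traces a defender can look for: a firmware version that moved backwards, a boot image whose hash no longer matches the known-good baseline, and a reload nobody scheduled. The following is an added example, not code from the advisory or from Cisco; the router inventory is constructed, the hashes are placeholders, and the IOS-style version ordering is a simplification that ignores train letters.

```python
import re

# Constructed sample data (not from the advisory): a known-good baseline
# and a later poll of the same router fleet. A real pipeline would pull
# these values from "show version" output and image hashes via a
# management tool; the hashes here are placeholders.
BASELINE = {
    "edge-rtr-01": {"version": "15.2(4)M7", "image_sha256": "aaaa1111"},
    "edge-rtr-02": {"version": "15.2(4)M7", "image_sha256": "aaaa1111"},
    "branch-rtr-09": {"version": "15.1(3)T4", "image_sha256": "bbbb2222"},
}
OBSERVED = {
    "edge-rtr-01": {"version": "15.2(4)M7", "image_sha256": "aaaa1111", "uptime_s": 9_000_000},
    "edge-rtr-02": {"version": "15.0(1)M1", "image_sha256": "cccc3333", "uptime_s": 600},
    "branch-rtr-09": {"version": "15.1(3)T4", "image_sha256": "dddd4444", "uptime_s": 5_000_000},
}


def version_key(version):
    """Turn an IOS-style version string such as '15.2(4)M7' into the tuple
    (15, 2, 4, 7) so versions can be ordered. Train/feature letters are
    ignored; this is a simplification, not Cisco's own ordering rules."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def audit(baseline, observed, max_fresh_uptime_s=3600):
    """Compare a poll against the baseline and return (host, finding) pairs
    for downgrades, changed boot images, recent reloads and missing hosts."""
    findings = []
    for host, base in baseline.items():
        cur = observed.get(host)
        if cur is None:
            findings.append((host, "missing from poll"))
            continue
        if version_key(cur["version"]) < version_key(base["version"]):
            findings.append((host, f"firmware downgraded {base['version']} -> {cur['version']}"))
        if cur["image_sha256"] != base["image_sha256"]:
            findings.append((host, "boot image hash differs from baseline"))
        # A short uptime means the device reloaded recently; correlate with
        # the change calendar, since a legitimate upgrade also reloads.
        if cur.get("uptime_s", 10**9) < max_fresh_uptime_s:
            findings.append((host, "recent reload outside maintenance window"))
    return findings


if __name__ == "__main__":
    for host, finding in audit(BASELINE, OBSERVED):
        print(f"{host}: {finding}")
```

In this constructed data, edge-rtr-02 shows all three signs at once (downgrade, foreign image, fresh reload), which is the combination worth paging on; branch-rtr-09 only has a changed image hash and still deserves a look.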