
BlackTech APT Breaks in Cisco Routers, Targets U.S. and Japanese Companies

A Chinese state-sponsored APT called BlackTech has been found breaking into network routers to remain undetected and move stealthily across a variety of organizations. In a joint advisory issued by the NSA, the FBI, CISA, and Japan’s NISC, the agencies disclosed that the group has been launching such attacks since 2010 and, lately, has been modifying Cisco router firmware to conceal its activity while targeting companies based in the U.S. and Japan.

Infection method

  • BlackTech actors often focus on branch routers (typically smaller appliances used at remote branch offices) and take advantage of the trusted connections between a victim and other entities to expand their access to the targeted networks.
  • In particular, once they gain initial access and administrator privileges on network edge devices, they often modify the firmware to conceal their activities and maintain persistence on the network.
  • According to the advisory, the attackers compromised several Cisco routers using variations of a customized firmware backdoor that could be enabled and disabled through specially crafted TCP or UDP packets.
  • In some cases, the group has been caught replacing the firmware for certain Cisco IOS-based routers with malicious versions to establish persistent backdoor access and obfuscate malicious activity.

About BlackTech

  • The group uses custom malware, dual-use tools, and living-off-the-land tactics, such as disabling logging on routers, to conceal its operations.
  • Over the years, the group has continuously updated its evasion tools and now uses stolen code-signing certificates to make its malicious software look legitimate. 
  • The advisory states that BlackTech has become skilled at seamlessly integrating its actions with regular network operations, enabling it to avoid detection by endpoint detection solutions and other security measures.

Global reach of Chinese threat actors

  • The advisory comes after recent updates from cybersecurity firms about the activities of China-based hackers.
  • Insikt Group tracked a multi-year Chinese state-sponsored cyberespionage campaign by the TAG-74 group targeting South Korean academic, political, and government organizations.
  • Volexity identified a five-year-long campaign by the EvilBamboo group targeting Tibetan, Uyghur, and Taiwanese individuals and organizations. These targets represented three of the so-called “Five Poisons” of the Chinese Communist Party.
  • Separately, Proofpoint highlighted a worrying increase in activity from specific malware families targeting Chinese-language speakers. A new ValleyRAT malware was found being distributed alongside Sainbox RAT and Purple Fox malware onto the victim’s systems.

Conclusion

Upon reviewing the findings of the latest BlackTech APT campaign, Cisco confirmed that there is no indication that any vulnerabilities in its networking devices were exploited. While legacy devices are vulnerable to these attacks, modern Cisco devices that include secure boot capabilities are safe, as they do not allow the loading and execution of modified software images.
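As an added example (not part of the advisory or this article), the following Python sketches two defender-side checks that the infection method and the "disabling logging" tactic described above motivate: comparing a router's firmware image hash against a known-good baseline, and flagging configuration lines that switch off or remove logging. The image name, image bytes, hashes, and configuration snapshot are constructed placeholders, not real Cisco artifacts.

```python
import hashlib
import re

# Constructed sample data (not real Cisco images or hashes).
GOLDEN_IMAGE = b"constructed vendor-supplied IOS image bytes"
TAMPERED_IMAGE = GOLDEN_IMAGE + b"\x00constructed modified bytes"  # differs by a few bytes


def sha512_hex(data: bytes) -> str:
    """Hash an image file's contents; vendors publish SHA-512 values for images."""
    return hashlib.sha512(data).hexdigest()


# Known-good baseline, recorded when the image is obtained from the vendor.
# In practice the hash would be copied from the vendor's download page.
BASELINE = {"router-image-EXAMPLE.bin": sha512_hex(GOLDEN_IMAGE)}


def check_image(name: str, data: bytes, baseline: dict) -> str:
    """Compare the image found on a device against the baseline.

    Returns 'ok', 'mismatch' (same filename, different content: what a
    replaced firmware image produces) or 'unknown-image' (never baselined).
    """
    expected = baseline.get(name)
    if expected is None:
        return "unknown-image"
    return "ok" if sha512_hex(data) == expected else "mismatch"


# IOS lines that turn logging off or remove a logging destination.
LOGGING_OFF = re.compile(r"^\s*no logging\b")

# Constructed running-config excerpt from a hypothetical branch router.
SAMPLE_CONFIG = """\
hostname branch-rtr-01
logging buffered 16384
no logging on
no logging host 192.0.2.10
ntp server 192.0.2.1
"""


def find_logging_disabled(config: str) -> list:
    """Return config lines that disable logging or drop a syslog destination."""
    return [ln.strip() for ln in config.splitlines() if LOGGING_OFF.match(ln)]


if __name__ == "__main__":
    for name, blob in [("router-image-EXAMPLE.bin", GOLDEN_IMAGE),
                       ("router-image-EXAMPLE.bin", TAMPERED_IMAGE),
                       ("unknown-image.bin", GOLDEN_IMAGE)]:
        print(name, check_image(name, blob, BASELINE))
    print("logging disabled by:", find_logging_disabled(SAMPLE_CONFIG))
```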
Cyware Publisher