US and Japan Warn of Chinese Hackers Backdooring Cisco Routers

Cyber Security Threat Summary:
US and Japanese law enforcement and cybersecurity agencies warn of the Chinese 'BlackTech' hackers breaching network devices to install custom backdoors for access to corporate networks. The joint report comes from the FBI, NSA, CISA, and the Japanese NISC (cybersecurity) and NPA (police), who explain that the state-sponsored hacking group is breaching network devices at international subsidiaries to pivot to the networks of corporate headquarters” (Bleeping Computer, 2023).

BlackTech emerged in 2010 and is a state-sponsored Chinese APT group known for carrying out cyber espionage campaigns against Japan, Taiwan, and Hong Kong-based entities. The group typically targets government entities, and organizations in industrial, technology, media, electronics, telecommunication, and the defense industry.

According to the FBI, the group uses custom, regularly updated malware, to backdoor network devices. The malware is used to maintain persistence, gain initial access, and steal data by redirecting traffic to attacker controlled servers.

Security Officer Comments:
The joint advisory highlights the fact that the custom malware is sometimes signed using stolen code-signing certificates, which makes it harder for security software to detect. Using stolen admin credentials, the attackers can compromise a broad range of router brands, models, and versions, establish persistence, and move laterally through the network.

"Specifically, upon gaining an initial foothold into a target network and gaining administrator access to network edge devices, BlackTech cyber actors often modify the firmware to hide their activity across the edge devices to further maintain persistence in the network. To extend their foothold across an organization, BlackTech actors target branch routers—typically smaller appliances used at remote branch offices to connect to a corporate headquarters—and then abuse the trusted relationship of the branch routers within the corporate network being targeted. BlackTech actors then use the compromised public-facing branch routers as part of their infrastructure for proxying traffic, blending in with corporate network traffic, and pivoting to other victims on the same corporate network" (CISA, 2023).

After modifying the firmware, threat actors can hide configuration changes and any logs showing executed commands. “For Cisco routers in particular, researchers have observed the attackers enabling and disabling an SSH backdoor by using specially crafted TCP or UDP packets that are sent to the devices. This method allows the attackers to evade detection and only enable the backdoor when necessary” (Bleeping Computer, 2023).

The threat actors were also seen patching the memory of Cisco devices to bypass the Cisco ROM Monitor’s signature validation functions. This allows the adversary to load modified firmware onto the device. In cases of breached Cisco routers, the hackers also modify EEM policies used for task automation, removing certain strings from legitimate commands to block their execution and hinder forensic analysis.

T1588.003 - Obtain Capabilities: Code Signing Certificates
BlackTech actors use stolen code-signing certificates to sign payloads and evade defenses.

TA0001 - Initial Access
BlackTech actors gain access to victim networks by exploiting routers.

T1199 - Trusted Relationship
BlackTech actors exploit trusted domain relationships of routers to gain access to victim networks.

T1205 - Traffic Signaling
BlackTech actors send specially crafted packets to enable or disable backdoor functionality on a compromised router.

T1542.004 - Pre-OS Boot: ROMMONkit
BlackTech actors modify router firmware to maintain persistence.

T1112 - Modify Registry
BlackTech actors modify the victim’s registry.

T1562 - Impair Defenses
BlackTech actors disable logging on compromised routers to avoid detection and evade defenses.

T1562.003 - Impair Defenses: Impair Command History Logging
BlackTech actors disable logging on the compromised routers to prevent logging of any commands issued.

T1601.001 - Modify System Image: Patch System Image
BlackTech actors modify router firmware to evade detection.

T1021.001 - Remote Services: Remote Desktop Protocol
BlackTech actors use RDP to move laterally across a victim’s network.

T1021.004 - Remote Services: SSH
BlackTech actors use SSH to move laterally across a victim’s network.

T1071.002 - Application Layer Protocol: File Transfer Protocols BlackTech actors use FTP to move data through a victim’s network or to deliver scripts for compromising routers.

T1090 - Proxy
BlackTech actors use compromised routers to proxy traffic.

Suggested Correction(s):
The following are the best mitigation practices to defend against this type of malicious activity:

  • Disable outbound connections by applying the "transport output none" configuration command to the virtual teletype (VTY) lines. This command will prevent some copy commands from successfully connecting to external systems. Note: An adversary with unauthorized privileged level access to a network device could revert this configuration change.
  • Monitor both inbound and outbound connections from network devices to both external and internal systems. In general, network devices should only be connecting to nearby devices for exchanging routing or network topology information or with administrative systems for time synchronization, logging, authentication, monitoring, etc. If feasible, block unauthorized outbound connections from network devices by applying access lists or rule sets to other nearby network devices. Additionally, place administrative systems in separate virtual local area networks (VLANs) and block all unauthorized traffic from network devices destined for non-administrative VLANs.
  • Limit access to administration services and only permit IP addresses used by network administrators by applying access lists to the VTY lines or specific services. Monitor logs for successful and unsuccessful login attempts with the "login on-failure log" and "login on-success log" configuration commands, or by reviewing centralized Authentication, Authorization, and Accounting (AAA) events.
  • Upgrade devices to ones that have secure boot capabilities with better integrity and authenticity checks for bootloaders and firmware. In particular, highly prioritize replacing all end-of-life and unsupported equipment as soon as possible.
  • When there is a concern that a single password has been compromised, change all passwords and keys.
  • Review logs generated by network devices and monitor for unauthorized reboots, operating system version changes, changes to the configuration, or attempts to update the firmware. Compare against expected configuration changes and patching plans to verify that the changes are authorized.
  • Periodically perform both file and memory verification described in the Network Device Integrity (NDI) Methodology documents to detect unauthorized changes to the software stored and running on network devices.
  • Monitor for changes to firmware. Periodically take snapshots of boot records and firmware and compare against known good images.
Link(s): CISA PDF: