Hackers Caught Hiding in Cisco Router Firmware
A Chinese state-sponsored advanced persistent threat (APT) called BlackTech was caught modifying router firmware on Cisco routers to maintain stealthy persistence and pivot from international subsidiaries to corporate headquarters.
The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently hop around the corporate networks of U.S. and Japanese companies.
The attackers used a variety of methods to exploit the Cisco routers, including:
· Exploiting vulnerabilities in the Cisco IOS software running on the routers.
· Using social engineering techniques to trick victims into installing malicious firmware.
· Replacing legitimate firmware with malicious firmware.
Once the attackers had compromised a router, they would use it to launch further attacks on the network, such as stealing data or installing malware on other devices.
“After gaining an initial foothold into a target network and gaining administrator access to network edge devices, BlackTech cyber actors often modify the firmware to hide their activity across the edge devices to further maintain persistence in the network,” the agencies warned.
To extend their foothold across an organization, the BlackTech attackers target branch routers — typically smaller appliances used at remote branch offices to connect to a corporate headquarters — and abuse the trusted relationship of the branch routers within the corporate network being targeted.
The attackers then use the compromised public-facing branch routers as part of their infrastructure for proxying traffic, blending in with corporate network traffic, and pivoting to other victims on the same corporate network.
The actor has traditionally used custom malware, dual-use tools, and living-off-the-land tactics, such as disabling logging on routers, to conceal their operations.
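The two indicators described above, a modified firmware image and logging switched off on the router, can both be checked from ordinary Cisco IOS CLI output. The following script is an added example written for this page, not code from the advisory or from Cisco: it parses captured `show version`, `verify /md5` and `show running-config` output (the samples below are constructed, not real device captures), compares the booted image's hash against a known-good value the operator recorded from Cisco's software download page at deployment time (the hash values here are made up), and flags the logging-disabled settings an intruder would leave behind.

```python
import re

# Constructed sample CLI captures standing in for output collected from a
# Cisco IOS branch router. They are illustrative only, not real device output.
SHOW_VERSION = """\
Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.7(3)M2, RELEASE SOFTWARE (fc1)
branch-rtr-01 uptime is 41 weeks, 3 days, 2 hours, 17 minutes
System image file is "flash0:c2900-universalk9-mz.SPA.157-3.M2.bin"
"""

VERIFY_MD5 = """\
branch-rtr-01#verify /md5 flash0:c2900-universalk9-mz.SPA.157-3.M2.bin
.......................Done!
verify /md5 (flash0:c2900-universalk9-mz.SPA.157-3.M2.bin) = 9f1c2a7d0b4e6f8a3c5d7e9b1a2c4d6e
"""

RUNNING_CONFIG = """\
!
hostname branch-rtr-01
!
no logging on
no logging buffered
logging console
!
interface GigabitEthernet0/0
 ip address 203.0.113.10 255.255.255.0
!
"""

# Known-good hashes as an operator would record them from Cisco's download
# page when the image was deployed. The value below is made up for the example.
KNOWN_GOOD_MD5 = {
    "c2900-universalk9-mz.SPA.157-3.M2.bin": "0d4e8b2c6a1f3e5d7c9b1a3f5e7d9c1b",
}

IMAGE_RE = re.compile(r'System image file is "(?P<path>[^"]+)"')
MD5_RE = re.compile(r'verify /md5 \((?P<path>[^)]+)\) = (?P<md5>[0-9a-fA-F]{32})')
SYSLOG_HOST_RE = re.compile(r"logging (?:host )?\d{1,3}(?:\.\d{1,3}){3}")


def booted_image(show_version: str):
    """Path of the image the router actually booted, from `show version`."""
    m = IMAGE_RE.search(show_version)
    return m.group("path") if m else None


def verified_hash(verify_output: str):
    """(image_path, md5) reported by `verify /md5`, or None if absent."""
    m = MD5_RE.search(verify_output)
    return (m.group("path"), m.group("md5").lower()) if m else None


def image_findings(show_version: str, verify_output: str, known_good: dict):
    """Flag a booted image whose on-box hash does not match the recorded baseline."""
    findings = []
    path = booted_image(show_version)
    verified = verified_hash(verify_output)
    if path is None or verified is None:
        return ["could not determine booted image or its hash from the captures"]
    verified_path, md5 = verified
    if verified_path != path:
        findings.append(f"hash was taken of {verified_path} but router booted {path}")
    # Strip the filesystem prefix (flash0:, bootflash:/...) to get the file name.
    name = path.rsplit(":", 1)[-1].rsplit("/", 1)[-1]
    expected = known_good.get(name)
    if expected is None:
        findings.append(f"no known-good hash recorded for {name}")
    elif expected.lower() != md5:
        findings.append(f"image hash mismatch for {name}: got {md5}, expected {expected}")
    return findings


def logging_findings(running_config: str):
    """Flag logging settings that leave the router unable to report activity."""
    findings = []
    lines = [ln.strip() for ln in running_config.splitlines()]
    if "no logging on" in lines:
        findings.append("logging globally disabled (no logging on)")
    if "no logging buffered" in lines:
        findings.append("local log buffer disabled (no logging buffered)")
    if not any(SYSLOG_HOST_RE.match(ln) for ln in lines):
        findings.append("no remote syslog destination configured (logging host)")
    return findings


def assess(show_version: str, verify_output: str, running_config: str, known_good: dict):
    """All findings for one device; an empty list means nothing suspicious was seen."""
    return image_findings(show_version, verify_output, known_good) + logging_findings(running_config)


if __name__ == "__main__":
    for finding in assess(SHOW_VERSION, VERIFY_MD5, RUNNING_CONFIG, KNOWN_GOOD_MD5):
        print("FINDING:", finding)
```

Two caveats apply when using checks like this. The hash reported by `verify /md5` is computed by the running IOS, so on a device without hardware-anchored boot integrity a tampered image can misreport it; where possible copy the image off the device and hash it on a trusted host, and compare against the value published by Cisco rather than one read from the router. And absence of the `no logging` lines is not proof of a clean device: the advisory describes actors re-enabling logging after their session, so the check belongs alongside remote syslog retention and a baseline of the device configuration taken before deployment.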
Cisco has published guidance and software updates in response to the advisory. Because the firmware modification described above requires administrator access to the device, the most effective defences are to keep router software and firmware current, restrict management-plane access to trusted hosts with strong credentials, and verify running images and logging configuration against a known-good baseline. Attackers continually develop new methods, so these checks need to be repeated rather than performed once.