Routers have been rooted by Chinese spies, US and Japan warn
BlackTech crew looking to steal sensitive data traffic
Chinese government spies may be hiding in your Cisco routers and using that access to steal intellectual property and other sensitive data, according to officials in the US and Japan.
In a joint advisory issued on Wednesday, the US Cybersecurity and Infrastructure Security Agency, the NSA and FBI, as well as Japan's National Police Agency (NPA), and its National Center of Incident Readiness and Strategy for Cybersecurity warned that BlackTech, a PCR-backed cyber-espionage gang, can modify router firmware without being detected and hop across networks for further shenanigans.
"BlackTech has demonstrated capabilities in modifying router firmware without detection and exploiting routers' domain-trust relationships for pivoting from international subsidiaries to headquarters in Japan and the US — the primary targets," the advisory warns.
The report singles out Cisco gear, but does note that the snoops could use similar techniques to set up backdoors in other networking equipment.
"Cisco is aware of the September 27 joint cybersecurity advisory (CSA) detailing activities by BlackTech cyber actors to target router firmware from multiple vendors," a Cisco spokesperson told The Register.
"There is no indication that any Cisco vulnerabilities were exploited as outlined in Cisco’s informational security advisory. Today’s alert underscores the urgent need for companies to update, patch, and securely configure their network devices – critical steps towards maintaining security hygiene and achieving overall network resilience."
This particular gang, also known as Palmerworm, Temp.Overboard, Circuit Panda, and Radio Panda, has been around since 2010 and targets government, industrial, technology, media, electronics, telecommunication, and defense players in the US and East Asia.
BlackTech use several custom malware codes against Windows, Linux, and FreeBSD operating systems, and all of the software nasties are listed in the US-Japan advisory. And once the attackers have replaced the routers' firmware, it's open season on data collection.
The crew compromise victims' routers by either downloading old, legitimate firmware, modified firmware with a built-in SSH backdoor, or modified bootloader, we're told. Here's how the process works, according to the governments:
"BlackTech actors use the Cisco router's CLI to replace the router's IOS image firmware. The process begins with the firmware being modified in memory — also called hot patching — to allow the installation of a modified bootloader and modified firmware capable of bypassing the router's security features. Then, a specifically constructed packet triggers the router to enable the backdoor that bypasses logging and the access control list (ACL)."
The report does not say how the Chinese state-spies initially gain access to the victims' devices, which could be as common as stolen credentials or some "wildly sophisticated" security flaw that can't be fixed, said Tom Pace, CEO of firmware security firm NetRise.
"It could be something as benign as just gaining access to credentials off those devices and logging in," Pace, the former US Department of Energy head of cybersecurity, told The Register. "But they might have dropped a no-day here, and Cisco or whomever is impacted is scrambling to release a patch for it."
Additionally, the Feds don't give any explanation for the timing of the joint security alert. This is noteworthy because, as Pace said, compromising networking gear "is the oldest type of compromise."
- Ransomware fiends pounce on Cisco VPN brute-force zero-day flaw
- Barracuda gateway attacks: How Chinese snoops keep a grip on victims' networks
- Cisco spends $28B on data cruncher Splunk in cybersecurity push
- Report: CIA eyes building AI chatbot to rival China
"We've had access to information for a long time about these kinds of things, Pace said. "This is not new."
There's all sorts of reasons why the intelligence agencies chose to highlight this specific threat at this particular time, he added. It could be that the agencies have visibility into real-world, large-scale compromises of Cisco routers. Or the governments may simply want to raise awareness.
Whatever the reason, "I love it," Pace said. "I think it's really positive for them to talk about these things happening. And I think that they probably recognize that they can't possibly address this problem on their own."
While he doesn't think the agencies are all that interested in "naming and shaming, per se, they certainly did," he added. "They certainly did that today by calling out the biggest telecommunications manufacturer on Planet Earth." ®