A Chinese state-sponsored APT called BlackTech has been caught hacking into network edge devices and using firmware implants to stay hidden and silently hop around the corporate networks of U.S. and Japanese multinational companies.
According to a high-powered joint advisory from the NSA, FBI, CISA and Japan’s NISC, BlackTech has been observed modifying router firmware on Cisco routers to maintain stealthy persistence and pivot from international subsidiaries to headquarters in Japan and the United States.
“Specifically, upon gaining an initial foothold into a target network and gaining administrator access to network edge devices, BlackTech cyber actors often modify the firmware to hide their activity across the edge devices to further maintain persistence in the network,” the agencies warned.
To extend their foothold across an organization, the BlackTech attackers target branch routers — typically smaller appliances used at remote branch offices to connect to a corporate headquarters — and abuse the trusted relationship of the branch routers within the corporate network being targeted.
The attackers then use the compromised public-facing branch routers as part of their infrastructure for proxying traffic, blending in with corporate network traffic, and pivoting to other victims on the same corporate network.
BlackTech, active since at least 2010, is a prolific Chinese APT that targets government, industrial, technology, media, electronics, and telecommunication sectors, including entities that support the militaries of the U.S. and Japan.
The actor has traditionally used custom malware, dual-use tools, and living-off-the-land tactics, such as disabling logging on routers, to conceal its operations.
According to the advisory, BlackTech hackers have compromised several Cisco routers using variations of a customized firmware backdoor that is enabled and disabled through specially crafted TCP or UDP packets.
In some cases, the group has been caught replacing the firmware for certain Cisco IOS-based routers with malicious firmware.
“Although BlackTech actors already had elevated privileges on the router to replace the firmware via command-line execution, the malicious firmware is used to establish persistent backdoor access and obfuscate future malicious activity,” the agencies said.
In the observed attacks, the modified firmware used a built-in SSH backdoor that allowed BlackTech actors to maintain access to the compromised router without any connections being logged.
The attackers also bypassed the router’s built-in security features in a complex scheme involving the installation of older legitimate firmware files that are then modified in memory to bypass firmware signature checks and evade detection.
In the joint advisory, the agencies are recommending that defenders monitor both inbound and outbound connections from network devices to both external and internal systems, and check logs for successful and unsuccessful login attempts with the “login on-failure log” and “login on-success log” configuration commands.
Businesses are also being nudged to upgrade to devices with secure boot capabilities, to review the logs generated by network devices, and to monitor for unauthorized reboots, operating system version changes, configuration changes, or attempts to update the firmware.
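As an added example (not code from the advisory or the article), the following Python script runs the agencies' recommended checks over constructed Cisco IOS syslog lines: it flags successful logins from sources outside a management allowlist, failed-then-successful logins from the same source, configuration changes (`%SYS-5-CONFIG_I`) and reboots (`%SYS-5-RESTART`). The rule names, the allowlist and the sample log are assumptions; the `SEC_LOGIN` messages are the ones the `login on-failure log` and `login on-success log` commands produce.

```python
import re

# Constructed sample Cisco IOS syslog lines (not taken from the advisory).
# SEC_LOGIN lines come from "login on-failure log" / "login on-success log";
# CONFIG_I and RESTART are the config-change and reboot events to watch.
SAMPLE_LOG = """\
Sep 27 02:14:01 branch-rtr1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed]
Sep 27 02:14:09 branch-rtr1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed]
Sep 27 02:14:20 branch-rtr1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 198.51.100.7] [localport: 22]
Sep 27 02:15:03 branch-rtr1 %SYS-5-CONFIG_I: Configured from console by admin on vty0 (198.51.100.7)
Sep 27 02:31:44 branch-rtr1 %SYS-5-RESTART: System restarted --
Sep 27 09:00:12 branch-rtr1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.20.0.5] [localport: 22]
"""

HOST = re.compile(r"^\w+ +\d+ [\d:]+ (?P<host>\S+) %")
LOGIN = re.compile(r"%SEC_LOGIN-\d-LOGIN_(?P<result>FAILED|SUCCESS):.*?"
                   r"\[user: (?P<user>[^\]]+)\].*?\[Source: (?P<src>[^\]]+)\]")


def triage(log_text, trusted_sources):
    """Return (rule, device, detail) findings over IOS syslog text.

    Rule names are hypothetical, chosen for this example:
      untrusted-login   successful login from outside the management allowlist
      fail-then-success failures from a source followed by a success from it
      config-change     %SYS-5-CONFIG_I: running configuration was modified
      reboot            %SYS-5-RESTART: device restarted (re-verify the image)
    """
    findings = []
    failures = {}  # (device, source) -> failed logins seen so far
    for line in log_text.splitlines():
        m = HOST.match(line)
        device = m.group("host") if m else "?"
        lm = LOGIN.search(line)
        if lm:
            src, key = lm.group("src"), (device, lm.group("src"))
            if lm.group("result") == "FAILED":
                failures[key] = failures.get(key, 0) + 1
                continue
            if src not in trusted_sources:
                findings.append(("untrusted-login", device, f"{lm.group('user')} from {src}"))
            if failures.get(key):
                findings.append(("fail-then-success", device, f"{failures[key]} failure(s) then success from {src}"))
        elif "%SYS-5-CONFIG_I" in line:
            findings.append(("config-change", device, line.split("CONFIG_I: ", 1)[1]))
        elif "%SYS-5-RESTART" in line:
            findings.append(("reboot", device, "restarted; compare image version and hash against baseline"))
    return findings


if __name__ == "__main__":
    for rule, device, detail in triage(SAMPLE_LOG, {"10.20.0.5"}):
        print(f"{rule:18} {device:12} {detail}")
```

Because the observed backdoor let the actors connect without any entries being logged, an empty result from this kind of check does not clear a device; pair it with out-of-band verification of the running image version and hash.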