A cyber attack group `` Camaro Dragon '' supported by the Chinese government has a backdoor in the router and is infringing the network
Security company Check Point's research team, Check Point Research (CPR), has revealed the existence of an implant for routers that allows attackers to avoid detection while gaining complete control over infected devices and accessing compromised networks. I was. The implant is believed to be the APT (Advanced Persistent Threat) group 'Camaro Dragon' supported by the Chinese government.
Check Point Research reveals a malicious firmware implant for TP-Link routers, linked to Chinese APT group - Check Point Blog
The Dragon Who Sold His Camaro: Analyzing Custom Router Implant - Check Point Research
Malware turns home routers into proxies for Chinese state-sponsored hackers | Ars Technica
CPR investigated a targeted cyberattack against European diplomatic institutions and attributed it to the APT group Camaro Dragon.
CPR's investigation found a malicious firmware implant made for TP-Link routers containing various malicious components, including a custom backdoor called 'Horse Shell'.
'Horse Shell' gives attackers complete control over malware-infected devices and allows them to access compromised networks without detection.
``Horse Shell'' consists of ``remote shell'' that executes arbitrary commands on infected routers, ``file transfer'' that uploads and downloads files between infected routers, and ``SOCKS5'' that relays communication between different clients. It provides attackers with three functions of “tunneling”.
It is not clear how the router was implanted, and CPR is either using known vulnerabilities or targeting terminals with default settings or easily guessed passwords to prevent access. I'm guessing that it may have been successful.
CPR notes that this type of attack is notable for targeting home networks rather than sensitive networks. In addition, aiming at the home network is not to target a specific home, but to use it as a relay point, and the home router is just a means for attackers to achieve their goals.
According to CPR, the implant's components are firmware-agnostic, and a wide range of devices and vendors other than TP-Link may be at risk. In addition, TP-Link did not comment on the news site Ars Technica's coverage.
Related Posts:
in Security, Posted by logc_nt