Japanese and American authorities warn that "Chinese government hackers have installed backdoors in networks such as Cisco routers"



The United States' Federal Bureau of Investigation (FBI), National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA), together with Japan's National Cyber Security Center (NISC) and National Police Agency, have jointly issued an alert regarding cyber attacks by 'BlackTech', a hacker group backed by the Chinese government.

People's Republic of China-Linked Cyber Actors Hide in Router Firmware | CISA

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-270a

Cyber attack by BlackTech, a cyber attack group based in China (alert)
(PDF file) https://www.nisc.go.jp/pdf/press/20230927NISC_press.pdf

US and Japan warn of Chinese hackers backdooring Cisco routers
https://www.bleepingcomputer.com/news/security/us-and-japan-warn-of-chinese-hackers-backdooring-cisco-routers/

Backdoored firmware lets China state hackers control routers with “magic packets” | Ars Technica
https://arstechnica.com/security/2023/09/china-state-hackers-are-camping-out-in-cisco-routers-us-and-japan-warn/

BlackTech is a Chinese APT (Advanced Persistent Threat) group also known by other names such as 'Palmerworm' and 'Temp. It is known for conducting cyber espionage attacks against a wide range of targets, including organizations supporting the militaries of Japan and the United States, as well as government, industry, technology, media, electronics, telecommunications, and the defense industry.



According to NISC, BlackTech first infiltrates networks by taking advantage of software vulnerabilities in Internet-facing devices, inadequate network settings, and out-of-support devices, and uses that foothold to move from a company's overseas subsidiaries to the trusted internal routers that carry communication between the subsidiary and headquarters. After successfully infiltrating the system, BlackTech blends into this traffic and attacks other victims on the network, stealing information and causing other damage.

When attacking routers, techniques such as rewriting the firmware are used to hide the history of configuration changes and command execution and to erase the logs of compromised devices.

Specifically, specially crafted TCP and UDP packets have been observed being used to enable and disable SSH backdoors on Cisco routers, allowing BlackTech to switch the backdoor on only when needed and thereby avoid detection of the intrusion.

It was also confirmed that, when loading modified firmware containing the backdoor, the memory of Cisco products was patched to bypass the signature verification function of the ROM monitor.



To prevent breaches by Chinese hacker groups, CISA called for the following mitigation measures to be taken:
- Use the 'transport output none' command on VTY lines to prevent unnecessary external connections.
- Monitor incoming and outgoing traffic on devices, especially unauthorized access, and separate management systems using virtual LANs (VLANs).
- Allow only specific IP addresses used by network administrators and track login attempts.
- Migrate to devices with advanced secure boot and prioritize updating older devices.
- If you suspect an intrusion, immediately change all passwords and keys.
- Examine logs for abnormalities such as unexpected restarts or configuration changes.
- Use a technique called Network Device Integrity (NDI) to detect unauthorized access, software changes, and hardware changes.
- Periodically take snapshots of boot records and firmware and compare them with known-good images.
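As an added illustration of the last two mitigations (this is not code from the advisory, from NISC or from Cisco), the Python below hashes a directory of exported firmware and boot-record files, stores the result as a baseline, and reports any file that changed, disappeared or newly appeared. File names and contents are constructed for the demo; how the images are exported from a device is vendor-specific and assumed to happen beforehand.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large firmware images are not read into memory whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(directory: Path) -> dict:
    """Hash every file in a snapshot directory (firmware image, boot record dump, ...)."""
    return {p.name: sha256_file(p) for p in sorted(directory.iterdir()) if p.is_file()}


def compare(baseline: dict, current: dict) -> list:
    """Report files whose hash changed, files that vanished, and files absent from the baseline."""
    findings = [("missing", name) for name in baseline if name not in current]
    findings += [("modified", name) for name in baseline
                 if name in current and current[name] != baseline[name]]
    findings += [("unexpected", name) for name in current if name not in baseline]
    return sorted(findings)


def demo() -> list:
    """Constructed scenario: record a known-good baseline, then simulate the firmware image
    being replaced and an extra file appearing, and diff a fresh snapshot against the baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        device = Path(tmp) / "device"
        device.mkdir()
        (device / "rommon.bin").write_bytes(b"constructed boot record contents")
        (device / "ios.bin").write_bytes(b"constructed firmware image v1")
        # Keep the baseline off the device directory so it is never itself flagged.
        baseline_file = Path(tmp) / "baseline.json"
        baseline_file.write_text(json.dumps(snapshot(device), indent=2))
        # Simulated tampering: firmware altered, unknown file dropped alongside it.
        (device / "ios.bin").write_bytes(b"constructed firmware image v1 + backdoor")
        (device / "extra.bin").write_bytes(b"constructed unexpected file")
        baseline = json.loads(baseline_file.read_text())
        return compare(baseline, snapshot(device))


if __name__ == "__main__":
    for kind, name in demo():
        print(f"{kind}: {name}")
```

Any non-empty result warrants the password and key rotation and log review listed above; an unchanged hash only shows the exported image matches, not that the export itself was honest on a compromised device.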

In a report released in response to the alert, Cisco stated, "BlackTech compromised devices after obtaining administrator credentials, and there is no evidence that BlackTech used vulnerabilities in Cisco products to sign malware." The company also pointed out that malicious firmware could only be installed on older Cisco products, and emphasized that its newer products have a secure boot feature that prevents unauthorized firmware from running.

in Security, Posted by log1l_ks