A recent joint cybersecurity advisory from the National Security Agency (NSA), FBI, and Cybersecurity and Infrastructure Security Agency (CISA) in the US, along with the Japanese national police and cybersecurity authorities, sheds light on a new campaign by a Chinese state-linked threat actor known as “BlackTech.” This threat actor has been quietly manipulating Cisco routers to breach multinational organizations in the US and Japan.
BlackTech, also known as Palmerworm, Temp.Overboard, Circuit Panda, and Radio Panda, has been replacing the firmware of Cisco routers with its own malicious version. This allows the threat actor to establish persistence within the affected organizations and pivot from smaller, international subsidiaries to the headquarters of these organizations. The targeted organizations span various sectors, including government, industrial, technology, media, electronics, and telecommunications. Notably, some of these organizations provide support to the militaries of the US and Japan.
The joint advisory notes that the tactic is not limited to Cisco routers and that similar techniques could be used to plant backdoors in other network equipment. The advisory does not, however, detail any specific CVE (Common Vulnerabilities and Exposures) entry affecting the Cisco routers. Dark Reading reached out to Cisco for comment, but the company had not responded at the time of writing.
The breadth of BlackTech’s operations points to a larger problem in edge security. Tom Pace, former Department of Energy head of cyber and CEO of NetRise, comments on the issue, stating that the same problems persist across all device manufacturers and verticals. He explains that the issues go beyond specific brands like Cisco, Juniper, Huawei, or Arista and raises concerns about the overall security of edge devices.
BlackTech’s ability to breach networks is not new. Cisco routers have been a target for compromise and intellectual property theft since the early 2000s, when the company collaborated with China to build the “Great Firewall.” The group itself has been active since 2010 and maintains 12 custom malware families that target Windows, Linux, and FreeBSD. To evade detection, it continually updates these families and signs their payloads with stolen code-signing certificates.
Once inside a target network, BlackTech leans on living-off-the-land (LotL)-style tooling to evade endpoint detection, such as NetCat shells, the Secure Shell Protocol (SSH), and the Remote Desktop Protocol (RDP). What sets BlackTech apart from other threat actors, however, is its focus on network routers: the group’s objective is to obtain administrator access to these devices, which it then uses as a persistent foothold.
To get there, BlackTech targets the smaller, remote branches of larger organizations, where security controls tend to be less stringent. Because branch routers have trusted connections into the organization’s primary IT network, BlackTech can blend in with ordinary corporate traffic and pivot to other victims within the organization. To cement control over a router and conceal its activity, the group performs a firmware downgrade attack.
First, BlackTech installs an older, legitimate version of the router’s firmware, abusing Cisco’s built-in support for letting privileged users downgrade the operating system image. It then hot-patches that firmware in memory, modifying it without a reboot, which lets it load a modified bootloader and its own malicious firmware, complete with a built-in SSH backdoor.
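One way to audit a fleet for the first link of that chain (an image older than the organization’s baseline, or one whose bytes on flash no longer match the vendor hash) is to compare each router’s own `show version` and `verify /md5` output against a known-good baseline. The script below is an added example, not code from the advisory, from Cisco, or from Dark Reading; the hostnames, version strings, image names and hashes are constructed, and the expected MD5 is assumed to have been fetched out of band from Cisco’s download portal. It parses the classic IOS version format (e.g. 15.7(3)M8), not IOS XE.

```python
import re
from typing import Dict, List, Optional, Tuple

# Known-good baseline for one router model. The image name and MD5 should come
# from the vendor's download portal, fetched out of band, never from the router.
# These values are constructed for the example.
BASELINE = {
    "version": "15.7(3)M8",
    "image": "c2900-universalk9-mz.SPA.157-3.M8.bin",
    "md5": "3d9f1c0b6a7e4b2f8c1d5e6a9b0c7d4f",
}

# Constructed excerpts in the shape of "show version" plus "verify /md5" output.
SAMPLE_OUTPUT = {
    # Healthy: baseline version, baseline image, matching hash.
    "branch-rtr-01": (
        "Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), "
        "Version 15.7(3)M8, RELEASE SOFTWARE (fc2)\n"
        'System image file is "flash0:c2900-universalk9-mz.SPA.157-3.M8.bin"\n'
        "verify /md5 (flash0:c2900-universalk9-mz.SPA.157-3.M8.bin) = "
        "3d9f1c0b6a7e4b2f8c1d5e6a9b0c7d4f\n"
    ),
    # Downgraded: an older legitimate image has been installed.
    "branch-rtr-07": (
        "Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), "
        "Version 15.4(3)M3, RELEASE SOFTWARE (fc2)\n"
        'System image file is "flash0:c2900-universalk9-mz.SPA.154-3.M3.bin"\n'
        "verify /md5 (flash0:c2900-universalk9-mz.SPA.154-3.M3.bin) = "
        "7a1b2c3d4e5f60718293a4b5c6d7e8f9\n"
    ),
    # Same version string and file name as the baseline, different bytes on flash.
    "hq-rtr-01": (
        "Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), "
        "Version 15.7(3)M8, RELEASE SOFTWARE (fc2)\n"
        'System image file is "flash0:c2900-universalk9-mz.SPA.157-3.M8.bin"\n'
        "verify /md5 (flash0:c2900-universalk9-mz.SPA.157-3.M8.bin) = "
        "deadbeef00112233445566778899aabb\n"
    ),
}

# Classic IOS version strings look like 15.7(3)M8: major.minor(maintenance)TRAIN rebuild.
VERSION_RE = re.compile(r"(?:Version )?(\d+)\.(\d+)\((\d+)\)([A-Za-z]*)(\d*)")
IMAGE_RE = re.compile(r'System image file is "(?:[^":]*:)?([^"]+)"')
MD5_RE = re.compile(r"verify /md5 \([^)]*\) = ([0-9a-fA-F]{32})")

VersionKey = Tuple[int, int, int, str, int]


def parse_version(text: str) -> Optional[VersionKey]:
    """Turn '... Version 15.7(3)M8 ...' into a tuple that sorts by age, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, maint, train, rebuild = m.groups()
    return (int(major), int(minor), int(maint), train.upper(), int(rebuild or 0))


def fmt(v: VersionKey) -> str:
    major, minor, maint, train, rebuild = v
    return f"{major}.{minor}({maint}){train}{rebuild or ''}"


def audit_router(output: str, baseline: Dict[str, str] = BASELINE) -> List[str]:
    """Return findings for one router; an empty list means it matches the baseline."""
    findings: List[str] = []

    running = parse_version(output)
    expected = parse_version(baseline["version"])
    if expected is None:
        raise ValueError(f"baseline version {baseline['version']!r} is not parseable")
    if running is None:
        findings.append("could not parse a version string from show version")
    elif running[3] != expected[3]:
        # Different release trains (e.g. M vs T) are not ordered; flag, don't compare.
        findings.append(f"release train {running[3]} differs from baseline train {expected[3]}")
    elif running < expected:
        findings.append(f"firmware downgrade: running {fmt(running)}, baseline {baseline['version']}")

    m = IMAGE_RE.search(output)
    if not m:
        findings.append("no 'System image file' line found")
    elif m.group(1) != baseline["image"]:
        findings.append(f"unexpected image file {m.group(1)}")

    h = MD5_RE.search(output)
    if not h:
        findings.append("no verify /md5 result found")
    elif h.group(1).lower() != baseline["md5"].lower():
        findings.append(f"image hash {h.group(1)} does not match known-good {baseline['md5']}")
    return findings


def audit_fleet(outputs: Dict[str, str], baseline: Dict[str, str] = BASELINE) -> Dict[str, List[str]]:
    """Audit every router and return only the ones with findings."""
    flagged: Dict[str, List[str]] = {}
    for host, output in outputs.items():
        findings = audit_router(output, baseline)
        if findings:
            flagged[host] = findings
    return flagged


if __name__ == "__main__":
    for host, findings in audit_fleet(SAMPLE_OUTPUT).items():
        print(host)
        for finding in findings:
            print("  -", finding)
```

The check for hq-rtr-01 is the important one: a version string and file name that look right while the hash differs is exactly what an in-place modification leaves behind. The caveat is that once firmware has been tampered with to conceal its activity, nothing the router prints is trustworthy, including a hash it computes over its own image, so treat a clean result as a screening pass and verify suspicious devices from an offline copy of the image.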
Alex Matrosov, CEO and head of research at Binarly, points out that an attacker would need an authentication bypass vulnerability to modify the firmware image and deliver malicious code on the device. While the joint advisory does not mention a specific vulnerability, Matrosov cites CVE-2023-20082, a comparable vulnerability in Cisco Catalyst switches.
The advisory provides recommendations for organizations to mitigate BlackTech’s tactics, including monitoring inbound and outbound connections with network devices, reviewing firmware changes and logs, and maintaining vigilant password hygiene. However, Tom Pace suggests that these measures are merely temporary solutions for a deeper issue in edge security.
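The first of those recommendations, watching what talks to the routers and what the routers talk to, can be expressed as a simple policy check over flow records. The script below is an added example and is not from the advisory; the router inventory, jump host, allowed destinations and the flow export are all constructed, and the CSV layout is an assumption rather than any particular NetFlow or IPFIX exporter’s format. It raises an alert for a management-plane session to a router from anything but the approved jump host (the backdoor in the modified firmware is still reached over SSH), for any router-initiated connection outside the few services a router legitimately needs, and specifically for a router opening a management session to another router, which is what a pivot from a branch toward headquarters looks like at the flow level.

```python
import csv
import io
from typing import List, Tuple

# Constructed inventory and policy; every address below is made up for the example.
ROUTER_MGMT_IPS = {
    "10.0.1.1": "branch-rtr-01",
    "10.0.7.1": "branch-rtr-07",
    "10.0.0.1": "hq-rtr-01",
}
JUMP_HOSTS = {"10.10.0.5"}                  # the only hosts allowed to manage routers
MGMT_PORTS = {22: "ssh", 23: "telnet", 80: "http", 443: "https"}
ALLOWED_OUTBOUND = {                        # (dst, dport, proto) a router may initiate
    ("10.10.0.10", 514, "udp"),             # syslog collector
    ("10.10.0.11", 123, "udp"),             # NTP
    ("10.10.0.12", 49, "tcp"),              # TACACS+
}

# Constructed flow export, one record per connection, with an assumed CSV layout.
SAMPLE_FLOWS = """\
ts,src,dst,dport,proto
2023-09-27T01:12:03Z,10.10.0.5,10.0.1.1,22,tcp
2023-09-27T01:12:10Z,10.0.1.1,10.10.0.10,514,udp
2023-09-27T02:40:51Z,198.51.100.23,10.0.7.1,22,tcp
2023-09-27T02:41:07Z,10.0.7.1,10.0.0.1,22,tcp
2023-09-27T02:45:00Z,10.0.7.1,203.0.113.9,443,tcp
2023-09-27T03:00:00Z,10.0.0.1,10.10.0.11,123,udp
"""

Alert = Tuple[str, str, str]  # (timestamp, router name, reason)


def flag_flows(flow_csv: str) -> List[Alert]:
    """Return one alert per policy violation, in flow order."""
    alerts: List[Alert] = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        src, dst = row["src"], row["dst"]
        dport, proto = int(row["dport"]), row["proto"].lower()

        # Inbound: someone other than the jump host reaching a router's management plane.
        if dst in ROUTER_MGMT_IPS and dport in MGMT_PORTS and src not in JUMP_HOSTS:
            alerts.append((row["ts"], ROUTER_MGMT_IPS[dst],
                           f"inbound {MGMT_PORTS[dport]} from unapproved host {src}"))

        # Outbound: a router initiating anything beyond its expected services.
        if src in ROUTER_MGMT_IPS and (dst, dport, proto) not in ALLOWED_OUTBOUND:
            if dst in ROUTER_MGMT_IPS and dport in MGMT_PORTS:
                reason = (f"router-initiated {MGMT_PORTS[dport]} to another router's "
                          f"management plane ({ROUTER_MGMT_IPS[dst]})")
            else:
                reason = f"unexpected outbound {proto}/{dport} to {dst}"
            alerts.append((row["ts"], ROUTER_MGMT_IPS[src], reason))
    return alerts


if __name__ == "__main__":
    for ts, router, reason in flag_flows(SAMPLE_FLOWS):
        print(f"{ts} {router}: {reason}")
```

The two records from branch-rtr-07 at 02:41 produce two alerts from the same flow, one on the source side and one on the destination side; that redundancy is deliberate, because a flow collector that only sees one site’s traffic will still catch it from whichever side it can see. The allowlist of outbound destinations is the part that needs maintaining per site, and a router that suddenly needs a new one is itself worth a look.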
Pace argues that the lack of visibility solutions for edge devices is a long-standing problem that needs to be addressed by both device manufacturers and customers. He believes that unless there are significant upgrades in security for these devices or increased investments in this overlooked area, similar stories of breaches will continue to occur in the future.
In conclusion, the activities of the Chinese state-linked threat actor BlackTech, which manipulates Cisco routers to breach multinational organizations, have come to light through a joint cybersecurity advisory. This campaign highlights the larger issue of edge security and the need for improved security measures for network devices. If not addressed, this problem is predicted to persist for years to come.

