
TP-Link router firmware exploited by Chinese APT through implant.


A Chinese state-sponsored Advanced Persistent Threat (APT) group, tracked as Camaro Dragon, has been identified as the source of targeted attacks using a malware implant built specifically for TP-Link routers. The implant, dubbed ‘Horse Shell’, was discovered inside a modified firmware image by researchers at Check Point Software Technologies. Its custom backdoor lets the attackers keep persistent access to affected networks, build anonymising infrastructure from the compromised devices, and move laterally within those networks when needed. Horse Shell offers three main capabilities: remote execution of shell commands, file transfer to and from the infected router, and a SOCKS proxy tunnel. Significantly, the implant is firmware-agnostic: it could be embedded in other vendors’ firmware images, not only in the TP-Link firmware seen in the most recent attacks.

While there is as yet no concrete proof that Horse Shell has been used outside compromised TP-Link firmware, earlier APT incidents show that similar backdoors and firmware implants have been deployed successfully against a wide range of hardware from different vendors. The attacks in which the infected TP-Link routers were used apparently targeted European foreign affairs officials. Check Point researchers noted that although such firmware attacks usually hit residential and home-office networks, the attackers’ aim is often to build a chain of nodes between the infected devices and their command-and-control infrastructure. The research does not specify how the attackers initially gained access to the devices before implanting them, although it points to weaknesses in device authentication as the most likely route.

Check Point has been tracking threat activity aimed at a range of European officials since the beginning of this year, with the activity relying on various tools, including new firmware implants linked to Chinese nation-state activity. The researchers identify multiple connections between Camaro Dragon and another Chinese state-sponsored APT group known as ‘Mustang Panda’, previously reported upon by companies including Avast in late 2020.

The current research is yet another example of what Check Point describes as a “long-standing trend of Chinese threat actors to exploit Internet-facing network devices and modify their underlying software or firmware”. Commentators note that firmware-level intrusion remains a serious threat, citing the recent attack on the Taiwanese hardware manufacturer Micro-Star International. In that case, a ransomware attack led to the theft and leak of an OEM private key for Intel’s Boot Guard security feature, which is meant to ensure that malicious firmware cannot run under the Unified Extensible Firmware Interface.

Check Point has apparently had no response from TP-Link, although a statement from the vendor is expected in the near future. One Check Point researcher said that the firm had implemented a variety of security measures to make attacks harder, but that attackers had still found vulnerabilities to exploit. Given the long-standing success of Chinese APTs in compromising Internet-facing network devices, many commentators suggest that all vendors need to remain vigilant and regularly review their current security measures.
