US, Japanese agencies issue cybersecurity advisory on BlackTech Chinese hackers hiding in router firmware

On Wednesday, U.S. and Japanese security agencies jointly released a cybersecurity advisory (CSA) outlining the actions of cyber hackers associated with the People’s Republic of China (PRC) known as ‘BlackTech.’ The hacker group has exhibited the ability to covertly alter router firmware and exploit domain-trust relationships in routers, enabling them to pivot from international subsidiaries to target headquarters in Japan and the U.S.

The authoring agencies furthermore recommend implementing the mitigations described in the advisory to detect this activity and protect devices from the backdoors the BlackTech hackers leave behind.

“BlackTech (a.k.a. Palmerworm, Temp[dot]Overboard, Circuit Panda, and Radio Panda) actors have targeted government, industrial, technology, media, electronics, and telecommunication sectors, including entities that support the militaries of the U.S. and Japan,” the U.S. National Security Agency (NSA), Federal Bureau of Investigation (FBI), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Japan National Police Agency (NPA), and the Japan National Center of Incident Readiness and Strategy for Cybersecurity (NISC), identified in the advisory. “BlackTech actors use custom malware, dual-use tools, and living off the land tactics, such as disabling logging on routers, to conceal their operations.” 

The advisory also details BlackTech’s tactics, techniques, and procedures (TTPs), which highlight the need for multinational corporations to review all subsidiary connections, verify access, and consider implementing zero trust models to limit the extent of a potential BlackTech compromise.

“Cyber actors look for the easiest way into their targeted network, like a thief checking vehicles for unlocked doors,” Rob Joyce, NSA cybersecurity director, said in a media statement. “Raising awareness of these malicious activities helps with not only hardening our defenses, but also those of our international allies, critical infrastructure, and private sector organizations. We need to keep these actors out of our networks.”

“With our U.S. and international partners, CISA continues to call urgent attention to China’s sophisticated and aggressive global cyber operations to gain persistent access and, in the case of BlackTech actors, steal intellectual property and sensitive data,” said Eric Goldstein, CISA’s executive assistant director for cybersecurity. “Today’s joint advisory with our partners in Japan highlights our extensive and persistent collaboration to provide actionable and timely guidance to businesses, government and critical infrastructure.” 

Goldstein added that BlackTech activity targets a wide range of public organizations and private industries across the U.S. and East Asia. “We encourage all organizations to review the advisory, take action to mitigate risk, report any evidence of anomalous activity, and continue to visit cisa.gov/china for ongoing updates about the heightened risk posed by PRC cyber actors.”

Active since 2010, BlackTech hackers have historically targeted various U.S. and East Asian public organizations and private industries, the advisory disclosed. “BlackTech actors’ TTPs include developing customized malware and tailored persistence mechanisms for compromising routers. These TTPs allow the actors to disable logging and abuse trusted domain relationships to pivot between international subsidiaries and domestic headquarters’ networks,” it added. 

The hackers have been identified as using custom malware payloads and remote access tools (RATs) to target victims’ operating systems. The actors have used a range of custom malware families targeting Windows, Linux, and FreeBSD operating systems. Custom malware families employed by BlackTech include BendyBear, Bifrose, BTSDoor, FakeDead (a.k.a. TSCookie), FlagPro, FrontShell (FakeDead’s downloader module), IconDown, PLEAD, SpiderPig, SpiderSpring, SpiderStack, and WaterBear.

The advisory said that BlackTech hackers continuously update these tools to evade detection by security software. They also use stolen code-signing certificates to sign the malicious payloads, which makes them appear legitimate and therefore more difficult for security software to detect.

“BlackTech actors use living-off-the-land TTPs to blend in with normal operating system and network activities, allowing them to evade detection by endpoint detection and response (EDR) products,” according to the advisory. “Common methods of persistence on a host include NetCat shells, modifying the victim registry to enable the remote desktop protocol (RDP), and secure shell (SSH). The actors have also used SNScan for enumeration, and a local file transfer protocol (FTP) server to move data through the victim network.”

The advisory identified that after gaining access to the subsidiaries’ internal networks, BlackTech hackers are able to pivot from the trusted internal routers to other subsidiaries of the companies and the headquarters’ networks. “BlackTech actors exploit trusted network relationships between an established victim and other entities to expand their access in target networks. Specifically, upon gaining an initial foothold into a target network and gaining administrator access to network edge devices, BlackTech cyber actors often modify the firmware to hide their activity across the edge devices to further maintain persistence in the network.” 

To extend their foothold across an organization, the advisory said that the BlackTech hackers target branch routers—typically smaller appliances used at remote branch offices to connect to a corporate headquarters—and then abuse the trusted relationship of the branch routers within the corporate network being targeted. These hackers then use the compromised public-facing branch routers as part of their infrastructure for proxying traffic, blending in with corporate network traffic, and pivoting to other victims on the same corporate network. 

The advisory also pointed out that BlackTech hackers have targeted and exploited various brands and versions of router devices. “TTPs against routers enable the actors to conceal configuration changes, hide commands, and disable logging while BlackTech actors conduct operations. BlackTech actors have compromised several Cisco routers using variations of a customized firmware backdoor. The backdoor functionality is enabled and disabled through specially crafted TCP or UDP packets. This TTP is not solely limited to Cisco routers, and similar techniques could be used to enable backdoors in other network equipment.”

Additionally, in some instances, BlackTech hackers have replaced the firmware for certain Cisco IOS-based routers with malicious firmware. “Although BlackTech actors already had elevated privileges on the router to replace the firmware via command-line execution, the malicious firmware is used to establish persistent backdoor access and obfuscate future malicious activity.” 

The modified firmware also uses a built-in SSH backdoor, allowing BlackTech actors to maintain access to the compromised router without BlackTech connections being logged, the advisory detailed. “BlackTech actors bypass the router’s built-in security features by first installing older legitimate firmware that they then modify in memory to allow the installation of a modified, unsigned bootloader and modified, unsigned firmware. The modified bootloader enables the modified firmware to continue evading detection; however, it is not always necessary,” it added.

Furthermore, the advisory said that BlackTech hackers may also hide their presence and obfuscate changes made to compromised Cisco routers by hiding Embedded Event Manager (EEM) policies that manipulate the results of Cisco IOS Command-Line Interface (CLI) commands. EEM is a Cisco IOS feature normally used to automate tasks that run when specific events occur.

“On a compromised router, the BlackTech-created EEM policy waits for specific commands to execute obfuscation measures or deny execution of specified legitimate commands,” the advisory said. “This policy has two functions: (1) to remove lines containing certain strings in the output of specified, legitimate Cisco IOS CLI commands, and (2) prevent the execution of other legitimate CLI commands, such as hindering forensic analysis by blocking copy, rename, and move commands for the associated EEM policy.”

To help detect and mitigate BlackTech activity, the agencies lay out detection and mitigation strategies. “It would be trivial for the BlackTech actors to modify values in their backdoor that would render specific signatures of this router backdoor obsolete. For more robust detection, network defenders should monitor network devices for unauthorized downloads of bootloaders and firmware images and reboots. Network defenders should also monitor for unusual traffic destined to the router, including SSH,” the advisory added.

Organizations have been called upon to disable outbound connections; monitor both inbound and outbound connections from network devices to both external and internal systems; limit access to administration services and only permit IP addresses used by network administrators; upgrade devices to ones that have secure boot capabilities with better integrity and authenticity checks for bootloaders and firmware; and if there is a concern that a single password has been compromised, change all passwords and keys. 

They have also been urged to review logs generated by network devices and monitor for unauthorized reboots, operating system version changes, changes to the configuration, or attempts to update the firmware. Additionally, organizations can periodically perform both file and memory verification described in the Network Device Integrity (NDI) methodology documents, and monitor for changes to the firmware.
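The log-review guidance above (watch for unauthorized reboots, operating system version changes, configuration changes, firmware update attempts, and administrative access from addresses outside the administrators’ ranges) can be turned into a small triage script. The following Python example is added here for illustration and is not code from the advisory, the article, or any of the agencies; it assumes a syslog export in Cisco IOS format, an administrator allowlist of 10.10.0.0/24, and an expected software version per router, and all of the sample log lines are constructed for the example.

```python
"""Triage Cisco IOS syslog lines for the events the BlackTech advisory tells
defenders to review: reloads, OS version changes after a restart, config
changes, firmware/boot-image changes, and admin access from unexpected
addresses.  Everything below (hosts, addresses, versions, log lines) is
constructed for this example."""
import ipaddress
import re
from dataclasses import dataclass

# Assumed baseline: networks used by administrators and the software version
# each router is expected to boot.  Both are hypothetical values.
ADMIN_NETS = ["10.10.0.0/24"]
EXPECTED_VERSION = {"rtr-branch-01": "15.1(4)M"}

# Constructed sample export from a branch router (modelled on Cisco IOS
# syslog message formats; sequence numbers reset after the reload).
SAMPLE_LOGS = """\
Sep 27 10:01:02 rtr-branch-01 201: *Sep 27 10:01:01.512: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.10.0.5)
Sep 27 10:05:44 rtr-branch-01 202: *Sep 27 10:05:43.001: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 203.0.113.77] [localport: 22]
Sep 27 10:06:10 rtr-branch-01 203: *Sep 27 10:06:09.410: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:no logging host 10.10.0.9
Sep 27 10:06:30 rtr-branch-01 204: *Sep 27 10:06:29.102: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:boot system flash:c2900-old.bin
Sep 27 10:07:30 rtr-branch-01 205: *Sep 27 10:07:29.220: %SYS-5-RELOAD: Reload requested by admin on vty1 (203.0.113.77). Reload Reason: Reload Command.
Sep 27 10:09:02 rtr-branch-01 1: *Sep 27 10:09:01.000: %SYS-5-RESTART: System restarted -- Cisco IOS Software, Version 15.0(1)M
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<seq>\d+): "
    r".*?%(?P<msg>[A-Z0-9_]+-\d-[A-Z0-9_]+): (?P<text>.*)$"
)
IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# Source address appears either as "[Source: a.b.c.d]" or as "(a.b.c.d)".
SRC_RE = re.compile(r"\[Source: " + IPV4 + r"\]|\(" + IPV4 + r"\)")


@dataclass
class Finding:
    host: str
    severity: str
    rule: str
    detail: str


def parse_line(line):
    """Split one syslog line into host, sequence, mnemonic, text and source IP;
    return None for lines that do not look like IOS syslog."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    s = SRC_RE.search(ev["text"])
    ev["src"] = (s.group(1) or s.group(2)) if s else None
    return ev


def _is_admin(src, nets):
    if src is None:
        return False
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in n for n in nets)


def analyze(log_text, admin_nets=ADMIN_NETS, expected=EXPECTED_VERSION):
    """Return a list of Findings for the reviewed events, in log order."""
    nets = [ipaddress.ip_network(n) for n in admin_nets]
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        host, msg, text = ev["host"], ev["msg"], ev["text"]
        from_admin = _is_admin(ev["src"], nets)
        if msg == "SEC_LOGIN-5-LOGIN_SUCCESS" and not from_admin:
            findings.append(Finding(host, "high", "login-non-admin-source", text))
        elif msg == "SYS-5-CONFIG_I":
            # Every config change is worth a record; outside admin ranges it is urgent.
            findings.append(Finding(host, "info" if from_admin else "high", "config-change", text))
        elif msg == "SYS-5-RELOAD":
            findings.append(Finding(host, "medium" if from_admin else "high", "reload", text))
        elif msg == "SYS-5-RESTART":
            m = re.search(r"Version (\S+)", text)
            ver = m.group(1) if m else "unknown"
            if host in expected and ver != expected[host]:
                findings.append(Finding(host, "high", "os-version-changed",
                                        f"booted {ver}, expected {expected[host]}"))
        elif msg == "PARSER-5-CFGLOG_LOGGEDCMD":
            # Requires 'archive log config' on the router so commands are logged.
            cmd = text.split("logged command:", 1)[-1].strip()
            if re.match(r"no logging\b", cmd):
                findings.append(Finding(host, "high", "logging-disabled", cmd))
            elif re.match(r"(copy|boot system|upgrade)\b", cmd):
                findings.append(Finding(host, "high", "firmware-change-attempt", cmd))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOGS):
        print(f"{f.severity:6} {f.host} {f.rule}: {f.detail}")
```

On the constructed sample the script flags the login and the reload from 203.0.113.77 (outside the admin range), the `no logging` command, the boot-image change, and the restart into a version other than the expected one, while the earlier change from 10.10.0.5 is recorded only as informational. The version and address baselines are the part that needs real data; the mnemonic checks carry over to any router whose syslog reaches a collector the router cannot silently stop.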

Earlier this week, the CISA published its Hardware Bill of Materials (HBOM) framework for Supply Chain Risk Management. This document introduces an HBOM framework that creates a consistent, replicable avenue for vendors to engage with purchasers about hardware components in their current or prospective product acquisitions. The framework equips purchasers with the means to thoroughly evaluate and mitigate risks within their supply chains.
