US and Japan cyber intelligence expose Chinese hackers exploiting corporate routers

US and Japan's law enforcement and cybersecurity agencies have released an advisory warning against an ongoing hacking campaign by Chinese hackers targeting corporate network devices. The report which was a joint report by the FBI, NSA, CISA, Japan's NISC and the National Police Service identifies BlackTech, a Chinise state-sponsored APT group, as the culprits.

The cybergang, also recognized under aliases such as Palmerworm, Circuit Panda, and Radio Panda, has been actively engaged in cyber espionage activities since at least 2010, primarily targeting Japanese, Taiwanese, and Hong Kong-based entities. The group's modus operandi revolves around infiltrating network devices to establish backdoors into corporate networks, thereby compromising their integrity and security.

Key highlights from the report

Sophisticated Custom Malware: BlackTech employs custom malware with regular updates to infiltrate network devices discreetly. This malware serves multiple purposes, including enabling persistence, gaining initial access to networks, and facilitating data theft by rerouting traffic to servers controlled by the attackers. Some malware instances are signed using stolen code-signing certificates, making them challenging to detect by security software.

Modified Firmware: Once inside the target router, the hackers install modified firmware. This firmware alteration allows them to conceal configuration changes and the history of executed commands. It also grants them the capability to deactivate logging on compromised devices while they conduct malicious activities.

Cisco Router Exploitation: Researchers have observed the hackers employing a unique technique with Cisco routers. They enable and disable an SSH backdoor by sending specially crafted TCP or UDP packets to the devices. This method allows them to evade detection and activate the backdoor only when necessary. Moreover, they patch the memory of Cisco devices to bypass the Cisco ROM Monitor's signature validation functions, effectively loading modified firmware pre-installed with backdoors for unlogged access.

Cisco has responded to the report stating that there is no evidence suggesting BlackTech exploits vulnerabilities in their products or uses stolen certificates to sign malware. Additionally, Cisco notes that the method involving firmware downgrades to bypass security measures applies only to older, legacy products.

In response to the campaign, system administrators are urged to remain vigilant by monitoring unauthorized downloads of bootloader and firmware images and identifying unusual device reboots. These may be indicators that the router has been loaded with modified firmware. SSH traffic on routers should also be subject to thorough scrutiny.