The US NSA (National Security Agency) & FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices & using firmware implants to silently move around the corporate networks of US & Japanese companies.
As stated in a high-powered joint advisory from the US’s NSA, FBI & CISA & Japan’s NISC, BlackTech has been observed modifying router firmware on Cisco routers to maintain stealth & move from international subsidiaries to HQs in Japan & the US.
“Specifically, upon gaining an initial foothold into a target network & gaining administrator access to network edge devices, BlackTech cyber actors often modify the firmware to hide their activity across the edge devices to further maintain persistence in the network,” the agencies warned.
To extend their grip across an organisation, the BlackTech attackers target branch routers — usually smaller appliances used at remote branch offices to connect to a corporate HQ & abuse the trusted relationship of the branch routers within the corporate network being targeted.
The attackers then use the compromised public-facing branch routers as part of their infrastructure for proxying traffic, blending in with corporate network traffic, & pivoting to other victims on the same corporate network.
BlackTech, active since at least 2010, is a prolific Chinese APT that targets Govt., industrial, technology, media, electronics, & telecommunication sectors, including entities that support the militaries of the US & Japan.
The player has traditionally used custom malware, dual-use tools, & ‘living off the land’ methods, such as disabling logging on routers, to hide their operations.
Explains the advisory, BlackTech hackers have compromised several Cisco routers using variations of a customised firmware backdoor that is enabled & disabled through specially crafted TCP or UDP packets.
In some cases, the group has been caught replacing the firmware for certain Cisco IOS-based routers with malicious firmware.
“Although BlackTech actors already had elevated privileges on the router to replace the firmware via command-line execution, the malicious firmware is used to establish persistent backdoor access & obfuscate future malicious activity,” the agencies observed.
In the seen attacks, the modified firmware used a built-in SSH backdoor that allowed BlackTech players to maintain access to the compromised router without any connections being logged.
The attackers also bypassed the router’s built-in security features in a complex scheme involving the installation of older legitimate firmware files, that are then modified in memory to bypass firmware signature checks & evade detection.
Inbound & Outbound
In the joint advisory, the agencies are recommending that defenders monitor both inbound & outbound connections from network devices to both external & internal systems, & check logs for successful & unsuccessful login attempts with the “login on-failure log” and “login on-success log” configuration commands.
Businesses are also being pushed to upgrade devices to ones that have secure boot capabilities & review logs generated by network devices & monitor for unauthorised reboots, operating system version changes, changes to the configuration, or attempts to update the firmware.
Response from Cisco
Cisco has released a bulletin noting that the most prevalent initial access vector in these attacks involves stolen or weak administrative credentials.
“There is no indication that any Cisco vulnerabilities were exploited. Attackers used compromised credentials to perform administrative-level configuration & software changes.”
The company commented that installing compromised software by 1st downgrading to older firmware only affects legacy devices & is not allowed in modern Cisco routers that support secure boot.
“The stolen code-signing certificates mentioned in the report are not from Cisco. Cisco does not have any knowledge of code-signing certificates being stolen to perform any attack against Cisco infrastructure devices,” the company argued.
Hardware security experts state they aren’t surprised to see advanced attackers ‘lurking in the shadows’ of firmware to enable persistence & pivot for stealthy attacks.
“The tactics used by the threat actor aren’t new,” commented Alex Matrosov, CEO & Head of Research at Binarly, a LA company building technology to secure the firmware ecosystem.
“Unfortunately, this is not a surprise, we have observed an increase in firmware attacks with BlackLotus, CosmicStrand, & MoonBounce as recent examples, but the impact of this BlackTech campaign is a clear progression of the documented attacks related to compromised firmware,” Matrosov added.
Matrosov criticised device vendors like Cisco that minimise the severity of patched bugs & suggest high attack barriers like needing remote code execution) or stolen credentials.
“This leads to lower CVSS scores, diverting patching urgency * attention. Consequently, many systems remain at risk due to this downplaying of vulnerability severity,” he further added.
A statement from Eclypsium outlined that the BlackTech discovery is another example that the supply chain of network infrastructure is in a state of crisis.
No Longer Effective
“It’s clear that old ways of securing networks & endpoints are no longer effective.
Network infrastructure has become the ‘lowest hanging fruit’ for most threat actors.
Both ransomware groups like LockBit 3.0 and nation-state actors use network appliances as an initial access vector or to establish persistence,” the company concluded.