China APT Cracks Cisco Firmware in Attacks Against the US and Japan
Dark Reading – Nate Nelson
Chinese state-linked threat actor BlackTech has been quietly manipulating Cisco routers to breach multinational organizations in the US and Japan.
The group replaces device firmware with malicious versions to establish persistence and pivot from smaller subsidiaries to the headquarters of targeted organizations.
The affected sectors include government, industrial, technology, media, electronics, and telecommunications, including entities supporting the US and Japanese militaries.
The joint advisory from the NSA, FBI, CISA, and Japanese authorities warns that this technique is not limited to Cisco routers and could be used to enable backdoors in other network equipment.
BlackTech possesses custom malware families and uses living-off-the-land tools to evade detection.
Their goal is to escalate privileges and gain control over vulnerable network routers.
The group performs a downgrade attack: it installs old firmware, hot-patches it in memory, and then installs malicious firmware with a built-in SSH backdoor.
The advisory recommends monitoring network connections, reviewing firmware changes, and maintaining strong password hygiene.
However, experts suggest that device manufacturers need to enhance their security and customers should invest in overlooked edge device monitoring to address the underlying issue.
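The two signals the summary describes, a firmware version that went backwards and a running image that is not a known-good build, can be checked from routine inventory polls. The following is an added example, not code from the article or the advisory; the device names, version strings, image hashes and inventory snapshots are all constructed placeholders.

```python
# Added example (not from the Dark Reading article or the joint advisory): audit two
# constructed firmware inventory snapshots and flag (1) a version downgrade and
# (2) a running image whose hash is not on the organization's known-good list.
import re

# Constructed allowlist mapping known-good image hashes to the version they carry.
# Placeholder values, not real Cisco image hashes.
KNOWN_GOOD = {
    "sha256:aaaa1111": "15.9(3)M7",
    "sha256:bbbb2222": "17.6(4)",
}

# Constructed inventory snapshots: previous and current polls of the same devices.
PREVIOUS = {
    "edge-rtr-01": {"version": "17.6(4)", "hash": "sha256:bbbb2222"},
    "edge-rtr-02": {"version": "17.6(4)", "hash": "sha256:bbbb2222"},
    "branch-rtr-07": {"version": "15.9(3)M7", "hash": "sha256:aaaa1111"},
}
CURRENT = {
    "edge-rtr-01": {"version": "17.6(4)", "hash": "sha256:bbbb2222"},
    "edge-rtr-02": {"version": "15.9(3)M7", "hash": "sha256:aaaa1111"},  # went backwards
    "branch-rtr-07": {"version": "15.9(3)M7", "hash": "sha256:deadbeef"},  # image not on allowlist
}


def version_key(version):
    """Turn an IOS-style version string such as '15.9(3)M7' into a comparable tuple.
    Simplifying assumption: only the numeric runs matter for ordering."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def audit(previous, current, known_good):
    """Return a sorted list of (device, finding) pairs for the two signals."""
    findings = []
    for dev, now in current.items():
        before = previous.get(dev)
        # Signal 1: version moved backwards since the last poll (downgrade attack).
        if before and version_key(now["version"]) < version_key(before["version"]):
            findings.append((dev, "downgrade: %s -> %s" % (before["version"], now["version"])))
        # Signal 2: running image is not a known-good build, or claims the wrong version.
        if now["hash"] not in known_good:
            findings.append((dev, "unknown image hash %s" % now["hash"]))
        elif known_good[now["hash"]] != now["version"]:
            findings.append((dev, "hash/version mismatch for %s" % now["hash"]))
    return sorted(findings)


if __name__ == "__main__":
    for dev, finding in audit(PREVIOUS, CURRENT, KNOWN_GOOD):
        print(dev, finding)
```

A check of the stored image does not see code that was hot-patched in memory, so it complements rather than replaces the connection monitoring the advisory recommends.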
Link: https://www.darkreading.com/threat-intelligence/china-apt-cracks-cisco-firmware-attacks-against-us-japan