Executive Summary
On September 27, 2023, the National Security Agency (NSA), FBI, Cybersecurity and Infrastructure Security Agency (CISA), and Japan's National Police Agency (NPA) and NISC jointly issued a security advisory on the activities of a Chinese state-sponsored APT tracked as "BlackTech," also known as Palmerworm, Temp.Overboard, Circuit Panda, and Radio Panda.
BlackTech has been manipulating Cisco routers to breach multinational organizations with a presence in the US and Japan.
The group replaces router firmware with its own modified version to establish persistence and then pivots from smaller international subsidiaries to the headquarters of the affected organizations.
Targeted organizations span government, industrial, technology, media, electronics, and telecommunications.
Key Recommendations from the joint advisory:
- Monitor network device connections.
- Review login attempt logs.
- Upgrade devices with secure boot capabilities.
- Monitor for unauthorized reboots or firmware changes.
Experts also stress the need for greater investment in securing these often overlooked edge devices.
About the Threat Actor
BlackTech is a long-standing Chinese APT group that has been active since at least 2010. It targets a wide range of sectors, including government, industrial, technology, media, electronics, and telecommunications.
The group employs custom malware, dual-use tools, and living-off-the-land tactics to evade detection.
What distinguishes BlackTech from most other threat actors is its specific focus on modifying the firmware of network edge devices to establish persistence and move laterally within targeted networks.
How the Attack Works
To infiltrate and navigate corporate networks, BlackTech actors first gain a foothold on the target network and obtain administrator privileges on network edge devices. According to Cisco, the most common route to those privileges is stolen or weak administrative credentials rather than a software vulnerability.
With administrative access, they modify the firmware of these devices to conceal their activity and persist on the network. To get past router security features, they first downgrade the device to an older, legitimately signed firmware image and then modify that image in memory, so the malicious code never has to pass a signature check on disk.
BlackTech's tradecraft concentrates on branch routers at remote offices, which are typically smaller appliances with weaker monitoring, and exploits the trust those devices enjoy inside the corporate network. The compromised branch routers are used to proxy traffic, blend in with legitimate corporate traffic, and pivot to other victims within the same organization.
Throughout, BlackTech relies on custom malware families and living-off-the-land (LotL)-style tooling to evade detection.
Cisco's Response
Cisco issued its own security advisory on September 27, 2023, noting that the most prevalent initial access vector in these attacks is stolen or weak administrative credentials.
Cisco emphasizes that the firmware-downgrade technique only affects legacy devices: modern Cisco routers with secure boot do not load or execute modified software images, so downgrading to unsigned or tampered firmware is blocked.
Cisco has also stated that it is not aware of any code-signing certificates being stolen and used in attacks against its infrastructure devices.
Recommendations
The following recommendations are provided jointly by the National Security Agency (NSA), FBI, Cybersecurity and Infrastructure Security Agency (CISA), and Japan's NPA and NISC to mitigate the threat posed by BlackTech:
- Monitor network device connections: Regularly monitor both inbound and outbound connections from network devices to external and internal systems. A branch router that initiates sessions toward other internal segments or the internet on its own is behaving like a proxy, not a router.
- Review login attempt logs: Keep a close eye on logs for successful and unsuccessful login attempts, and configure devices to log login events for better visibility. Ship those logs to a collector off the device; a router whose firmware has been replaced cannot be trusted to report on itself.
- Upgrade devices with secure boot capabilities: Replace devices that cannot verify their own firmware with models that support secure boot, which rejects modified images at load time and closes off the downgrade technique described above.
- Monitor for unauthorized reboots or firmware changes: Be vigilant about unauthorized reboots, changes in operating system version (a downgrade is especially suspicious), configuration alterations, and attempts to update firmware. Review the logs generated by network devices for such activities and compare the running image and version against a known-good baseline.
Experts also emphasize that securing these often overlooked edge devices requires real investment, since they are rarely covered by endpoint monitoring.
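The detection logic below is an added example, not code from the joint advisory or from Cisco. It turns the log-review and firmware-change recommendations above (and the downgrade technique described under "How the Attack Works") into something you can run against exported Cisco IOS syslog: it flags password guessing followed by a successful login, administrative logins and configuration changes from outside a trusted management network, reloads and restarts, and a change of the running image between two `show version` snapshots, calling out downgrades specifically. The syslog lines, hostnames, addresses and version strings are constructed samples in the standard IOS message format; the trusted management range `10.10.0.0/16` is an assumption you would replace with your own.

```python
"""Hunt for the indicators the BlackTech advisory asks operators to watch on Cisco IOS
routers: failed/successful logins, config changes, reloads, and running-image changes.
Added example; log lines and version strings below are constructed samples."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample syslog lines in the standard IOS format (not real captures).
SAMPLE_SYSLOG = """\
Sep 27 09:58:02 branch-rtr1 201: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] at 09:58:01 UTC Wed Sep 27 2023
Sep 27 09:58:09 branch-rtr1 202: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] at 09:58:08 UTC Wed Sep 27 2023
Sep 27 09:58:15 branch-rtr1 203: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] at 09:58:14 UTC Wed Sep 27 2023
Sep 27 09:58:40 branch-rtr1 204: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 203.0.113.7] [localport: 22] at 09:58:39 UTC Wed Sep 27 2023
Sep 27 10:02:11 branch-rtr1 205: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (203.0.113.7)
Sep 27 10:05:30 branch-rtr1 206: %SYS-5-RELOAD: Reload requested by admin on vty0 (203.0.113.7). Reload Reason: Reload Command.
Sep 27 10:08:02 branch-rtr1 1: %SYS-5-RESTART: System restarted --
Sep 27 11:15:00 hq-core1 9001: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.10.0.5] [localport: 22] at 11:14:59 UTC Wed Sep 27 2023
Sep 27 11:16:20 hq-core1 9002: %SYS-5-CONFIG_I: Configured from console by netops on vty1 (10.10.0.5)
"""

# Constructed first lines of `show version`, as captured at baseline and today.
BASELINE_VERSIONS = {
    "branch-rtr1": "Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.9(3)M7, RELEASE SOFTWARE (fc1)",
    "hq-core1": "Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.9(3)M7, RELEASE SOFTWARE (fc1)",
}
CURRENT_VERSIONS = {
    "branch-rtr1": "Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.4(3)M6, RELEASE SOFTWARE (fc1)",
    "hq-core1": "Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.9(3)M7, RELEASE SOFTWARE (fc1)",
}

# "Mon DD HH:MM:SS host seq: %FACILITY-SEV-MNEMONIC: text"
HEADER = re.compile(r"^\w{3}\s+\d{1,2} [\d:]{8} (?P<host>\S+) \d+: (?P<msg>%.*)$")
PATTERNS = {
    "login_failed": re.compile(r"%SEC_LOGIN-4-LOGIN_FAILED: .*\[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[^\]]+)\]"),
    "login_success": re.compile(r"%SEC_LOGIN-5-LOGIN_SUCCESS: .*\[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[^\]]+)\]"),
    "config_change": re.compile(r"%SYS-5-CONFIG_I: Configured from \S+ by (?P<user>\S+)(?: on (?P<line>\S+) \((?P<src>[^)]+)\))?"),
    "reload": re.compile(r"%SYS-5-RELOAD: Reload requested by (?P<user>\S+) on (?P<line>\S+) \((?P<src>[^)]+)\)"),
    "restart": re.compile(r"%SYS-5-RESTART: System restarted"),
}
VERSION_RE = re.compile(r"\((?P<image>[A-Z0-9-]+)\), Version (?P<ver>[^,]+),")


def parse_syslog(text):
    """Return one event dict per recognised line: host, kind, plus the named groups."""
    events = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        for kind, pat in PATTERNS.items():
            hit = pat.search(m["msg"])
            if hit:
                events.append({"host": m["host"], "kind": kind, **hit.groupdict()})
                break
    return events


def find_alerts(events, admin_nets, failed_threshold=3):
    """Apply the advisory's log-review checks. admin_nets: CIDRs allowed to administer devices."""
    nets = [ipaddress.ip_network(n) for n in admin_nets]

    def trusted(src):
        try:
            return any(ipaddress.ip_address(src) in n for n in nets)
        except ValueError:  # no source recorded, or not an IP
            return False

    alerts = []
    failures = defaultdict(int)  # (host, source) -> consecutive failed logins
    for e in events:
        host, kind, src = e["host"], e["kind"], e.get("src")
        key = (host, src)
        if kind == "login_failed":
            failures[key] += 1
            if failures[key] == failed_threshold:
                alerts.append(f"{host}: {failed_threshold} failed logins from {src} (password guessing)")
        elif kind == "login_success":
            if failures[key] >= failed_threshold:
                alerts.append(f"{host}: login as {e['user']} from {src} after {failures[key]} failures "
                              "(credentials likely guessed or stolen)")
            if not trusted(src):
                alerts.append(f"{host}: admin login as {e['user']} from untrusted source {src}")
        elif kind == "config_change" and src and not trusted(src):
            alerts.append(f"{host}: configuration changed by {e['user']} from untrusted source {src}")
        elif kind == "reload":
            alerts.append(f"{host}: reload requested by {e['user']} from {src}; verify against change records")
        elif kind == "restart":
            alerts.append(f"{host}: restart observed; re-verify the running image before trusting the device")
    return alerts


def parse_version(show_version_line):
    """Extract (image name, version string) from the first line of `show version`."""
    m = VERSION_RE.search(show_version_line)
    return (m["image"], m["ver"]) if m else None


def version_key(ver):
    """'15.9(3)M7' -> (15, 9, 3, 7) so versions compare numerically."""
    return tuple(int(x) for x in re.findall(r"\d+", ver))


def image_drift(baseline, current):
    """Flag any change of running image per host; a downgrade matches the BlackTech technique."""
    alerts = []
    for host, line in current.items():
        old, new = parse_version(baseline.get(host, "")), parse_version(line)
        if old is None or new is None or old == new:
            continue
        if version_key(new[1]) < version_key(old[1]):
            alerts.append(f"{host}: image DOWNGRADED {old[1]} -> {new[1]} ({new[0]}); treat as hostile")
        else:
            alerts.append(f"{host}: image changed {old[1]} -> {new[1]}; confirm against change records")
    return alerts


if __name__ == "__main__":
    for a in find_alerts(parse_syslog(SAMPLE_SYSLOG), ["10.10.0.0/16"]) + image_drift(BASELINE_VERSIONS, CURRENT_VERSIONS):
        print(a)
```

On the sample data the branch router produces six alerts (guessing, guessed login, untrusted login, untrusted config change, reload, restart) and one image downgrade, while the HQ core router, administered from the trusted range, produces none. Two design points matter in practice: feed the script from an external syslog collector, not from the device's own buffer, and take the `show version` baseline from a device you have verified, since a backdoored image can lie about itself.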