A state-sponsored threat group from China is compromising “several” types of Cisco router and then installing malicious firmware to establish persistent backdoor access, US and Japanese authorities warned – providing guidance this week for threat hunters and network defenders.
The sophisticated campaign, attributed to a group the NSA referred to as BlackTech, has seen the attackers target “government, industrial, technology, media, electronics, and telecommunication sectors, including entities that support the militaries of the U.S. and Japan.”
Whilst illustrating in detail the group’s living-off-the-land and persistence techniques – more on those below – the multi-agency advisory is, unless we misread it, somewhat vague on the initial access vector used to reach the routers (other routers are also being targeted, it adds, but only Cisco is named…).
It also declines to name the precise flavour of routers being hit, whilst urging cybersecurity teams to “upgrade devices to ones that have secure boot capabilities with better integrity and authenticity checks for bootloaders and firmware. In particular, highly prioritize replacing all end-of-life and unsupported equipment as soon as possible.”
The attackers were using a range of custom malware families targeting Windows, Linux, and FreeBSD operating systems and deploying stolen code-signing certificates to sign malicious payloads. After establishing persistence, they were pivoting "from the trusted internal routers to other subsidiaries of the companies and the headquarters’ networks..."
Cisco router security advisory: Pick your CVE?
Earlier CISA advisories on a campaign by a Russian APT that also targeted Cisco router vulnerabilities showed attackers sniffing for poorly configured Simple Network Management Protocol (SNMP) – the protocol that lets network administrators monitor and configure network devices remotely – with CVE-2017-6742 in particular being exploited. (Other Cisco router security bugs are available for attackers...)
The September 27 advisory comes after CISA/NSA warned in June 2022 that Chinese APTs were exploiting vulnerabilities to compromise unpatched network devices, warning that Small Office/Home Office routers and Network Attached Storage devices were serving as “additional access points to route command and control traffic and act as midpoints to conduct network intrusions on other entities.”
This week’s more detailed advisory said that once BlackTech had gained elevated privileges on the routers it was often replacing the firmware via command-line execution, adding backdoor functionality that is enabled and disabled through specially crafted TCP or UDP packets.
“[Newly installed] malicious firmware is used to establish persistent backdoor access and obfuscate future malicious activity. The modified firmware uses a built-in SSH backdoor, allowing BlackTech actors to maintain access to the compromised router without [its] connections being logged,” the NSA and CISA said this week. The attackers bypass the router’s built-in security features by “first installing older legitimate firmware that they then modify in memory to allow the installation of a modified, unsigned bootloader and modified, unsigned firmware.”
“BlackTech actors may also hide their presence and obfuscate changes made to compromised Cisco routers by hiding Embedded Event Manager (EEM) policies—a feature usually used in Cisco IOS to automate tasks that execute upon specified events—that manipulate Cisco IOS Command-Line Interface (CLI) command results.
“On a compromised router, the BlackTech-created EEM policy waits for specific commands to execute obfuscation measures or deny execution of specified legitimate commands. This policy has two functions: (1) to remove lines containing certain strings in the output of specified, legitimate Cisco IOS CLI commands, and (2) prevent the execution of other legitimate CLI commands, such as hindering forensic analysis by blocking copy, rename, and move commands for the… EEM policy.”
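The EEM behaviour described above leaves a footprint in the configuration itself: an applet registered with a synchronous CLI hook on the commands it wants to filter or block. The script below, an added example that is not from the advisory or from Cisco, parses a constructed running-config excerpt (the applet names, the TFTP address and the hook patterns are all made up) into `event manager applet` blocks and flags any applet whose `event cli pattern ... sync yes` hook covers `show` or file-management verbs.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt of a Cisco IOS running-config (not taken from the
# advisory or from any real device). The first applet is a routine scheduled
# backup; the other two are shaped like the behaviour the advisory describes:
# a CLI hook on 'show' commands and a CLI hook on file-management commands,
# both registered with 'sync yes' so the applet runs before the command and
# can alter or suppress it.
SAMPLE_CONFIG = """\
!
event manager applet NIGHTLY_BACKUP
 event timer cron cron-entry "0 2 * * *"
 action 1.0 cli command "enable"
 action 2.0 cli command "copy running-config tftp://192.0.2.10/backup.cfg"
!
event manager applet SVC_HELPER
 event cli pattern "show (running-config|startup-config|version|flash)" sync yes
 action 1.0 cli command "enable"
!
event manager applet FS_GUARD
 event cli pattern "(copy|rename|delete|move) .*" sync yes
 action 1.0 cli command "enable"
!
"""

# CLI verbs whose interception by an EEM policy deserves a close look: the
# 'show' family (output filtering) and file commands (blocking forensics).
SENSITIVE_VERBS = ("show", "copy", "rename", "move", "delete", "dir", "verify", "write")


@dataclass
class Applet:
    name: str
    lines: list = field(default_factory=list)


def parse_applets(config: str) -> list:
    """Split a running-config into EEM applet blocks (name plus indented body)."""
    applets = []
    current = None
    for raw in config.splitlines():
        header = re.match(r"^event manager applet (\S+)", raw)
        if header:
            current = Applet(header.group(1))
            applets.append(current)
        elif current is not None and raw.startswith(" "):
            current.lines.append(raw.strip())
        else:
            current = None  # a '!' or any unindented line ends the block
    return applets


def triage_applets(config: str) -> list:
    """Return (applet name, hooked CLI pattern, sensitive verbs) for every
    synchronous CLI hook whose pattern covers a sensitive command."""
    findings = []
    for applet in parse_applets(config):
        for line in applet.lines:
            hook = re.match(r'^event cli pattern "(.*?)"(.*)$', line)
            if not hook:
                continue
            pattern, rest = hook.groups()
            synchronous = "sync yes" in rest
            verbs = [v for v in SENSITIVE_VERBS if re.search(rf"\b{v}\b", pattern)]
            if synchronous and verbs:
                findings.append((applet.name, pattern, verbs))
    return findings


if __name__ == "__main__":
    for name, pattern, verbs in triage_applets(SAMPLE_CONFIG):
        print(f"[review] applet {name} hooks {verbs} via pattern {pattern!r}")
```

Because the advisory says the policy strips its own lines from the output of legitimate `show` commands, run this against a configuration obtained from a trusted source (a config archive taken before the suspected compromise, or a copy retrieved through the integrity-verification process the advisory references) rather than against text pasted from the suspect router’s CLI.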
Cisco router security guidance
The agencies are advising defenders to:
- "Disable outbound connections by applying the ‘transport output none’ configuration command to the virtual teletype (VTY) lines. This command will prevent some copy commands from successfully connecting to external systems. Note: An adversary with unauthorized privileged level access to a network device could revert this configuration change.
- "Monitor both inbound and outbound connections from network devices to both external and internal systems. In general, network devices should only be connecting to nearby devices for exchanging routing or network topology information or with administrative systems for time synchronization, logging, authentication, monitoring, etc. If feasible, block unauthorized outbound connections from network devices by applying access lists or rule sets to other nearby network devices. Additionally, place administrative systems in separate virtual local area networks (VLANs) and block all unauthorized traffic from network devices destined for non-administrative VLANs.
- "Limit access to administration services and only permit IP addresses used by network administrators by applying access lists to the VTY lines or specific services. Monitor logs for successful and unsuccessful login attempts with the ‘login on-failure log’ and ‘login on-success log’ configuration commands, or by reviewing centralized Authentication, Authorization, and Accounting (AAA) events.
- "Upgrade devices to ones that have secure boot capabilities with better integrity and authenticity checks for bootloaders and firmware. In particular, highly prioritize replacing all end-of-life and unsupported equipment as soon as possible.
- "When there is a concern that a single password has been compromised, change all passwords and keys.
- "Review logs generated by network devices and monitor for unauthorized reboots, operating system version changes, changes to the configuration, or attempts to update the firmware. Compare against expected configuration changes and patching plans to verify that the changes are authorized.
- "Periodically perform both file and memory verification described in the Network Device Integrity (NDI) Methodology documents to detect unauthorized changes to the software stored and running on network devices.
- "Monitor for changes to firmware. Periodically take snapshots of boot records and firmware and compare against known good images."
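The last three items above (reviewing device logs for reboots, version and configuration changes; periodically verifying stored images; comparing firmware snapshots against known-good copies) can be wired into one periodic job. The script below is an added example, not code from the advisory, the NSA, CISA or Cisco. The "images" are constructed byte strings standing in for files pulled from bootflash, the syslog lines are constructed in the shape of Cisco IOS messages, and the admin source address and expected software version are assumptions. The version check flags any running version that differs from the patch plan, so a downgrade of the kind the advisory describes (older legitimate firmware installed before modification) shows up as an unauthorized event.

```python
import hashlib
import re

# ---- Firmware / boot-record snapshot comparison ----------------------------

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed stand-ins for the images captured while the device was trusted.
# A real baseline would hold the digests of the bytes pulled from bootflash
# and the ROM monitor at that time.
KNOWN_GOOD_IMAGES = {
    "bootflash:/rommon.bin": b"constructed-rommon-bytes-v1",
    "bootflash:/ios.bin": b"constructed-ios-image-bytes-v2",
}
BASELINE = {path: sha256_hex(data) for path, data in KNOWN_GOOD_IMAGES.items()}


def compare_snapshot(baseline: dict, snapshot: dict) -> dict:
    """Diff a fresh snapshot ({path: bytes}) against a baseline ({path: sha256})."""
    report = {"modified": [], "missing": [], "unexpected": []}
    for path, digest in baseline.items():
        if path not in snapshot:
            report["missing"].append(path)
        elif sha256_hex(snapshot[path]) != digest:
            report["modified"].append(path)
    report["unexpected"] = sorted(p for p in snapshot if p not in baseline)
    return report


# ---- Log review for reboots, version changes and config changes -------------

# Constructed lines in the shape of Cisco IOS syslog; not a real capture.
SAMPLE_SYSLOG = """\
Sep 27 02:00:01 edge-rtr-1 %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)
Sep 27 02:00:04 edge-rtr-1 %SYS-5-RELOAD: Reload requested by admin on vty0 (10.0.0.5).
Sep 27 02:03:10 edge-rtr-1 %SYS-5-RESTART: System restarted --
Sep 27 02:03:10 edge-rtr-1 Cisco IOS Software, C1900 Software, Version 15.1(4)M, RELEASE SOFTWARE
Sep 27 03:15:22 edge-rtr-1 %SYS-5-CONFIG_I: Configured from console by svc on vty1 (198.51.100.7)
"""

ADMIN_SOURCES = {"10.0.0.5"}    # assumption: the administrators' jump host
EXPECTED_VERSION = "15.2(4)M7"  # assumption: the version in the patching plan


def review_syslog(text: str, admin_sources: set, expected_version: str) -> list:
    """Return (kind, authorized, line) for each event the advisory asks to review.
    A restart counts as authorized only if an authorized reload preceded it;
    a version line is authorized only if it matches the patch plan."""
    events = []
    pending_reload = False
    for line in text.splitlines():
        src = re.search(r"\((\d+\.\d+\.\d+\.\d+)\)", line)
        src_ip = src.group(1) if src else None
        if "%SYS-5-CONFIG_I" in line:
            events.append(("config_change", src_ip in admin_sources, line))
        elif "%SYS-5-RELOAD" in line:
            pending_reload = src_ip in admin_sources
            events.append(("reload", pending_reload, line))
        elif "%SYS-5-RESTART" in line:
            events.append(("restart", pending_reload, line))
            pending_reload = False
        version = re.search(r"Version (\S+)", line)
        if version:
            running = version.group(1).rstrip(",")
            events.append(("version", running == expected_version, line))
    return events


if __name__ == "__main__":
    for kind, authorized, line in review_syslog(SAMPLE_SYSLOG, ADMIN_SOURCES, EXPECTED_VERSION):
        if not authorized:
            print(f"[unauthorized {kind}] {line}")
    fresh = {"bootflash:/rommon.bin": b"constructed-rommon-bytes-v1",
             "bootflash:/ios.bin": b"constructed-tampered-bytes"}
    print(compare_snapshot(BASELINE, fresh))
```

Both checks rely on the baseline and the logs living off the router: a snapshot hashed on the device, or logs kept only in its local buffer, are exactly what a privileged intruder with modified firmware can alter, which is why the advisory pairs these steps with centralized logging and out-of-band integrity verification.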