China APT Cracks Cisco Firmware in Attacks Against the US and Japan

An old Chinese state-linked threat actor has been quietly manipulating Cisco routers to breach multinational organizations in the US and Japan.

"BlackTech" (aka Palmerworm, Temp.Overboard, Circuit Panda, and Radio Panda) has been replacing device firmware with its own malicious version, in order to establish persistence and pivot from smaller, international subsidiaries to headquarters of affected organizations. Those organizations have thus far spanned government, industrial, technology, media, electronics, and telecommunication sectors, and include "entities that support the militaries of the U.S. and Japan," according to a new joint cybersecurity advisory from the National Security Agency (NSA), FBI, and Cybersecurity and Infrastructure Security Agency (CISA), as well as Japanese national police and cybersecurity authorities.

The advisory does not detail any specific CVE affecting Cisco routers. Instead, it explains, "this TTP is not solely limited to Cisco routers, and similar techniques could be used to enable backdoors in other network equipment."

Cisco has not yet responded to Dark Reading's request for comment.

According to Tom Pace, former Department of Energy head of cyber and now CEO of NetRise, it speaks to a more endemic problem in edge security. "If we get our hands on a firmware image from Cisco, Juniper, Huawei, Arista — it doesn't matter who it is," he says. "The same problems persist across all device manufacturers and all verticals."

How BlackTech Breaches Networks

Cisco routers have been subject to compromise and IP theft ever since the company first helped China build its national Internet censorship apparatus — the so-called "Great Firewall" — at the turn of the century. BlackTech, around since 2010, has taken the tradition a step further.

The group possesses 12 different custom malware families for penetrating and staking a foothold inside of Windows, Linux, and FreeBSD operating systems. They are lent an air of legitimacy by code-signing certificates and are constantly updated in order to evade antivirus detection.

Once firmly planted in target networks, BlackTech uses living-off-the-land (LotL)-style tools for evading endpoint detection, including NetCat shells, the Secure Shell Protocol (SSH), and the Remote Desktop Protocol (RDP).

BlackTech's ultimate goal is to escalate within the target network until it obtains administrator privileges over vulnerable network routers. This is where it distinguishes itself from other threat actors.

How BlackTech Toys With Routers

Specifically, BlackTech aims for routers at smaller, remote branches of larger organizations where security may be a bit more lax, using their connection to an organization's primary IT network to blend in with wider network traffic, and potentially pivot to other victims within the organization.

To cement control over the routers and conceal its many malicious activities, the group performs a downgrade attack.

First, it installs an old version of the router's firmware. "Cisco allows anyone with certain privileges on the device to downgrade the OS image and firmware," Alex Matrosov, CEO and head of research at Binarly, explained in a statement provided to Dark Reading.

"To gain persistence in this case, an attacker needs an authentication bypass vulnerability to modify the firmware image to deliver malicious code on the device," he added. The joint advisory did not allude to any specific vulnerability, though Matrosov pointed to CVE-2023-20082, a "Medium" 6.8 CVSS-scored bug in Cisco Catalyst switches as a comparable example.

BlackTech then "hot patches" the old firmware in memory, modifying it without the need for a shutdown reboot and enabling the installation of a bootloader and its own, malicious firmware with a built-in SSH backdoor.

Pace offers an analogy, for those not yet sufficiently impressed. "Imagine if you're on a computer, and a threat actor replaces your entire Windows operating system, and no one knows the difference. Well, that'd be wild, wouldn't it?"

What to Do

The advisory offers certain steps companies can take to mitigate against BlackTech's TTPs, such as monitoring inbound and outbound connections with network devices, reviewing logs and any changes to firmware, and diligent password hygiene. But to Pace, these are just Band-Aids for a deeper issue in edge security.

"If you look at laptops, desktops, servers: We have a litany of visibility solutions — technologies that can answer questions about what's going on on those devices in a very clear way. But we don't view these edge devices in the same way, because there aren't users on them. And so we don't provide the same level of monitoring across these devices," he explains.

Unless device manufacturers significantly upgrade their security, or customers significantly invest in this area traditionally overlooked, he thinks, this kind of story will repeat itself.

"This is a decade-long problem. Bare minimum. If not, probably 15, 20 years," he predicts.