Modem hacks highlighted
Authorities have issued a warning regarding the activities of the Chinese hacking group known as BlackTech.
The cyber espionage group, also known as Palmerworm, Temp.Overboard, Circuit Panda, or Radio Panda, has been infiltrating routers, particularly Cisco units, by exploiting weak admin credentials and deploying modified firmware.
Cisco, a major technology company, has responded to the allegations, claiming that there is no evidence suggesting the exploitation of security vulnerabilities in these attacks.
The warning was jointly released by several prominent agencies, including the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and the Cybersecurity and Infrastructure Security Agency (CISA) in the United States, as well as Japan's National Police Agency (NPA) and the National Center of Incident Readiness and Strategy for Cybersecurity (NISC).
According to the advisory issued by CISA, BlackTech has been active since 2010 and has a history of targeting a wide range of sectors, including government, industrial, technology, media, electronics, and telecommunications.
They have also aimed their efforts at entities supporting the military operations of both the United States and Japan.
The group's modus operandi typically involves gaining access to a network through an organisation's international subsidiaries and then leveraging that access to infiltrate the main office networks.
Beginning with the compromise of edge devices, BlackTech subsequently targets branch routers.
Once access to branch routers is obtained, the group employs various tactics, such as proxying network traffic, blending in with corporate network data, and launching attacks on other victims within the same corporate network.
While BlackTech has targeted various router brands and models, the advisory highlights Cisco products in its analysis.
The hackers use their admin access to replace Cisco's firmware with malicious firmware. This modified firmware includes an SSH backdoor that grants the attackers persistent, covert access to the device without leaving any traces, enabling them to eavesdrop on network traffic undetected.
In some instances, BlackTech exploits its access to the devices to install a modified bootloader, likely intended to bypass Cisco's bootloader security features.
Cisco has issued a response to the advisory, expressing dissatisfaction with the allegations. Cisco pointed out that weak admin credentials represent the most common access vector for these attacks and clarified: “There is no indication that any Cisco vulnerabilities were exploited.”
The company further explained that attackers relied on compromised credentials to make administrative-level configuration and software changes.
Cisco also noted that its modern products incorporate secure boot capabilities that prevent the loading and execution of modified software images.