US, Japan warn of Chinese router attacks


U.S. and Japanese authorities have urged multinational companies to consider implementing zero trust models to mitigate a sophisticated Chinese state-backed cyberespionage operation.

The advisory was issued yesterday by the NSA, the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), the Japan National Police Agency (NPA), and the Japan National Center of Incident Readiness and Strategy for Cybersecurity (NISC).

The advisory warned that the Chinese group BlackTech was targeting companies in the government, industrial, technology, media, electronics and telecommunications sectors, “including entities that support the militaries of the United States and Japan.”

The threat actors typically target subsidiaries of U.S. and Japanese multinational companies, exploiting routers to gain access to the subsidiaries’ networks and then pivoting to the headquarters networks.

“Specifically, after gaining a foothold in a target network and gaining administrative access to the network’s edge devices, BlackTech cyber actors often modify the firmware to hide their activity on the edge devices to further maintain persistence in the network,” the advisory explains.

“BlackTech actors then use the compromised public branch routers as part of their infrastructure to proxy traffic, blend in with corporate network traffic, and pivot to other victims on the same corporate network.”


The actors target and exploit various brands and models of routers, including Cisco, using a custom firmware backdoor activated and deactivated via specially crafted TCP or UDP packets. This malware is used for initial access to networks, to maintain persistence, and to exfiltrate data, according to the advisory.

In some cases, threat actors have also been observed replacing the firmware of certain Cisco IOS routers with malicious firmware in order to establish persistent backdoor access and hide future malicious activity.

BlackTech sometimes also attempts to obfuscate and conceal changes to compromised Cisco routers by hiding Embedded Event Manager (EEM) policies, the advisory reveals.
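As an added illustration of the defensive checks these two findings point to (not code from the advisory or any of the agencies), the following Python compares a branch router’s EEM applets and boot image against a known-good baseline and verifies an offloaded firmware image against a hash allowlist. The configs, image bytes and allowlist are constructed for the example.

```python
import hashlib
import re

# Constructed sample configs: a known-good baseline and the running-config
# pulled from the same branch router during an investigation.
BASELINE_CONFIG = """\
hostname branch-rtr-01
boot system flash:ios-image.bin
event manager applet LOG_LINK_FLAP
 event syslog pattern "LINEPROTO-5-UPDOWN"
 action 1.0 syslog msg "link flap noted"
"""
SUSPECT_CONFIG = BASELINE_CONFIG + """\
event manager applet UNLISTED_APPLET
 event timer watchdog time 300
 action 1.0 cli command "enable"
"""

# Constructed firmware image and allowlist; in practice the allowlist holds
# vendor-published SHA-256 values for the exact image version deployed.
SAMPLE_IMAGE = b"constructed firmware image bytes"
ALLOWED_SHA256 = {hashlib.sha256(SAMPLE_IMAGE).hexdigest()}

APPLET_RE = re.compile(r"^event manager applet (\S+)")

def parse_eem_applets(config):
    """Return {applet_name: [body lines]} for every EEM applet in a config dump."""
    applets, current = {}, None
    for line in config.splitlines():
        m = APPLET_RE.match(line)
        if m:
            current = m.group(1)
            applets[current] = []
        elif current is not None and line.startswith(" "):
            applets[current].append(line.strip())
        else:
            current = None  # any non-indented line ends the applet stanza
    return applets

def diff_applets(baseline, suspect):
    """Report EEM applets that appear, vanish or change relative to the baseline."""
    base, cur = parse_eem_applets(baseline), parse_eem_applets(suspect)
    return {
        "added": sorted(set(cur) - set(base)),
        "removed": sorted(set(base) - set(cur)),
        "changed": sorted(n for n in set(base) & set(cur) if base[n] != cur[n]),
    }

def boot_images(config):
    """Image paths named by 'boot system' lines; any change here is a signal on its own."""
    return [l.split(None, 2)[2] for l in config.splitlines() if l.startswith("boot system ")]

def firmware_image_ok(image_bytes, allowed_sha256):
    """True only if the offloaded image hashes to an allowlisted SHA-256."""
    return hashlib.sha256(image_bytes).hexdigest() in allowed_sha256
```

Run the comparison against a configuration backup taken before the suspected compromise window; an applet or boot image that only exists in the live device is worth a closer look regardless of what it appears to do.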

Stolen code signing certificates are used to sign payloads and evade defenses, making the group’s malware harder to detect.

The advisory “highlights the need for multinational companies to review all branch connections, verify access, and consider implementing Zero Trust models to limit the extent of a possible BlackTech compromise.”
