The US and Japanese authorities have urged multi-nationals to consider implementing zero trust models to mitigate a sophisticated Chinese state-backed cyber-espionage operation.
The advisory was issued by the NSA, FBI, the Cybersecurity and Infrastructure Security Agency (CISA), the Japan National Police Agency (NPA) and the Japan National Center of Incident Readiness and Strategy for Cybersecurity (NISC) on September 27.
It warned that the Chinese BlackTech group has been targeting government, industrial, technology, media, electronics and telecommunication sector firms, “including entities that support the militaries of the US and Japan.”
The threat actors typically target subsidiaries of multi-national US and Japanese firms, exploiting routers in order to access their networks, and then pivoting to the networks of headquarter offices.
“Specifically, upon gaining an initial foothold into a target network and gaining administrator access to network edge devices, BlackTech cyber actors often modify the firmware to hide their activity across the edge devices to further maintain persistence in the network,” the advisory explained.
“BlackTech actors then use the compromised public-facing branch routers as part of their infrastructure for proxying traffic, blending in with corporate network traffic, and pivoting to other victims on the same corporate network.”
The actors target and exploit various router brands and models, including Cisco, using a customized firmware backdoor enabled and disabled through specially crafted TCP or UDP packets. This malware is used for initial access into networks, maintaining persistence and exfiltrating data, the advisory claimed.
In some cases, the threat actors were also observed replacing the firmware of certain Cisco IOS routers with malicious firmware in order to establish persistent backdoor access and obfuscate future malicious activity.
BlackTech sometimes also tries to hide and obfuscate changes made to compromised Cisco routers by hiding Embedded Event Manager (EEM) policies, the advisory revealed.
Stolen code-signing certificates are used to sign payloads and evade defenses, making the group’s malware harder to detect.
The advisory “highlights the need for multinational corporations to review all subsidiary connections, verify access, and consider implementing Zero Trust models to limit the extent of a potential BlackTech compromise.”
Read more on router threats: US and UK Warn of VPNFilter Successor “Cyclops Blink”