The U.S. government is warning about the China-affiliated Blacktech hacker gang replacing firmware in edge devices with its own backdoor version. Cisco routers in particular are vulnerable.
The U.S. NSA, FBI, the regulator CISA and the Japanese police are warning about the activities of the Blacktech hacker gang. The group, allegedly affiliated with the Chinese government, mainly carries out attacks on targets in the United States and Japan.
In their attacks, the hackers target edge devices such as routers. They seek admin access and replace the existing firmware on the routers with their own version. This modified firmware hides the attack from detection and provides persistent access.
Blacktech attack techniques
More specifically, on the devices they gain access to, the Blacktech hackers first install an old but legitimate firmware version, which they then modify in memory.
This enables the installation of a custom, unvalidated bootloader, which in turn loads the custom, unvalidated rogue firmware. The custom bootloader is intended to evade detection.
The hackers also use so-called Embedded Event Manager (EEM) policies to evade detection. These policies alter the output of CLI commands, so that an administrator inspecting the device does not see the modifications.
Cisco routers often targeted
Most of the routers hacked by the Chinese attackers appear to be Cisco routers. Routers and edge devices from other manufacturers may also be targeted, according to security officials.
Cisco confirmed in a statement that its routers are indeed being targeted by the Blacktech gang. As the reason for this preference, the tech giant explains that its routers are compromised through weak and stolen passwords.
Cisco has not yet indicated that the vulnerabilities have been exploited to steal data; so far, only admin-level modifications are reported to have been made to the affected devices.
In addition, the attacks targeted only legacy Cisco routers, as modern devices have secure boot functionality that prevents loading and running custom software images. Nor, reportedly, were any Cisco certificates misused.
The security organisations and Cisco indicate that Blacktech's malware can be countered by applying various best practices.
These include regularly monitoring for firmware changes, verifying files and memory, checking logs for unauthorized restarts or version changes, monitoring inbound and outbound connections to routers, and disabling outbound connections.
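The checks recommended above (firmware and version verification, reviewing logs for unauthorized restarts) and the EEM trick described earlier (applets that hook CLI commands to alter their output) can be turned into a small audit over artefacts already collected from a router. The following is an added example written for this article; it is not code from the advisory, the agencies or Cisco. It assumes Cisco IOS conventions for EEM applet syntax and for the `%SYS-5-RELOAD` / `%SYS-5-RESTART` syslog mnemonics, and every input (configuration, log lines, image names, hashes, version string) is a constructed sample.

```python
"""Defender-side integrity and log checks for the behaviours described above.
Added example, not code from the advisory, the agencies or Cisco. EEM applet
syntax and the %SYS-5-RELOAD / %SYS-5-RESTART mnemonics follow Cisco IOS
conventions as assumed here; every input below is a constructed sample."""
import re
from dataclasses import dataclass

# Constructed baseline recorded when the device was last approved for service.
APPROVED_IMAGE = {
    "file": "approved-router-image.bin",   # placeholder image name
    "sha256": "0" * 64,                    # placeholder, not a real hash
    "version": "99.0.0-placeholder",       # placeholder version string
}

# One EEM applet: its header line plus the indented body lines that follow.
APPLET_RE = re.compile(
    r"^event manager applet (?P<name>\S+)[^\n]*\n(?P<body>(?:[ \t][^\n]*\n?)*)", re.M)
CLI_PATTERN_RE = re.compile(r'event cli pattern "(?P<pat>[^"]+)"')
# Operator commands used to inspect the image; an applet hooking them is suspect.
INSPECTION_CMDS = re.compile(r"^(show|verify|dir|more)\b")
RELOAD_RE = re.compile(r"%SYS-5-(?P<kind>RELOAD|RESTART)\b")
SRC_RE = re.compile(r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)")


@dataclass(frozen=True)
class Finding:
    category: str
    detail: str


def find_cli_interceptors(config_text: str) -> list[Finding]:
    """Flag EEM applets whose trigger is an inspection command (show/verify/dir)."""
    findings = []
    for applet in APPLET_RE.finditer(config_text):
        for pm in CLI_PATTERN_RE.finditer(applet.group("body")):
            if INSPECTION_CMDS.match(pm.group("pat")):
                findings.append(Finding(
                    "eem_cli_intercept",
                    f"applet {applet.group('name')} hooks {pm.group('pat')!r}"))
    return findings


def find_reload_events(log_lines: list[str]) -> list[Finding]:
    """Report every reload/restart; reconcile the list against change tickets."""
    findings = []
    for line in log_lines:
        m = RELOAD_RE.search(line)
        if not m:
            continue
        src = SRC_RE.search(line)
        origin = f" requested from {src.group('ip')}" if src else ""
        findings.append(Finding("reload", f"{m.group('kind')}{origin}"))
    return findings


def check_image(observed: dict) -> list[Finding]:
    """Compare the running image file, hash and version against the baseline."""
    findings = []
    for key in ("file", "sha256", "version"):
        if observed.get(key) != APPROVED_IMAGE[key]:
            findings.append(Finding(
                f"image_{key}_mismatch",
                f"expected {APPROVED_IMAGE[key]!r}, observed {observed.get(key)!r}"))
    return findings


def audit(config_text: str, log_lines: list[str], observed_image: dict) -> list[Finding]:
    """Run all three checks and return the combined list of findings."""
    return (find_cli_interceptors(config_text)
            + find_reload_events(log_lines)
            + check_image(observed_image))


# Constructed sample inputs (not captured from any real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
event manager applet hide_version
 event cli pattern "show version" sync yes
 action 1.0 syslog msg "placeholder action"
!
event manager applet nightly_backup
 event timer cron cron-entry "0 2 * * *"
 action 1.0 cli command "copy running-config tftp:"
!
"""
SAMPLE_LOGS = [
    "Sep 28 03:14:07 edge-rtr-01 12: %SYS-5-RELOAD: Reload requested by admin on vty0 "
    "(198.51.100.23). Reload Reason: Reload Command.",
    "Sep 28 03:16:42 edge-rtr-01 13: %SYS-5-RESTART: System restarted --",
    "Sep 28 03:16:43 edge-rtr-01 14: %SYS-5-CONFIG_I: Configured from console by admin on vty0",
]
OBSERVED_IMAGE = {"file": "approved-router-image.bin", "sha256": "f" * 64,
                  "version": "99.0.0-placeholder"}

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG, SAMPLE_LOGS, OBSERVED_IMAGE):
        print(f"{f.category}: {f.detail}")
```

On the sample data the audit reports four findings: the `hide_version` applet hooking `show version`, one reload and one restart (the reload attributed to its source address), and a hash mismatch for an image whose file name and version string still look approved. That last case is the point of hashing rather than trusting names: a replaced image can keep the expected version banner, so the comparison must be against a hash recorded out of band when the device was approved, and a hooked `show` command is exactly why the hash should be computed from an offline copy of the image rather than read from the device's own output.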