posted by janrinok on Sunday October 01 2023, @12:19AM

Backdoored firmware lets China state hackers control routers with "magic packets"

Hackers backed by the Chinese government are planting malware into routers that provides long-lasting and undetectable backdoor access to the networks of multinational companies in the US and Japan, governments in both countries said Wednesday.

The hacking group, tracked under names including BlackTech, Palmerworm, Temp.Overboard, Circuit Panda, and Radio Panda, has been operating since at least 2010, a joint advisory published by government entities in the US and Japan reported. The group has a history of targeting public organizations and private companies in the US and East Asia. The threat actor is somehow gaining administrator credentials to network devices used by subsidiaries and using that control to install malicious firmware that can be triggered with "magic packets" to perform specific tasks.

The hackers then use control of those devices to infiltrate networks of companies that have trusted relationships with the breached subsidiaries.

"Specifically, upon gaining an initial foothold into a target network and gaining administrator access to network edge devices, BlackTech cyber actors often modify the firmware to hide their activity across the edge devices to further maintain persistence in the network," officials wrote in Wednesday's advisory. "To extend their foothold across an organization, BlackTech actors target branch routers—typically smaller appliances used at remote branch offices to connect to a corporate headquarters—and then abuse the trusted relationship of the branch routers within the corporate network being targeted. BlackTech actors then use the compromised public-facing branch routers as part of their infrastructure for proxying traffic, blending in with corporate network traffic, and pivoting to other victims on the same corporate network."

[...] To install their modified bootloader, the US and Japanese advisory said, the threat actors install an older version of the legitimate firmware and then modify it as it runs in memory. The technique overrides signature checks in the Cisco ROM monitor signature validation functions, specifically functions of Cisco's IOS Image Load test and the Field Upgradeable ROMMON Integrity test. The modified firmware, which consists of a Cisco IOS loader that installs an embedded IOS image, allows the compromised routers to make connections over SSH without being recorded in event logs.


Related Stories

Chinese Malware Removed From SOHO Routers After FBI Issues Covert Commands

The US Justice Department said Wednesday that the FBI surreptitiously sent commands to hundreds of infected small office and home office routers to remove malware China state-sponsored hackers were using to wage attacks on critical infrastructure.

The routers—mainly Cisco and Netgear devices that had reached their end of life—were infected with what's known as KV Botnet malware, Justice Department officials said.

[...] "To effect these seizures, the FBI will issue a command to each Target Device to stop it from running the KV Botnet VPN process," an agency special agent wrote in an affidavit dated January 9. "This command will also stop the Target Device from operating as a VPN node, thereby preventing the hackers from further accessing Target Devices through any established VPN tunnel.

[...] The takedown disclosed Wednesday isn't the first time the FBI has issued commands to infected devices without the owners' knowledge ahead of time. In 2021, authorities executed a similar action to disinfect Microsoft Exchange servers that had been compromised by a different China-state group tracked as Hafnium.

[...] In 2018, researchers reported that more than 500,000 SOHO routers had been compromised by sophisticated malware dubbed VPNFilter. The mass hack was later revealed to be an operation by a Russian-state group tracked as Sofacy. In that event, the FBI issued an advisory urging people to restart their routers to remove any possible infections. The agency also seized a domain used to control VPNFilter.

[...] This month's takedown comes as the Chinese government has stepped up attacks in recent years to compromise routers, cameras, and other network-connected devices to target critical infrastructure. warned of the trend in May last year. Researchers in the private sector have issued similar warnings.

Previously on SoylentNews:
Backdoored Firmware Lets China State Hackers Control Routers With "Magic Packets" - 20230930
Microsoft Comes Under Blistering Criticism for "Grossly Irresponsible" Security - 20230805
Malware Turns Home Routers Into Proxies for Chinese State-Sponsored Hackers - 20230518
US Warns of Govt Hackers Targeting Industrial Control Systems - 20220415
State Hackers Breach Defense, Energy, Healthcare Orgs Worldwide - 20211111
Microsoft Exchange Server Zero Day Hack Roundup - 20210316
Breached Water Plant Employees Shared Same Password, No Firewall - 20210211
Iranian Spies Accidentally Leaked Videos of Themselves Hacking - 20200716
Hackers Can Seize Control of Ballots Cast Using the Voatz Voting App, Researchers Say - 20200215
Microsoft Takes Court Action Against Fourth Nation-State Cybercrime Group - 20191231

  • (Score: 5, Interesting) by Anonymous Coward on Sunday October 01 2023, @01:04AM

    by Anonymous Coward on Sunday October 01 2023, @01:04AM (#1326525)

    Sigh... I used to work at a company that built a product that stood in front of your router watching everything, and could even drop undesirable packets. It was a bold strategy, we were a small company, and alas not enough customers (and too many other things going on with management that caused problems). I'm sure it's not the first or last company to do such things. We were modified FreeBSD on commodity hardware. Sure, that could be compromised somehow too. Anything can be compromised. Our Intel NICs could have been lying to us, for all we know; but at least let's make them have to *work* for this. There should be more than one watcher between the cloud and your crown jewels. For most applications the latency penalty isn't really that severe, and there are ways of addressing that problem where it matters. Certainly an unauthorized SSH should stick out like a sore thumb on a 3rd party monitor that isn't compromised.

    Reading about stuff like this almost makes me want to get back into the biz.
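The independent watcher the comment describes, as an added example that is not part of the original post or any vendor's tooling: a small Python detector that compares SSH flows seen by an out-of-band monitor against the router's own SSH log, so sessions the modified firmware keeps out of the device log still surface. The router addresses, admin allowlist, flow records and the syslog line are constructed sample data.

```python
# Added example (not from the advisory or any vendor): a third-party monitor that
# sees every flow touching the branch routers catches SSH sessions the modified
# firmware keeps out of the router's own log. All data below is constructed.
ROUTERS = {"10.0.0.1", "10.0.0.2"}        # constructed: router management IPs
APPROVED_ADMIN_HOSTS = {"10.10.5.20"}     # constructed: permitted SSH sources

def parse_flows(lines):
    """Parse 'src dst dport' records as a flow collector might export them."""
    flows = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue                      # skip malformed records
        flows.append((parts[0], parts[1], int(parts[2])))
    return flows

def router_logged_ssh_peers(lines):
    """Peer addresses the router's own syslog admits to for SSH sessions
    (line format loosely modelled on a Cisco SSH2_SESSION message)."""
    peers = set()
    for line in lines:
        if "SSH2_SESSION" in line and " from " in line:
            peers.add(line.split(" from ")[1].split()[0])
    return peers

def find_suspicious_ssh(flows, logged_peers):
    """Return (src, dst, reason) for SSH flows worth a look: inbound from an
    unapproved host, inbound but absent from the router's own log, or
    initiated by the router itself (routers should not open SSH outbound)."""
    findings = []
    for src, dst, dport in flows:
        if dport != 22:
            continue
        if src in ROUTERS:
            findings.append((src, dst, "router initiated outbound SSH"))
        elif dst in ROUTERS:
            reasons = []
            if src not in APPROVED_ADMIN_HOSTS:
                reasons.append("unapproved source")
            if src not in logged_peers:
                reasons.append("absent from router log")
            if reasons:
                findings.append((src, dst, "; ".join(reasons)))
    return findings

# Constructed sample: four flows; the router's log records only one session.
SAMPLE_FLOWS = ["10.10.5.20 10.0.0.1 22", "203.0.113.9 10.0.0.2 22",
                "10.0.0.1 198.51.100.7 22", "10.10.5.20 10.0.0.1 443"]
SAMPLE_ROUTER_LOG = ["%SSH-5-SSH2_SESSION: SSH2 Session request from 10.10.5.20 (tty = 0) Succeeded"]

def demo():
    return find_suspicious_ssh(parse_flows(SAMPLE_FLOWS),
                               router_logged_ssh_peers(SAMPLE_ROUTER_LOG))
```

The flow from the approved admin host that the router also logged produces nothing; the session from an outside address and the router-initiated outbound SSH are both flagged.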

  • (Score: 5, Insightful) by RedGreen on Sunday October 01 2023, @05:36AM (1 child)

    by RedGreen (888) on Sunday October 01 2023, @05:36AM (#1326550)

    "The threat actor is somehow gaining administrator credentials"

    They manufacture just about all the equipment used; it is damn easy to flash whatever the hell they want to it. Makes it so easy to hack later, yet again we see the result of the parasite corporations shipping all the jobs to take advantage of the slave labour and no environmental standards for some cocksucker billionaire to get a few more dollars in their pile. I have an idea for you dumb fucks in America that solves two of your problems in one. Tell the scummy corporations time to vacate China, your days with it are over, and tell them see all them people from Central and South America coming our way for a better life, build a wall of factories across them countries and give them people jobs who need it. Not some murdering Chinese bastards; at least them people are coming to live the American dream, not to fuck you over and destroy your country and way of life by any means possible.

    "I modded down, down, down, and the flames went higher." -- Sven Olsen
    • (Score: 5, Insightful) by gnuman on Sunday October 01 2023, @10:32AM

      by gnuman (5013) on Sunday October 01 2023, @10:32AM (#1326562)

      Mr. Happy, in every country you'll find more than enough people that will do shady things for money.

      Also, why do they need "hackers to modify firmware in RAM" instead of just shipping it broken from factory? Seems that it's not the factories or employees that are compromised here, but you have groups outside that want to gain some control of these devices down the road instead. How is it any different from the shady Israeli NSO Group that sells these things to all sorts of dictators and others with deep pockets? I would label the NSO Group worse than these 0-day black hats working for the Chinese NSA-equivalent.

      Personally, I'd rather have some Chinese hackers on my machine than NSA hackers because the latter can touch me in more personal ways via related agencies than the Chinese equivalent. YMMV if you are in China ;)

  • (Score: 2) by EJ on Sunday October 01 2023, @10:31AM (4 children)

    by EJ (2452) on Sunday October 01 2023, @10:31AM (#1326561)

    I feel like the only way to be truly safe is to have a physical backup ROM that cannot be overwritten, which requires you to physically flip a switch or jumper to activate. This disables the ROM chip that may have been compromised, and lets you flash over it with a clean image. When the flash process is done via a menu that's controlled by a potentially compromised ROM, you can never be sure that it's truly flashing the update at all. With a backup ROM, which is fused at the factory, your only exposure is supply chain attacks.

    Another option would be a socketed ROM that you can physically remove to flash with a clean image via external ROM programmer.

    • (Score: 2) by gnuman on Sunday October 01 2023, @10:36AM (1 child)

      by gnuman (5013) on Sunday October 01 2023, @10:36AM (#1326563)

      The only way to be safe is to stop having trusted networks and design your systems with 0-trust. VPNs shouldn't be used for security -- they should be used to reduce the attack surface. Security should be part of the application layer, always. Internal LAN or external LAN should make no difference when building your system. Only when this is true will your network be safe.

      • (Score: 2) by bloodnok on Sunday October 01 2023, @07:56PM

        by bloodnok (2578) on Sunday October 01 2023, @07:56PM (#1326632)

        Security should be part of the application layer, always.

        And given that the application layer often runs in the DMZ, which, by definition, cannot be trusted, you should have additional security layers in your database.

        Ideally, your database does not trust the application server at all, but will have authenticated each connected user and give them only the privileges that their user-id requires.

        And you should be auditing database access, looking for odd activity too.

        It's not easy to do well, but it can be done. The first step is to convince your CTO that they are less likely to be sacrificed to the gods of blame if they take security seriously.

        The Major

    • (Score: 3, Insightful) by SomeGuy on Sunday October 01 2023, @02:34PM (1 child)

      by SomeGuy (5632) on Sunday October 01 2023, @02:34PM (#1326589)

      > physical backup ROM that cannot be overwritten,

      Unfortunately, technology has not been that simple for a long time. The malicious parts may be buried deep inside circuitry that is not even accessible by a CPU.

      I've personally encountered an older IDE motherboard chipset that would flip bits when a certain uncommon pattern was encountered. In that case, probably a bug rather than malicious, but how would anyone know? Completely independent of the BIOS or even OS.

      • (Score: 2) by EJ on Monday October 02 2023, @05:42PM

        by EJ (2452) on Monday October 02 2023, @05:42PM (#1326774)

        True, but that is a different sort of problem. I'm focused only on "solving" the issue with firmware that can be flashed. The assumption must be that there is a known "good" firmware that can be obtained, and the problem to solve is just a method of confidently flashing it to the device(s).

        There is never a 100% guaranteed perfect system, but this just solves the basic issue of a malicious firmware preventing itself from being flashed over.

  • (Score: 2) by ls671 on Sunday October 01 2023, @09:49PM

    by ls671 (891) on Sunday October 01 2023, @09:49PM (#1326642)

    It's a mystery to me why Xi Jinping allows those hacker groups to have "panda" in their names. A panda basically looks like him and Winnie the Pooh, which I hear he banned in China...

    Everything I write is lies, including this sentence.