posted by janrinok on Sunday October 01 2023, @12:19AM

Backdoored firmware lets China state hackers control routers with "magic packets"

https://arstechnica.com/security/2023/09/china-state-hackers-are-camping-out-in-cisco-routers-us-and-japan-warn/

Hackers backed by the Chinese government are planting malware into routers that provides long-lasting and undetectable backdoor access to the networks of multinational companies in the US and Japan, governments in both countries said Wednesday.

The hacking group, tracked under names including BlackTech, Palmerworm, Temp.Overboard, Circuit Panda, and Radio Panda, has been operating since at least 2010, a joint advisory published by government entities in the US and Japan reported. The group has a history of targeting public organizations and private companies in the US and East Asia. The threat actor is somehow gaining administrator credentials to network devices used by subsidiaries and using that control to install malicious firmware that can be triggered with "magic packets" to perform specific tasks.

The hackers then use control of those devices to infiltrate networks of companies that have trusted relationships with the breached subsidiaries.

"Specifically, upon gaining an initial foothold into a target network and gaining administrator access to network edge devices, BlackTech cyber actors often modify the firmware to hide their activity across the edge devices to further maintain persistence in the network," officials wrote in Wednesday's advisory. "To extend their foothold across an organization, BlackTech actors target branch routers—typically smaller appliances used at remote branch offices to connect to a corporate headquarters—and then abuse the trusted relationship of the branch routers within the corporate network being targeted. BlackTech actors then use the compromised public-facing branch routers as part of their infrastructure for proxying traffic, blending in with corporate network traffic, and pivoting to other victims on the same corporate network."

[...] To install their modified bootloader, the US and Japanese advisory said, the threat actors install an older version of the legitimate firmware and then modify it as it runs in memory. The technique overrides signature checks in the Cisco ROM monitor signature validation functions, specifically functions of Cisco's IOS Image Load test and the Field Upgradeable ROMMON Integrity test. The modified firmware, which consists of a Cisco IOS loader that installs an embedded IOS image, allows the compromised routers to make connections over SSH without being recorded in event logs.
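The detail in the last paragraph, SSH sessions to the router that never reach the device's own event log, suggests a detection that does not depend on the device telling the truth: an upstream vantage point (a NetFlow/IPFIX collector, a span port, a firewall in front of the router) still sees the TCP session, so any SSH flow to the router that has no matching login record on the router is worth a look. The script below is an added example, not code from the Ars article, the advisory, or any SoylentNews poster; the flow record layout, the syslog line format, the hostname `branch-rtr-1`, the addresses and the 60-second matching window are all constructed for illustration.

```python
"""Correlate out-of-band flow records with a router's own login log and
report SSH sessions the router never logged (constructed sample data)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed flow records from an upstream collector, one TCP session per
# line: "start_time src_ip:src_port -> dst_ip:dst_port bytes".
FLOW_RECORDS = """\
2023-09-27T02:14:05Z 203.0.113.8:51522 -> 192.0.2.1:22 18422
2023-09-27T03:02:41Z 198.51.100.23:40110 -> 192.0.2.1:22 9120
2023-09-27T03:30:10Z 198.51.100.23:40200 -> 192.0.2.1:443 2210
2023-09-27T04:11:59Z 203.0.113.8:51590 -> 192.0.2.1:22 77031
"""

# Constructed syslog-style lines from the router for the same window. Only
# two of the three SSH sessions appear; the third is the one to flag.
ROUTER_LOG = """\
2023-09-27T02:14:06Z branch-rtr-1 SSH2 login from 203.0.113.8 user netops
2023-09-27T03:02:42Z branch-rtr-1 SSH2 login from 198.51.100.23 user netops
"""

ROUTER_IP = "192.0.2.1"
SSH_PORT = 22
# Tolerance for clock skew and for the gap between SYN and login record.
MATCH_WINDOW = timedelta(seconds=60)


@dataclass(frozen=True)
class Flow:
    start: datetime
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Login:
    when: datetime
    src_ip: str


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_flows(text: str) -> list[Flow]:
    flows: list[Flow] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, src, _arrow, dst, _nbytes = line.split()
        src_ip, _ = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        flows.append(Flow(_ts(start), src_ip, dst_ip, int(dst_port)))
    return flows


def parse_logins(text: str) -> list[Login]:
    logins: list[Login] = []
    for line in text.splitlines():
        parts = line.split()
        # Expected shape: "<ts> <host> SSH2 login from <ip> user <name>"
        if len(parts) < 6 or parts[2] != "SSH2" or parts[3] != "login":
            continue
        logins.append(Login(_ts(parts[0]), parts[5]))
    return logins


def unlogged_ssh_sessions(flows: list[Flow], logins: list[Login],
                          router_ip: str = ROUTER_IP) -> list[Flow]:
    """Return SSH flows to router_ip that have no login record from the same
    source within MATCH_WINDOW of the flow start."""
    suspicious: list[Flow] = []
    for f in flows:
        if f.dst_ip != router_ip or f.dst_port != SSH_PORT:
            continue
        matched = any(
            lg.src_ip == f.src_ip and abs(lg.when - f.start) <= MATCH_WINDOW
            for lg in logins
        )
        if not matched:
            suspicious.append(f)
    return suspicious


if __name__ == "__main__":
    hits = unlogged_ssh_sessions(parse_flows(FLOW_RECORDS), parse_logins(ROUTER_LOG))
    for f in hits:
        print(f"unlogged SSH session to {f.dst_ip} from {f.src_ip} "
              f"at {f.start:%Y-%m-%dT%H:%M:%SZ}")
```

The check only works if the flow records come from something other than the router under suspicion; a device that suppresses its own login log can equally suppress the flow export it generates, so the collector must sit upstream or on a separate tap. The time window also needs to be tuned to the real clock drift between router and collector, otherwise genuine sessions show up as misses.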

  • (Score: 2) by EJ on Sunday October 01 2023, @10:31AM (4 children)

    by EJ (2452) on Sunday October 01 2023, @10:31AM (#1326561)

    I feel like the only way to be truly safe is to have a physical backup ROM that cannot be overwritten, which requires you to physically flip a switch or jumper to activate. This disables the ROM chip that may have been compromised, and lets you flash over it with a clean image. When the flash process is done via a menu that's controlled by a potentially compromised ROM, you can never be sure that it's truly flashing the update at all. With a backup ROM, which is fused at the factory, your only exposure is supply chain attacks.

    Another option would be a socketed ROM that you can physically remove to flash with a clean image via external ROM programmer.

  • (Score: 2) by gnuman on Sunday October 01 2023, @10:36AM (1 child)

    by gnuman (5013) on Sunday October 01 2023, @10:36AM (#1326563)

    The only way to be safe is to stop having trusted networks and design your systems with 0-trust. VPNs shouldn't be used for security -- they should be used to reduce the attack surface. Security should be part of the application layer, always. Internal LAN or external LAN should make no difference when building your system. Only when this is true will your network be safe.

    • (Score: 2) by bloodnok on Sunday October 01 2023, @07:56PM

      by bloodnok (2578) on Sunday October 01 2023, @07:56PM (#1326632)

      Security should be part of the application layer, always.

      And given that the application layer often runs in the DMZ, which, by definition, cannot be trusted, you should have additional security layers in your database.

      Ideally, your database does not trust the application server at all, but will have authenticated each connected user and give them only the privileges that their user-id requires.

      And you should be auditing database access, looking for odd activity too.

      It's not easy to do well, but it can be done. The first step is to convince your CTO that they are less likely to be sacrificed to the gods of blame if they take security seriously.

      __
      The Major

  • (Score: 3, Insightful) by SomeGuy on Sunday October 01 2023, @02:34PM (1 child)

    by SomeGuy (5632) on Sunday October 01 2023, @02:34PM (#1326589)

    > physical backup ROM that cannot be overwritten,

    Unfortunately, technology has not been that simple for a long time. The malicious parts may be buried deep inside circuitry that is not even accessible by a CPU.

    I've personally encountered an older IDE motherboard chipset that would flip bits when a certain uncommon pattern was encountered. In that case, probably a bug rather than malicious, but how would anyone know? Completely independent of the BIOS or even OS.

    • (Score: 2) by EJ on Monday October 02 2023, @05:42PM

      by EJ (2452) on Monday October 02 2023, @05:42PM (#1326774)

      True, but that is a different sort of problem. I'm focused only on "solving" the issue with firmware that can be flashed. The assumption must be that there is a known "good" firmware that can be obtained, and the problem to solve is just a method of confidently flashing it to the device(s).

      There is never a 100% guaranteed perfect system, but this just solves the basic issue of a malicious firmware preventing itself from being flashed over.