The BlackTech hacking group, believed to have ties to Chinese authorities, is carrying out widespread attacks on Cisco routers used in government agencies, media, the military industry and other key sectors in the United States. U.S. and Japanese security and law enforcement agencies are sounding the alarm because the hackers are planting backdoors in Cisco devices without system administrators noticing.
The National Security Agency (NSA), the Federal Bureau of Investigation (FBI), the US Cybersecurity and Infrastructure Security Agency (CISA), the US police and the Japanese National Incident Preparedness and Cybersecurity Strategy Center (NISC) prepared a report on the activities of this hacker group, emphasizing the seriousness and extent of the threat. The report includes a list of malware families, such as BendyBear, Bifrose, SpiderPig and WaterBear, that are used to attack Windows, Linux and even FreeBSD operating systems.
BlackTech, also known as Palmerworm, Temp.Overboard, Circuit Panda and Radio Panda, has been involved in criminal activity since 2010. This Chinese APT (Advanced Persistent Threat) group creates and uses specialized malware to penetrate networks through devices from Cisco and other major brands such as Fortinet, SonicWall and TP-Link.
BlackTech hackers prefer to attack corporate branch offices in smaller cities, where security controls may be weaker. After gaining access to the local branch network, they pivot into the network of the parent organization. The group's targets are the state sector, companies with state participation and companies from the industrial, information technology, telecommunications and electronics sectors.
The details of the methods BlackTech uses to gain initial access to its victims' devices remain unknown. These could range from stealing employee credentials to exploiting unknown, highly sophisticated zero-day vulnerabilities. After infiltration, the attackers use the Cisco IOS Command Line Interface (CLI) to replace the legitimate router firmware with a compromised version.
It all starts with changing the firmware in memory using the “hot patching” method. This step is crucial for installing a modified bootloader and firmware. Once installation is complete, the modified firmware can bypass the router’s security mechanisms, enable backdoors without leaving a trace in system logs, and ignore restrictions set by access control lists (ACLs).
The attackers use various methods to hide their presence on victims' networks, including disabling logging on compromised devices and using stolen code signing certificates to sign ROM files. They send specially crafted UDP and TCP packets to enable and disable SSH backdoors on Cisco routers at irregular times, hiding their activity from system administrators.
Cisco is compounding the problem by refusing to support its aging hardware or fix known vulnerabilities in its routers. The company regularly refuses to fix dangerous vulnerabilities such as CVE-2022-20923 and CVE-2023-20025 in its outdated routers whose support period has long since expired. In spring 2023, Cisco declined to release a patch for home and small business routers that were found to have a dangerous vulnerability. This creates additional risks for users and opens up opportunities for cybercriminals.
To identify and block malicious BlackTech activity, companies and organizations are urged to follow the recommended risk mitigation measures. IT professionals should block outbound connections from Virtual Teletype (VTY) lines with the "transport output none" configuration command, monitor all connections, restrict access, and keep detailed event records in the system logs.
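The two defensive points above that can be checked directly in a router's configuration are the "transport output none" setting on VTY lines and whether logging is still enabled (the article notes the attackers disable logging on compromised devices). The following script is an added example, not code from the article or from any of the agencies it cites: it parses a constructed Cisco IOS running-config and reports VTY line stanzas that still permit outbound sessions and logging settings that have been switched off or never pointed at a remote collector. The sample configuration, hostname and syslog address are invented for the example.

```python
"""
Added example: audit a Cisco IOS running-config text for the hardening points
discussed in the article. The configuration below is constructed for the
example; the checks operate on config text only and run offline.
"""
from typing import Dict, List

# Constructed sample config: the first VTY range is hardened, the second is not,
# and local buffered logging has been turned off on the device.
SAMPLE_CONFIG = """\
version 15.2
hostname branch-rtr-01
no logging console
no logging buffered
logging host 10.0.0.5
!
line vty 0 4
 transport input ssh
 transport output none
line vty 5 15
 transport input ssh
 transport output ssh telnet
!
end
"""


def parse_line_blocks(config: str) -> Dict[str, List[str]]:
    """Map each 'line ...' stanza header to its indented child commands."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            # Any non-indented line ends the current stanza ('!', 'end', globals).
            current = None
    return blocks


def audit_vty_transport(config: str) -> List[str]:
    """Flag VTY line stanzas that lack 'transport output none'."""
    findings = []
    for name, cmds in parse_line_blocks(config).items():
        if name.startswith("line vty") and "transport output none" not in cmds:
            findings.append(f"{name}: outbound connections allowed (missing 'transport output none')")
    return findings


def audit_logging(config: str) -> List[str]:
    """Flag disabled local logging and the absence of a remote syslog host."""
    findings = []
    lines = [l.strip() for l in config.splitlines()]
    if "no logging buffered" in lines:
        findings.append("local buffered logging disabled ('no logging buffered')")
    if not any(l.startswith("logging host ") for l in lines):
        findings.append("no remote syslog destination configured ('logging host')")
    return findings


def run_audit(config: str) -> List[str]:
    """Combine both checks into one findings list."""
    return audit_vty_transport(config) + audit_logging(config)


if __name__ == "__main__":
    for finding in run_audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it against a saved "show running-config" output instead of the sample to get the same findings for a real device; an empty list means both checks passed. The remote syslog check matters because an attacker who disables on-box logging cannot retroactively erase events that already left the device.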