Backdoored Firmware Lets China State Hackers Control Routers With 'Magic Packets' (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: Hackers backed by the Chinese government are planting malware into routers that provides long-lasting and undetectable backdoor access to the networks of multinational companies in the US and Japan, governments in both countries said Wednesday. The hacking group, tracked under names including BlackTech, Palmerworm, Temp.Overboard, Circuit Panda, and Radio Panda, has been operating since at least 2010, a joint advisory published by government entities in the US and Japan reported. The group has a history of targeting public organizations and private companies in the US and East Asia. The threat actor is somehow gaining administrator credentials to network devices used by subsidiaries and using that control to install malicious firmware that can be triggered with "magic packets" to perform specific tasks.
The hackers then use control of those devices to infiltrate networks of companies that have trusted relationships with the breached subsidiaries. "Specifically, upon gaining an initial foothold into a target network and gaining administrator access to network edge devices, BlackTech cyber actors often modify the firmware to hide their activity across the edge devices to further maintain persistence in the network," officials wrote in Wednesday's advisory. "To extend their foothold across an organization, BlackTech actors target branch routers -- typically smaller appliances used at remote branch offices to connect to a corporate headquarters -- and then abuse the trusted relationship of the branch routers within the corporate network being targeted. BlackTech actors then use the compromised public-facing branch routers as part of their infrastructure for proxying traffic, blending in with corporate network traffic, and pivoting to other victims on the same corporate network."
Most of Wednesday's advisory referred to routers sold by Cisco. In an advisory of its own, Cisco said the threat actors are compromising the devices after acquiring administrative credentials and that there's no indication they are exploiting vulnerabilities. Cisco also said that the hacker's ability to install malicious firmware exists only for older company products. Newer ones are equipped with secure boot capabilities that prevent them from running unauthorized firmware, the company said. "It would be trivial for the BlackTech actors to modify values in their backdoors that would render specific signatures of this router backdoor obsolete," the advisory stated. "For more robust detection, network defenders should monitor network devices for unauthorized downloads of bootloaders and firmware images and reboots. Network defenders should also monitor for unusual traffic destined to the router, including SSH."
To detect and mitigate this threat, the advisory recommends administrators disable outbound connections on virtual teletype (VTY) lines, monitor inbound and outbound connections, block unauthorized outbound connections, restrict administration service access, upgrade to secure boot-capable devices, change compromised passwords, review network device logs, and monitor firmware changes for unauthorized alterations.
Ars Technica notes: "The advisory didn't provide any indicators of compromise that admins can use to determine if they have been targeted or infected."
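Cisco's advisory (quoted above) says byte signatures for the backdoor are brittle and that defenders should instead watch for unauthorized firmware and bootloader downloads, reboots, and unusual SSH traffic to the router. The script below is an added illustration of that behavioural approach, not code from the advisory, Cisco, or Ars Technica: it triages constructed syslog lines written in the style of Cisco IOS (the message formats, the management subnet 10.10.0.0/16 and the 09:00-18:00 maintenance window are all assumptions) and flags logins and configuration changes from outside the management subnet plus reloads that happen outside the window or from an untrusted source.

```python
import ipaddress
import re

# Constructed sample written in the style of Cisco IOS syslog. The message
# formats are assumed for illustration; they are not taken from the advisory.
SAMPLE_LOG = """\
Sep 27 10:01:12 branch-rtr-1: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.10.0.5] [localport: 22]
Sep 27 10:02:40 branch-rtr-1: %SYS-5-CONFIG_I: Configured from console by netops on vty0 (10.10.0.5)
Sep 27 23:14:03 branch-rtr-1: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 203.0.113.77] [localport: 22]
Sep 27 23:15:10 branch-rtr-1: %SYS-5-CONFIG_I: Configured from console by admin on vty1 (203.0.113.77)
Sep 27 23:16:22 branch-rtr-1: %SYS-5-RELOAD: Reload requested by admin on vty1 (203.0.113.77). Reload Reason: Reload Command.
Sep 27 23:19:40 branch-rtr-1: %SYS-5-RESTART: System restarted --
"""

LINE_RE = re.compile(
    r"^\w{3} +\d+ (?P<hh>\d\d):\d\d:\d\d (?P<host>\S+): "
    r"%(?P<msg>[A-Z_]+-\d-[A-Z_]+): (?P<body>.*)$"
)
# Source address as logged by login events ("Source: x") and vty events ("(x)").
SRC_RE = re.compile(r"(?:Source: |\()(?P<ip>\d+\.\d+\.\d+\.\d+)")


def triage(log_text, admin_nets=("10.10.0.0/16",), window=range(9, 18)):
    """Flag the events the advisory says to watch: logins and configuration
    changes from outside the management subnet, and reloads (which a firmware
    swap needs) outside the maintenance window or from an untrusted source.
    Returns (host, hour, rule, detail) tuples. admin_nets and window are
    assumed site policy, not values from the advisory."""
    nets = [ipaddress.ip_network(n) for n in admin_nets]
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host, hour, msg, body = m["host"], int(m["hh"]), m["msg"], m["body"]
        src = SRC_RE.search(body)
        ip = src["ip"] if src else None
        untrusted = ip is not None and not any(
            ipaddress.ip_address(ip) in net for net in nets)
        if msg == "SEC_LOGIN-5-LOGIN_SUCCESS" and untrusted:
            alerts.append((host, hour, "login_untrusted_source", ip))
        elif msg == "SYS-5-CONFIG_I" and untrusted:
            alerts.append((host, hour, "config_change_untrusted_source", ip))
        elif msg in ("SYS-5-RELOAD", "SYS-5-RESTART") and (
                untrusted or hour not in window):
            alerts.append((host, hour, "unexpected_reload", body))
    return alerts
```

Run against the sample, `triage(SAMPLE_LOG)` returns four alerts for the 23:xx activity from 203.0.113.77 and nothing for the daytime session from the management subnet; on a real deployment the rules would be fed from the router's syslog export and the thresholds from the site's own change policy.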
All our base are belong to them. (Score:4, Insightful)
It is easy for government-backed actors to install backdoors in any foreign-made hardware, and cover it all up with government-issued gag orders. The only reasonable assumption is that anything foreign made is phoning home.
Of course, made-in-America tech would be no better. It would just be the American government doing the spying. They have the means, motive, and opportunity, so it would be irrational for them not to.
Private businesses do the same thing too. Our CPUs have backdoors baked right into the hardware, for legitimate purposes of course. Some info [sysjolt.com]. And the reason is the same. They have the means, motive, and opportunity, so that's that.
Of course, most people don't care. Most people freely upload all kinds of sensitive information to their favorite social networks. Why would they care about China or AMD spying on their cat photos?
Since the majority don't care, there is no pushback. Since there is no pushback, those of us who DO care are left powerless.
No matter who wins, we lose.
Re: (Score:2)
Note that state actors are not too interested in cat photos but they are interested in what corporations are doing and gathering IP and other information from them.
For example TSMC might be attracted to the US due to some tax break etc so China could offer them better (or vice versa.)
With more and more data encrypted they just need to look for the weakest point to attack, I am no security expert but I think that the router may give up certain information but not give
Re:All our base are belong to them. (Score:4, Insightful)
I don't expect even encryption to help fully.
There are so many holes that are known today in various kinds of equipment that a focused operation could get through given enough time and resources.
Many companies also use a proxy gateway where they re-package the encrypted https traffic so that they can scan for illegal stuff. The same can be done by malicious operators as well.
Re:All our base are belong to them. (Score:4, Informative)
This is why End To End (E2E) encryption is important. While it's not unbreakable with a suitably massive supercomputer, it requires enough resources that bulk decryption of traffic is impossible. Any surveillance needs to be targeted.
Scanning for illegal material has to be done in the app if E2E encryption is used, otherwise it's not E2E. Things like Skype do use an intermediary, they are not E2E. Look for apps that use the Signal protocol.
Re: (Score:2)
Unfortunately that's the problem today - how to detect that it's a real E2E encryption when the proxy emulates the certificate of the server you connect to. You'll only be able to see that if you inspect the complete certificate chain.
Re: (Score:2)
What does the server have to do with it? The point of E2E is that you don't have to trust anything but the other client.
Re: (Score:3)
It generally is run as an edge device.
It runs Linux and does depend on sk_buff which may be the worst code in history in terms of security. The endless opportunities available to perform kernel level buffer overflow attacks are scary. The kernel itself is pretty hardened by now, but if you check out driver source, it gets pretty bad. The Cisco UCS VIC drivers may be the most criminally awful code accepted into the kernel. If you can't identify
Re: (Score:2, Insightful)
The U.S. government cannot force companies to do this, and even software companies who did some minimal version of this were found out and now no one wants to buy them, so the practice has all but disappeared. The best the U.S. government can do these days is get warrants, which requires due process.
Sorry, but there is no equivalence here.
Cue the conspiratorial nonsense.
Re: All our base are belong to them. (Score:2, Informative)
They can, and do. Cisco and the NSA work closely together.
Re:All our base are belong to them. (Score:4, Funny)
The U.S. government cannot force companies to do this, and even software companies who did some minimal version of this were found out and now no one wants to buy them, so the practice has all but disappeared. The best the U.S. government can do these days is get warrants, which requires due process.
Sorry, but there is no equivalence here.
Cue the conspiratorial nonsense.
China must be so far ahead of the USA on this sort of thing. The USA, being the good guys, don't even have an offensive cyber capability.
And if you believe that, can I interest you in some cryptocurrency?
Re: (Score:2)
This is a backdoor in Cisco gear. The NSA is known to have malware targeting Cisco systems, thanks to Snowden.
It seems likely that the NSA knew about this and didn't tell Cisco, but instead quietly exploited it. Then the Chinese security services found it too.
In China they don't need exploits, they just ask for the data and the holder is obliged to hand it over. Exploits are only needed for foreign data, and conveniently other countries ripped out Huawei gear so they only need to target Cisco and other West
Re: (Score:2)
No, this isn't a hidden "back door" that NSA knows about. Access is gained via traditional methods to the network environment and the router. Think phishing, social engineering, etc. The normal stuff.
Custom firmware code is a rare skill, but using stolen digital code signing certificates is the magic sauce. That's not really a back door, that's the front door with a stolen master key. The system is working as it is designed to, and doing it securely.
Re: (Score:3)
Re: (Score:2)
California has outright outlawed it. Not sure when it goes into effect, but routers/waps can no longer ship with the same default usernames/passwords.
Re: (Score:2)
Re: (Score:2)
Cisco is a defense contractor [defense.gov], the idea that they're not working hand in hand with the NSA to perform unconstitutional spying is an absurd fantasy. Even if they didn't want to, they could be forced to in the interest of national security, but the fact is that Cisco has always been sleazy AF.
Re: (Score:1)
Oh, honey...
Re: All our base are belong to them. (Score:1)
Alternative strategies: Buy old &/or Open (Score:2)
Re:Alternative strategies: Buy old &/or Open (Score:5, Insightful)
Huawei has been caught several times installing tiny, hidden chips in their routers after export controls have inspected them. That's why no one not in bed with Xi buys infrastructure from Chinese companies anymore. Their entire economy is an arm of the CCP and there is no comparison to anything any democratic government is doing.
Re: (Score:3)
Unfortunately a lot of well-known equipment is made in China or countries controlled by China.
Re: (Score:2)
Enjoying those checks?
Re: (Score:1)
Their entire economy is an arm of the CCP and there is no comparison to anything any democratic government is doing.
Is that why they're winning?
Re: (Score:2)
They're not.
Re: (Score:3)
No they haven't. There was some stuff printed in a few newspapers, but none of it was ever verified. In fact it looked extremely questionable, the chips in question not having enough connectivity to other devices to do anything useful. If it was such a chip, it would have been easy to x-ray it, or decap it to see the die inside.
Don't misunderstand me, Huawei is legally required to assist the Chinese government if it asks, but the whole "spy chip" thing was BS. A far more likely attack vector would be to do wha
Re: (Score:2)
Enjoy those checks.
Huawei Sales? (Score:1)
Re: (Score:3)
This isn't about Huawei and new devices, but about devices compromised after sale. And the summary gives Cisco as an example. So more likely Cisco devices with security holes are exploited by this group.
From whence the attack? (Score:2)
Re: (Score:2)
But if an actor gets access to your networked computer it wouldn't matter, to the router the one changing the firmware is local. Until the device reboots and kicks them off your network, but when it comes back he can just access the router directly, since that would be part of the change.
Re: (Score:2)
Who leaves any kind of admin access open to the internet?
An administrator who's relying on a firewall, possibly "cloud based", which has been compromised.
Used Cisco gear shouldn't be used at home (Score:5, Insightful)
Re: (Score:3)
It's a shame that Cisco gear can't be easily repurposed to run open source operating systems, although even then you would have issues with Cisco firmware being insecure.
Fortunately for home/small office stuff there are good alternatives now. You can get x86 router boards on AliExpress that run Coreboot, and use an open source OS like OpenWRT or pfSense.
Just following the NSA's example (Score:3)
Do you trust your Cisco router as much as your Huawei router?
Snowden confirmed it :
https://www.infoworld.com/arti... [infoworld.com]
but it seems that Cisco themselves were also moonlighting as backdoor installers :
https://www.tomshardware.com/n... [tomshardware.com]
Re: Just following the NSA's example (Score:2)
... And isn't it trivial to fake this news anyway?
Re: (Score:1)
Cisco routers? (Score:2)
Re: (Score:2)
Re: (Score:2)
An easy fix (Score:2)
If router manufacturers could just make a hardware button (or switch) on the device that needed to be pressed (or set) when writing to the device. That way you needed someone on location to actually create these sort of backdoors.
Sure, it would be an inconvenience for those sysadmins working from home, but do you want your sysadmins to be a threat actor from abroad?
Do these things have proper security? (Score:2)
I saw a YouTube video of a Microsoft presentation where they were talking about all the security they have on the Xbox One to prevent piracy and cheating. The Microsoft guy was talking about things like hardware level crypto, proper hardware level secure boot, full verification that every single byte of code running on the machine comes from a source that has been digitally signed by Microsoft
Do vendors like Cisco produce devices that have that kind of strong security against unauthorized code execution eve
Re: (Score:3)
From the CISA advisory linked in the Ars article:
The actors also use stolen code-signing certificates to sign the malicious payloads, which make them appear legitimate and therefore more difficult for security software to detect.
That's the magic sauce right there. What you're describing from Microsoft all relies on the code signing certificate being 100% secure. That's what determines "authorized" versus "unauthorized" code. The rest all comes into play AFTER that, physical access or not. Lose that signing cert, and ANYTHING can magically become "authorized" and that wonderful security chain is now working FOR the bad actors, not against them.
That's why the Solarwinds hack was so dev
So like the NSA does? (Score:3)
Let's be real here: All the NSA has is better control over the press and over what gets reported.
cisco? (Score:2)
"Thank you" (Score:2)
"For your support of the Uyghur ethnicity against the communist tyrants."
Just like US (Score:2)
Just preload it? (Score:2)
Ok, without too much aluminum deflector beanie, how difficult would it be for a gigantic network equipment manufacturer with dubious CCP regime ties to just deliver a similar feature preloaded on hardware shipped to government agencies and US infrastructure?
And how hard to hide or detect it?