US and Japan warn of CCP hackers backdooring Cisco routers

[duluxe]

https://www.bleepingcomputer.com/ne...of-chinese-hackers-backdooring-cisco-routers/

US and Japanese law enforcement and cybersecurity agencies warn of the Chinese 'BlackTech' hackers breaching network devices to install custom backdoors for access to corporate networks.

The joint report comes from the FBI, NSA, CISA, and the Japanese NISC (cybersecurity) and NPA (police), who explain that the state-sponsored hacking group is breaching network devices at international subsidiaries to pivot to the networks of corporate headquarters.

BlackTech (aka Palmerworm, Circuit Panda, and Radio Panda) is a state-sponsored Chinese APT group (advanced persistent threat) known for conducting cyber espionage attacks on Japanese, Taiwanese, and Hong Kong-based entities since at least 2010.

The sectors BlackTech targets include government, industrial, technology, media, electronics, telecommunication, and the defense industry.

Custom malware on network devices​

The FBI notice warns that the BlackTech hackers use custom, regularly updated malware to backdoor network devices, which are used for persistence, initial access to networks, and to steal data by redirecting traffic to attacker-controlled servers.

The advisory warns that the custom malware is sometimes signed using stolen code-signing certificates, making it harder for security software to detect.

By leveraging stolen admin credentials, the attackers compromise a broad range of router brands, models, and versions, establish persistence, and move laterally on the network.

 

[duluxe]

Defense recommendations​

The advisory advises system administrators to monitor for unauthorized downloads of bootloader and firmware images and unusual device reboots that could be part of loading modified firmware on routers.

SSH traffic observed on the router should also be treated with high suspicion.

The following mitigation practices are recommended:

• Use the "transport output none" command to prevent unwanted external connections.
• Oversee inbound/outbound traffic on devices, especially unauthorized access, and segregate administrative systems with VLANs.
• Only permit specific IP addresses for network administrators and track login attempts.
• Transition to devices with advanced secure boot and prioritize updating outdated equipment.
• Act promptly to change all passwords and keys when a breach is suspected.
• Scrutinize logs for anomalies like unexpected reboots or configuration changes.
• Utilize the Network Device Integrity (NDI) Methodology to detect unauthorized alterations.
• Compare boot records and firmware to trusted versions routinely.

Cisco has also published a security advisory on the topic, highlighting that there's no indication that BlackTech leverages a vulnerability in its products or a stolen certificate to sign its malware.

Also, Cisco notes that the attack method that involves downgrading the firmware to bypass security measures only applies to older, legacy products.

The targeting of network devices has seen an uptick over the past year, with Chinese-aligned threat actors also targeting Fortinet, TP-Link, and SonicWall network devices with custom malware.

The US, UK, and Cisco warned in April of attacks on Cisco iOS devices by the Russian APT28 (Fancy Bear, STRONTIUM) state-sponsored hacking group, which deployed custom malware to steal data and pivot to internal devices.

As edge network devices do not commonly support EDR (Endpoint Detection and Response) security solutions, they are prime targets for threat actors to use for data theft and initial access to a network.

"There's a recurring theme of continued China-nexus cyber espionage focus on network appliances, IOT devices, etc. that don't support EDR solutions," Mandiant CTO Charles Carmakal told BleepingComputer in May.

Therefore, network admins must install all available security patches on edge devices as soon as they become available and not publicly expose management consoles.

 

[laksaboy]

Should have thought of this day before letting that trashy country join the WTO in 2001. You lusted for the 'big China market' and cheap China sweatshops to manufacture your crap.

And fuck you Jewish globalists/bankers, who are the biggest CCP cheerleaders. LKY's buddy Kissinger, BlackRock's Larry Fink etc.


https://jewishjournal.com/news/worldwide/179731/

https://www.timesofisrael.com/how-a...kbone-of-revolutionary-chinas-medical-system/

https://www.haaretz.com/2012-07-27/...with-mao/0000017f-f082-d8a1-a5ff-f08aa3230000

https://forward.com/schmooze/159051/a-jew-in-maos-china/

A Jew in Mao's China

Until I saw the documentary “The Revolutionary” at the Philadelphia Independent Film Festival, I mistakenly thought that China during the revolutionary period was one country that had not felt the Jewish embrace. In fact, 85 to 90% of the foreigners helping the Chinese at the time of the Communist takeover were Jewish. This included the daughter of the founder of the brokerage firm Goldman Sachs, who left the comfort of her Park Avenue home to assist the Chinese.

 

[Betsycrant]

Cybersecurity incident readiness is about preventing breaches and being prepared for the worst-case scenarios. For instance, having a solid cyber security incident readiness ir service in place can be a game-changer because, let's face it, no matter how many precautions we take, there's always a chance of something slipping through the cracks. I particularly resonate with the point about educating users. It's not just about fortifying our defenses but also empowering the people who interact with our platform. Cyber security is a shared responsibility, after all. So, kudos on highlighting that.