Effective URL: https://cyware.com/news/blacktech-apt-breaks-in-cisco-routers-targets-us-and-japanese-companies-8e3cd028/?web_view=...
BLACKTECH APT BREAKS IN CISCO ROUTERS, TARGETS U.S. AND JAPANESE COMPANIES

 * Threat Actors
 * September 29, 2023
 * Cyware Alerts - Hacker News

A Chinese state-sponsored APT called BlackTech has been found breaking into
network routers to remain undetected and stealthily move across a variety of
organizations. In a joint advisory issued by the NSA, the FBI, CISA, and
Japan’s NISC, the agencies disclosed that the group has been launching such
attacks since 2010 and, lately, has been modifying Cisco router firmware to
conceal its activity while targeting companies based in the U.S. and Japan.




INFECTION METHOD

 * BlackTech actors often focus on branch routers (typically smaller appliances
   used at remote branch offices) and take advantage of the trusted connections
   between a victim and other entities to expand their access to the targeted
   networks. 
 * In particular, once they gain initial access and administrator privileges on
   network edge devices, they often modify the firmware to conceal their
   activities and maintain persistence on the network. 
 * According to the advisory, the attackers compromised several Cisco routers
   using variations of a customized firmware backdoor that could be enabled and
   disabled through specially crafted TCP or UDP packets.
 * In some cases, the group has been caught replacing the firmware for certain
   Cisco IOS-based routers with malicious versions to establish persistent
   backdoor access and obfuscate malicious activity. 





ABOUT BLACKTECH 

 * The group uses custom malware, dual-use tools, and living-off-the-land
   tactics, such as disabling logging on routers, to conceal their operations.
 * Over the years, the group has continuously updated its evasion tools and now
   uses stolen code-signing certificates to make its malicious software look
   legitimate. 
 * The advisory states that BlackTech has become skilled at seamlessly
   integrating its actions with regular network operations, enabling it to avoid
   detection by endpoint detection solutions and other security measures.





GLOBAL REACH OF CHINESE THREAT ACTORS

 * The advisory comes after recent updates from cybersecurity firms about the
   activities of China-based hackers.
 * Insikt Group tracked a multi-year Chinese state-sponsored cyberespionage
   campaign by the TAG-74 group targeting South Korean academic, political, and
   government organizations.
 * Volexity identified a five-year-long campaign by the EvilBamboo group
   targeting Tibetan, Uyghur, and Taiwanese individuals and organizations. These
   targets represented three of the so-called “Five Poisons” of the Chinese
   Communist Party.
 * Separately, Proofpoint highlighted a worrying increase in activity from
   specific malware families targeting Chinese-language speakers. A new
   ValleyRAT malware was found being distributed alongside Sainbox RAT and
   Purple Fox malware onto the victim’s systems.





CONCLUSION

Upon reviewing the findings of the latest BlackTech APT campaign, Cisco
confirmed that there is no indication that any vulnerabilities in its networking
devices were exploited. While legacy devices are vulnerable to these attacks,
modern Cisco devices with secure boot capabilities are safe, as they do not
allow the loading and execution of modified software images.

 * BlackTech APT group
 * EvilBamboo
 * Chinese APT
 * Cisco Router



Publisher: Cyware