Joint Cybersecurity Advisory Warns of Chinese Threat Actors Modifying Router Firmware
A joint advisory from intelligence, cybersecurity, and law enforcement authorities in the US and Japan warns that cyber threat actors with ties to China's government have been stealthily modifying Cisco IOS router firmware and taking advantage of routers' domain-trust relationships to pivot from subsidiary organizations into their primary target organizations. Cisco notes that "the most prevalent initial access vector in these attacks involves stolen or weak administrative credentials."
Make sure that you're using strong credentials with your routers, and limit which networks/interfaces they can be used from. You may want to leverage capabilities in your existing PAM solution to enforce how users connect and how those passwords are managed, and to create a good record of all actions taken.
I am pretty hard on bombastic articles about “Cisco Critical Zero Days,” typically because they are usually around the SMB Routers. The following few articles will not be that. This is extraordinarily bad, and there needs to be an extremely high focus on these two articles. First, if you are a Cisco customer, look closely at your edge equipment. Make sure, make very sure, that your device has not been modified and that you know exactly what software was run. Protect your control planes. The attackers are getting in through weak passwords. Ensure your router's console logins are unavailable over the wider internet. This one is bad because it affects potentially even ISP customers. The way it is working is very well done. The attackers are downgrading the firmware, using a vulnerability in the firmware (it appears), and using a bug in that firmware to load and replace the bootloaders to not correctly check the boot anchors. They are then able to load their firmware that enables backdoors. The backdoors leverage EEM and can be opened and closed via TCP / UDP packets. Based on the amount of knowledge you need to be able to pull this off, this, on the surface, appears to be a very sophisticated threat actor.
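Since the backdoors described above are carried by EEM applets and a replaced image, two cheap checks a defender can script are an EEM applet inventory against a change-controlled allowlist and an image hash comparison against the vendor-published value. The following is an added example, not code from the advisory or from Cisco; the running-config text, the allowlist and the hash are constructed for illustration.

```python
import hashlib
import re

# Constructed sample of `show running-config` output (not captured from a real device).
SAMPLE_RUNNING_CONFIG = """\
hostname edge-rtr-01
!
event manager applet NIGHTLY_BACKUP
 event timer cron cron-entry "0 2 * * *"
 action 1.0 cli command "copy running-config tftp://backup.example/edge.cfg"
!
event manager applet svc_mon
 event syslog pattern "%LINK-3-UPDOWN"
 action 1.0 cli command "enable"
!
end
"""

# Assumed allowlist: EEM applets that went through change control.
APPROVED_EEM_APPLETS = {"NIGHTLY_BACKUP"}


def parse_eem_applets(running_config: str) -> dict:
    """Return {applet_name: [indented config lines]} for each 'event manager applet' block."""
    applets, current = {}, None
    for line in running_config.splitlines():
        match = re.match(r"^event manager applet (\S+)", line)
        if match:
            current = match.group(1)
            applets[current] = []
        elif current and line.startswith(" "):
            applets[current].append(line.strip())
        else:
            current = None  # '!' or a top-level command ends the applet block
    return applets


def unapproved_eem_applets(running_config: str, approved=APPROVED_EEM_APPLETS) -> list:
    """Names of EEM applets present on the device but absent from the allowlist."""
    return sorted(set(parse_eem_applets(running_config)) - set(approved))


def image_matches_known_good(image_bytes: bytes, known_good_sha256: str) -> bool:
    """Compare an image copied off the device against the vendor-published SHA-256."""
    return hashlib.sha256(image_bytes).hexdigest() == known_good_sha256.lower()


if __name__ == "__main__":
    for name in unapproved_eem_applets(SAMPLE_RUNNING_CONFIG):
        print(f"unapproved EEM applet: {name}")
        for cfg_line in parse_eem_applets(SAMPLE_RUNNING_CONFIG)[name]:
            print(f"    {cfg_line}")
```

Any applet the script reports should be reconciled against the change record, and the image should be re-hashed from a copy pulled off the box rather than trusted from a self-report by possibly modified firmware.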
If a thief has a key to your house, then it becomes quite easy to break in and cause mischief. That adage applies here when it comes to digital credentials. Further, the 2023 Verizon DBIR highlighted that credential leaks continue to be a major issue. The best mitigation is implementation of Multi-Factor Authentication (MFA). It is very effective in limiting the effectiveness of attacks that lead to credential theft.
Read more in
Security Week: Chinese Gov Hackers Caught Hiding in Cisco Router Firmware
Bleeping Computer: US and Japan warn of Chinese hackers backdooring Cisco routers