The US government warns about the China-affiliated Blacktech hacker gang that replaces firmware in edge devices with its own backdoor version. Cisco routers are particularly vulnerable.
The US NSA and FBI, the cybersecurity agency CISA and the Japanese police warn about the activities of the Blacktech hacker gang. This gang, which is said to be affiliated with the Chinese government, mainly carries out attacks on targets in the United States and Japan.
In their attacks, the hackers target edge devices, such as routers. They seek admin access and replace the existing firmware on the routers with their own version. This modified firmware hides the attack from detection and gives the attackers persistent access.
Blacktech attack techniques
More specifically, once they have access to a device, the Blacktech hackers first install an older, legitimate firmware version and then modify it in memory.
This lets them install a custom, unvalidated bootloader, which in turn loads the custom, unvalidated rogue firmware. The custom bootloader is intended to evade detection.
The hackers also use so-called Embedded Event Manager (EEM) policies to avoid detection; these manipulate the output of CLI commands so that an operator does not see the changes.
Cisco routers often targeted
Most of the routers hacked by the Chinese attackers appear to be Cisco routers. According to the security services, routers and edge devices from other manufacturers can also be targeted.
Cisco has indicated in a statement that its routers are indeed targeted by the Blacktech gang. The reason for this preference is that its routers are susceptible to weak and stolen passwords.
Cisco does not yet have any indication that the vulnerabilities have been exploited to steal data. Only admin-level changes are reported to have been made to the affected devices.
In addition, the attacks only targeted legacy Cisco routers, as modern devices have secure boot functionality that makes loading and running custom software images impossible. Nor were any Cisco certificates reportedly misused.
Blacktech's malware can be combated by applying various best practices, the security organizations and Cisco indicate.
These include regularly monitoring for firmware changes, performing file and memory verification, checking logs for unauthorized restarts or version changes, inspecting incoming and outgoing connections to the routers, and disabling outgoing connections.
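Two of these checks, reviewing logs for reloads and image version changes and reviewing the configuration for EEM applets that hook CLI commands (the hiding technique described above), can be scripted. The following is an added example, not code from the advisory or from Cisco; the syslog lines, the running-config excerpt, the approved-version list and the `rtr1` hostname are all constructed sample data.

```python
import re

# Constructed Cisco IOS-style syslog lines (sample data, not from a real device).
SAMPLE_LOGS = """\
Sep 20 01:15:44 rtr1 124: %SYS-5-RELOAD: Reload requested by admin on vty0 (203.0.113.5). Reload Reason: Reload Command.
Sep 20 01:18:10 rtr1 125: %SYS-5-RESTART: System restarted -- Cisco IOS Software, C2900 Software, Version 15.1(4)M4
Sep 22 23:40:07 rtr1 201: %SYS-5-RELOAD: Reload requested by admin on vty1 (198.51.100.9). Reload Reason: Reload Command.
Sep 22 23:42:31 rtr1 202: %SYS-5-RESTART: System restarted -- Cisco IOS Software, C2900 Software, Version 15.0(1)M2
"""

# Constructed running-config excerpt containing an EEM applet triggered by a 'show' command.
SAMPLE_CONFIG = """\
event manager applet maint
 event cli pattern "show version" sync yes
 action 1.0 puts "maintenance"
"""

RELOAD_RE = re.compile(r"%SYS-5-RELOAD: Reload requested by (\S+) on (\S+) \(([^)]+)\)")
RESTART_RE = re.compile(r"%SYS-5-RESTART:.*Version ([^\s,]+)")
APPLET_RE = re.compile(r"^event manager applet (\S+)")
CLI_HOOK_RE = re.compile(r'^\s*event cli pattern "([^"]+)"')


def audit_reloads(log_text, approved_versions):
    """Report every reload (who, from where) and every boot whose image version
    differs from the previous boot or is not on the approved list."""
    findings, last_version = [], None
    for line in log_text.splitlines():
        if m := RELOAD_RE.search(line):
            user, vty, src = m.groups()
            findings.append(f"reload by {user} on {vty} from {src}")
        elif m := RESTART_RE.search(line):
            version = m.group(1)
            if last_version and version != last_version:
                findings.append(f"version changed {last_version} -> {version}")
            if version not in approved_versions:
                findings.append(f"boot into unapproved version {version}")
            last_version = version
    return findings


def find_cli_hooks(config_text):
    """List (applet, pattern) for each EEM applet that fires on a CLI command;
    every such applet deserves review because it can alter what the operator sees."""
    hooks, applet = [], None
    for line in config_text.splitlines():
        if m := APPLET_RE.match(line):
            applet = m.group(1)
        elif (m := CLI_HOOK_RE.match(line)) and applet:
            hooks.append((applet, m.group(1)))
    return hooks
```

Feed `audit_reloads` the router's exported syslog and `find_cli_hooks` the output of `show running-config`; a reload from an unexpected source, a boot into an unapproved image, or any applet hooking a `show` command warrants a closer look at the device.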