On September 27, 2023, The U.S. National Security Agency (NSA), the U.S. Federal Bureau of Investigation (FBI), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Japanese National Police Agency (NPA), and the Japanese National Center of Incident Readiness and Strategy for Cybersecurity (NISC) released a joint cybersecurity advisory (CSA) concerning the recent activity of a threat actor, known as BlackTech, that has been linked to the People’s Republic of China (PRC). The CSA states that Blacktech is using a technique—manipulating router firmware without detection—to target a wide variety of entities including in government, industrial, technology, media, and telecommunications sectors. This includes multiple entities that support the Japanese and United States militaries.
The CSA also explains that BlackTech has developed the capability of evading detection by using “living off the land” tactics, techniques, and procedures (“TTPs”) to disguise its operations and blend in with normal system activities—allowing it to avoid detection by traditional endpoint detection and response products. Once BlackTech gains a foothold into a targeted network, it modifies router firmware to hide its activity, and then it subsequently targets routers in smaller branch offices in order to connect to the headquarters network. BlackTech can then covertly change network configuration and disable logging while its actors conduct operations to deny legitimate network services— or potentially even extract data through a pre-established backdoor.
The CSA recommends several mitigation techniques. These include:
· Disabling outbound connections by applying the “transport output none” configuration command to the virtual teletype (VTY) lines.
· Monitoring both inbound and outbound connections from network devices to both external and internal systems.
· If feasible, blocking unauthorized outbound connections from network devices by applying access lists or rule sets to other nearby network devices.
· Limiting access to administration services and only permit IP addresses used by network administrators by applying access lists to the VTY lines or specific services.
· Monitoring logs for successful and unsuccessful login attempts with the “login on-failure log” and “login on-success log” configuration commands, or by reviewing centralized Authentication, Authorization, and Accounting (AAA) events.
· Upgrading devices to ones that have secure boot capabilities with better integrity and authenticity checks for bootloaders and firmware. Replacing all end-of-life and unsupported equipment as soon as possible should be highly prioritized.
· Changing all passwords and keys when there is a concern that a single password has been compromised.
· Reviewing logs generated by network devices and monitoring for unauthorized reboots, operating system version changes, changes to the configuration, or attempts to update the firmware, and then comparing against expected configuration changes and patching plans to verify that the changes are authorized.
· Periodically performing both file and memory verification described in the Network Device Integrity (NDI) Methodology documents to detect unauthorized changes to the software stored and running on network devices.
· Monitoring for changes to firmware and periodically taking snapshots of boot records and firmware and comparing against known good images.