Firmware Espionage: Delving into BlackTech's Covert Cyber Operations
- Kenneth Nguyen
- Oct 3, 2023
- 3 min read
Updated: Oct 6, 2023
Introduction
In an age where our world relies heavily on technology, the security of our digital infrastructure becomes a matter of utmost concern. Recently, a joint cybersecurity advisory from several prominent agencies, including the United States National Security Agency (NSA), the U.S. Federal Bureau of Investigation (FBI), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Japan National Police Agency (NPA), and the Japan National Center of Incident Readiness and Strategy for Cybersecurity (NISC), has exposed a significant cybersecurity threat: BlackTech, a group of cyber actors linked to the People’s Republic of China. BlackTech has demonstrated extraordinary abilities not only in modifying router firmware undetectably but also in exploiting routers’ domain-trust relationships for their malicious activities.
In this blog post, we will delve into the specifics of this advisory, dissecting the tactics, techniques, and procedures (TTPs) employed by BlackTech. We will also discuss recommended mitigations to safeguard your devices from the insidious backdoors that BlackTech leaves behind.
Unmasking BlackTech
BlackTech is a cyber threat group believed to have ties to the People's Republic of China. Since their emergence in 2010, BlackTech has consistently targeted a wide spectrum of organizations, ranging from government entities to industrial sectors, technology firms, media outlets, and telecommunication providers. Their targets even extend to entities that provide support to the military forces of both the United States and Japan.
Tactics and Techniques
BlackTech relies on a repertoire of TTPs that include custom malware, dual-use tools, and living-off-the-land tactics. Notably, they are adept at disabling logging on routers, a tactic that allows them to operate covertly. Some of the prominent custom malware families employed by BlackTech include BendyBear, BTSDoor, PLEAD, and WaterBear. These tools are continuously refined to evade detection, and the group employs stolen code-signing certificates to lend an air of legitimacy to their payloads.
The group leverages living-off-the-land techniques to blend in with normal network activity, eluding detection by endpoint detection and response (EDR) products. These techniques include NetCat shells, registry modifications on victim machines, and the use of secure shell (SSH) to maintain persistence on a host.
Pivoting from International Subsidiaries
BlackTech's ability to pivot from international subsidiaries to infiltrate an organization's central headquarters is a distinguishing feature of their operations. This maneuver is executed by exploiting trusted network relationships established between targeted victims and other entities. To do so, BlackTech focuses on branch routers, often compact appliances used at remote branch offices to connect with corporate headquarters. By compromising these routers, the group gains access to trusted relationships within the corporate network, which in turn enables them to proxy traffic and pivot further.
Maintaining Access through Stealthy Router Backdoors
The group's proficiency in targeting and exploiting various router brands and versions is evident in their tactics. By targeting routers, BlackTech conceals configuration changes, hides commands, and disables logging while they carry out their operations. In some instances, they go so far as to replace router firmware with malicious alternatives to establish persistent backdoor access.
The modified firmware they employ typically features a built-in SSH backdoor, providing them with persistent access to compromised routers without leaving traces in connection logs. Additionally, BlackTech manipulates Embedded Event Manager (EEM) policies to obfuscate changes made to compromised routers.
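Two of the checks this section points at are mechanical enough to script: comparing the firmware image on a device against a known-good snapshot, and listing Embedded Event Manager applets that nobody on the operations team deployed. The following is an added example (not code from the advisory or from this post) that does both. Everything in it is constructed: the firmware manifest, the image bytes, the approved-applet list and the Cisco IOS-style running-config excerpt stand in for what an operator would collect from a real router (a copied image file and the output of `show running-config`).

```python
"""Added example, not code from the advisory or this post: compare a router's
current firmware image and Embedded Event Manager (EEM) applets against a
known-good baseline, the kind of integrity check the advisory recommends.

Everything below is constructed for the example: the firmware manifest, the
image bytes and the Cisco IOS-style running-config excerpt stand in for what an
operator would collect from a real device.
"""
from __future__ import annotations

import hashlib
import re

# Constructed known-good manifest: image file name -> SHA-256 of the vendor image.
# In practice this is recorded when the device is first deployed or re-imaged.
KNOWN_GOOD_FIRMWARE = {
    "router-image.bin": hashlib.sha256(b"vendor-image-bytes (constructed)").hexdigest(),
}

# Constructed list of EEM applets the operations team actually deployed.
APPROVED_EEM_APPLETS = {"nightly-config-backup"}


def firmware_matches_baseline(image_name: str, image: bytes) -> bool:
    """True only if the image hashes to the recorded known-good digest.

    An image name absent from the manifest is treated as a mismatch: an
    unexpected file on the flash is itself worth investigating.
    """
    expected = KNOWN_GOOD_FIRMWARE.get(image_name)
    if expected is None:
        return False
    return hashlib.sha256(image).hexdigest() == expected


def eem_applets(running_config: str) -> dict[str, list[str]]:
    """Map each 'event manager applet NAME' block to its indented body lines."""
    applets: dict[str, list[str]] = {}
    current = None
    for line in running_config.splitlines():
        m = re.match(r"^event manager applet (\S+)", line)
        if m:
            current = m.group(1)
            applets[current] = []
        elif current is not None and line.startswith(" "):
            applets[current].append(line.strip())
        else:
            current = None  # any other top-level line ends the applet block
    return applets


def unapproved_eem_applets(running_config: str) -> list[str]:
    """Applets present on the device that are not in the approved baseline."""
    return sorted(set(eem_applets(running_config)) - APPROVED_EEM_APPLETS)


# Constructed running-config excerpt: one approved applet and one that nobody
# on the operations team recognises.
SAMPLE_RUNNING_CONFIG = """\
hostname branch-rtr-01
event manager applet nightly-config-backup
 event timer cron cron-entry "0 2 * * *"
 action 1.0 cli command "enable"
event manager applet helper
 event timer watchdog time 60
 action 1.0 cli command "enable"
line vty 0 4
 transport input ssh
"""

if __name__ == "__main__":
    print("firmware intact:", firmware_matches_baseline("router-image.bin", b"vendor-image-bytes (constructed)"))
    print("firmware tampered:", firmware_matches_baseline("router-image.bin", b"something else"))
    print("unapproved EEM applets:", unapproved_eem_applets(SAMPLE_RUNNING_CONFIG))
```

The baseline is the point: a hash of an image is only meaningful against a digest recorded before the device could have been touched, and an applet list is only auditable if someone wrote down which applets are supposed to exist. Running the check from a host the router cannot write to matters for the same reason the advisory warns about hidden configuration changes.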
Detection and Mitigation
Detecting and countering BlackTech's activity is difficult but essential. The advisory recommends the following mitigations:
- Disable Outbound Connections: Implement the "transport output none" configuration command on virtual teletype (VTY) lines to block outbound connections.
- Monitor Network Traffic: Vigilantly monitor both inbound and outbound connections from network devices to identify unusual patterns and unauthorized connections.
- Restrict Access: Limit access to administration services and permit only authorized IP addresses by applying access lists to the VTY lines or specific services.
- Upgrade Devices: Prioritize the replacement of outdated equipment with devices featuring secure boot capabilities, enhanced integrity checks, and authenticity verification for bootloaders and firmware.
- Password Changes: In the event of a compromised password, change all passwords and keys associated with network devices.
- Log Review: Routinely review logs generated by network devices for unauthorized reboots, changes in operating system versions, configuration alterations, or firmware updates.
- Verification of Network Device Integrity: Periodically conduct file and memory verification to detect unauthorized changes to the software running on network devices.
- Firmware Monitoring: Monitor firmware changes and maintain snapshots of boot records and firmware for comparison against known good images.
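The first, third and sixth items above can be turned into a routine audit. The following added example (not code from the advisory or from this post) checks each VTY line block for an access list and for "transport output none", then scans syslog for the reboot, restart and configuration-change events the log-review item names, flagging any whose source address lies outside the management network. The running-config excerpt and syslog lines are constructed in Cisco IOS style; the hostname, the ACL name MGMT-ONLY and the 10.0.0.0/24 management network are made up for the example.

```python
"""Added example, not code from the advisory or this post: audit a router's
VTY lines for the two hardening settings the advisory recommends (an access
list and `transport output none`) and review syslog for the events it says to
watch: reloads, restarts and configuration changes.

Constructed for the example: the running-config excerpt and syslog lines
imitate Cisco IOS formats; the ACL name MGMT-ONLY, the hostname and the
10.0.0.0/24 management network are made up.
"""
from __future__ import annotations

import ipaddress
import re

MANAGEMENT_NET = ipaddress.ip_network("10.0.0.0/24")  # constructed

# Cisco IOS syslog mnemonics that correspond to the advisory's log-review items.
# Firmware/image-change messages vary by platform, so extend this per device family.
WATCHED_MNEMONICS = {
    "SYS-5-RELOAD": "reload requested",
    "SYS-5-RESTART": "system restarted; confirm OS version against baseline",
    "SYS-5-CONFIG_I": "running configuration changed",
}
MNEMONIC_RE = re.compile(r"%(?P<mnemonic>[A-Z0-9_]+-\d-[A-Z0-9_]+): ")
SOURCE_IP_RE = re.compile(r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)")


def vty_blocks(running_config: str) -> dict[str, list[str]]:
    """Map each 'line vty X Y' block to its indented body lines."""
    blocks: dict[str, list[str]] = {}
    current = None
    for line in running_config.splitlines():
        m = re.match(r"^line vty \d+(?: \d+)?", line)
        if m:
            current = m.group(0)
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # any other top-level line ends the block
    return blocks


def vty_findings(running_config: str) -> dict[str, list[str]]:
    """Return {vty block: missing hardening} for every block that falls short."""
    findings: dict[str, list[str]] = {}
    for block, body in vty_blocks(running_config).items():
        missing = []
        if "transport output none" not in body:
            missing.append("transport output none")
        if not any(entry.startswith("access-class ") for entry in body):
            missing.append("access-class <acl> in")
        if missing:
            findings[block] = missing
    return findings


def review_syslog(syslog_text: str) -> list[tuple[str, str]]:
    """Return (mnemonic, reason) for each watched event. A source address
    outside the management network is appended to the reason, since the
    advisory stresses restricting where administration may come from."""
    hits: list[tuple[str, str]] = []
    for line in syslog_text.splitlines():
        m = MNEMONIC_RE.search(line)
        if not m or m.group("mnemonic") not in WATCHED_MNEMONICS:
            continue
        reason = WATCHED_MNEMONICS[m.group("mnemonic")]
        src = SOURCE_IP_RE.search(line)
        if src and ipaddress.ip_address(src.group("ip")) not in MANAGEMENT_NET:
            reason += f"; source {src.group('ip')} is outside the management network"
        hits.append((m.group("mnemonic"), reason))
    return hits


# Constructed excerpt: vty 0-4 is hardened, vty 5-15 was forgotten.
SAMPLE_RUNNING_CONFIG = """\
line vty 0 4
 access-class MGMT-ONLY in
 transport input ssh
 transport output none
line vty 5 15
 transport input ssh
"""

# Constructed syslog lines in Cisco IOS style.
SAMPLE_SYSLOG = """\
Oct  3 02:00:01 branch-rtr-01 %SYS-5-CONFIG_I: Configured from console by backup on vty0 (10.0.0.5)
Oct  3 03:14:22 branch-rtr-01 %SYS-5-RELOAD: Reload requested by admin on vty1 (203.0.113.9). Reload Reason: Reload Command.
Oct  3 03:16:40 branch-rtr-01 %SYS-5-RESTART: System restarted --
Oct  3 09:00:00 branch-rtr-01 %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
"""

if __name__ == "__main__":
    for block, missing in vty_findings(SAMPLE_RUNNING_CONFIG).items():
        print(f"{block}: missing {', '.join(missing)}")
    for mnemonic, reason in review_syslog(SAMPLE_SYSLOG):
        print(f"{mnemonic}: {reason}")
```

The second VTY range is the typical gap: hardening applied to "line vty 0 4" but never to "line vty 5 15", leaving administration reachable from anywhere on the higher lines. The syslog review is deliberately a baseline, not a signature set: the mnemonics listed are the ones that map directly to the advisory's wording, and a team should add the image-change and logging-state messages for its own platforms.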
Conclusion
The threat posed by BlackTech underscores the ever-evolving cybersecurity landscape. As these actors continue to innovate and refine their tactics, organizations and individuals must remain vigilant and adopt robust security measures. By following the recommended mitigation techniques and staying informed about emerging threats, we can bolster our defenses against malicious actors like BlackTech and protect our digital infrastructure effectively.