Devices on the border between the internet and an internal corporate network — especially those responsible for security and network traffic management — are often a priority target for attackers. They arouse no suspicion when sending large volumes of traffic outward, and at the same time have access to the organization’s resources and to a significant portion of internal traffic. Note also that network activity logs are often generated and stored on these devices, so if the router is compromised, attackers can just erase traces of their malicious activity.
This is why router compromise has become a hallmark of big-name APTs such as Slingshot, APT28, and Camaro Dragon. But these days far less sophisticated actors can utilize it too, especially if the target company uses outdated, unofficially supported, or small/home office router models.
Attacks on routers and firewalls typically exploit vulnerabilities, which are discovered, alas, with great regularity. Sometimes such vulnerabilities are so serious — yet also so handy for attackers — that some experts wonder whether the backdoors might have been placed in the respective device firmware deliberately. But even if all known vulnerabilities are fixed, various configuration errors, or just incurable features of older router models, can lead to infection. U.S. and Japanese cybersecurity agencies recently published a detailed advisory on an advanced attack of this kind, centered on the activities of the BlackTech (aka T-APT-03, Circuit Panda, and Palmerworm) APT group. The analysis covers the group’s TTPs within the infected network, but our focus will be on the most interesting aspect of the report — the malicious firmware.
BlackTech attack on the weak link in corporate defenses
The attack begins with an assault on the target company by infiltrating one of its regional branches. BlackTech actors employ traditional tactics for this, from phishing to exploiting vulnerabilities — with the router attack not yet underway. They take advantage of the fact that branch offices often use simpler hardware and have less rigid IT and infosec policies.
BlackTech then expands its presence in the branch’s network and obtains administrative credentials for the router or firewall. Armed with these, the intruders reflash the edge device with malicious firmware and use its trusted status to launch an attack on the headquarters.
Router compromise mechanics
First, legitimate but outdated firmware is loaded onto the device. Right after rebooting, the hackers modify the program loaded into the device RAM (by hot patching) to disable the security features of the ROM monitor (ROMmon) that would normally prevent modified components from loading. It’s to perform this trick that the old version of the firmware must first be run. With the ROMmon checks disabled, the modified firmware (and in some cases a modified device bootloader) is uploaded to the router. After another reboot, the router is fully under the attackers’ control.
The modified firmware listens to traffic in anticipation of the “magic” packet that will activate the backdoor. On receipt of this packet, the device gives the attackers full control over its functions, despite them not being on the Access Control List, and allows connection to an SSH session with a specific username but without requiring a password. This user’s actions aren’t logged.
How attackers exploit the router
Malicious router firmware not only provides the intruders with a secure foothold in the target network, but also helps solve a whole range of tactical problems by:
- Concealing configuration changes;
- Not logging attacker commands and actions;
- Blocking execution of some legitimate commands in the router console, hindering incident investigation.
The report focuses on malicious firmware for Cisco routers on the IOS platform, but mentions that BlackTech compromises other models of network equipment in a similar manner. We should add that previous incidents of edge-device compromise affected the Fortinet, SonicWall, TP-Link, and Zyxel brands.
Countering attacks on routers and firewalls
Clearly, an organization is at risk if it uses outdated models of edge network devices, outdated firmware, or unofficial firmware (this applies not only to Cisco equipment). However, even a new router with fresh firmware can become a useful tool for an attacker, so the various recommendations of the report authors are worth implementing in every network.
Place administrative systems on a separate virtual local area network (VLAN). Block all unauthorized traffic from network devices destined for non-administrative VLANs.
Limit access to administration services to the IP addresses of authorized administrators. Access lists can be applied to all virtual teletype (VTY) lines and specific administrative services. For Cisco routers, it’s recommended to restrict communication with external systems for VTYs using the “transport output none” command.
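As an added example (not from the advisory or from Cisco), a small Python audit that checks an exported IOS running-config for the VTY controls recommended above: an inbound access-class, SSH-only transport input, and “transport output none”. The sample config and the MGMT-ADMINS ACL name are constructed.

```python
"""Check exported Cisco IOS VTY configuration for the recommended controls."""
import re

# Constructed sample `show running-config` excerpt (not from a real device):
# the first VTY range is hardened, the second still accepts telnet and has
# neither an inbound access list nor an outbound transport restriction.
SAMPLE_CONFIG = """\
hostname branch-rtr01
!
ip access-list standard MGMT-ADMINS
 permit 10.10.50.0 0.0.0.255
!
line vty 0 4
 access-class MGMT-ADMINS in
 transport input ssh
 transport output none
line vty 5 15
 transport input telnet ssh
!
"""


def vty_blocks(config):
    """Map each 'vty A B' range to the indented statements configured under it."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line vty "):
            current = raw[len("line "):].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # any unindented line ends the current vty block
    return blocks


def audit_vty(config):
    """Return one finding per missing control, per VTY range."""
    findings = []
    for name, stmts in vty_blocks(config).items():
        if not any(re.fullmatch(r"access-class \S+ in", s) for s in stmts):
            findings.append(f"{name}: no inbound access-class, admin source IPs unrestricted")
        if "transport input ssh" not in stmts:
            findings.append(f"{name}: transport input is not SSH-only")
        if "transport output none" not in stmts:
            findings.append(f"{name}: outbound connections from the VTY not blocked")
    return findings


if __name__ == "__main__":
    for finding in audit_vty(SAMPLE_CONFIG):
        print("FINDING:", finding)
```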
Monitor both successful and unsuccessful attempts at accessing router administration.
Regularly review network device logs for events such as unexpected reboots, OS version changes, configuration changes, or firmware update attempts. Cross-check against the IT department’s software update plans to ensure each event has been authorized.
Monitor “strange” incoming and outgoing network connections from edge devices. Normally, network devices share routing and network topology information only with nearby devices, and administration, monitoring, authentication, and time synchronization are conducted only with a small number of administrative computers.
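To illustrate the monitoring in the last three points, here is an added Python snippet (not part of the advisory) that picks reboot, configuration-change and administrative-login events out of IOS-style syslog and flags those whose source address lies outside an assumed admin VLAN. The log lines and the 10.10.50.0/24 admin range are constructed; the flagged events are the ones to reconcile with the IT department’s change plan.

```python
"""Pick the router log events worth reviewing out of IOS-style syslog."""
import re
from ipaddress import ip_address, ip_network

ADMIN_NETS = [ip_network("10.10.50.0/24")]  # constructed admin VLAN

# Constructed sample lines in Cisco IOS syslog format (not from a real incident).
SAMPLE_LOG = """\
Oct 12 03:14:07 10.10.1.1 1234: %SYS-5-RESTART: System restarted --
Oct 12 03:14:09 10.10.1.1 1235: %SYS-5-RELOAD: Reload requested by admin on vty0 (10.10.50.12). Reload Reason: Reload Command.
Oct 12 03:20:01 10.10.1.1 1240: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.10.50.12)
Oct 12 03:21:44 10.10.1.1 1241: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 10.10.77.5] [localport: 22] [Reason: Login Authentication Failed]
Oct 12 03:22:10 10.10.1.1 1242: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.10.77.5] [localport: 22]
Oct 12 03:22:11 10.10.1.1 1243: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up
"""

# Cisco syslog message header: %FACILITY-SEVERITY-MNEMONIC: message text
MNEMONIC = re.compile(r"%(?P<fac>[A-Z_]+)-(?P<sev>\d)-(?P<mn>[A-Z_]+): (?P<msg>.*)")
# Client address as IOS prints it for logins and for VTY-originated actions
SOURCE = re.compile(r"\[Source: (?P<ip>[\d.]+)\]|on vty\d+ \((?P<vty_ip>[\d.]+)\)")

REVIEW = {  # mnemonics matching the events the checklist asks administrators to review
    "RESTART": "unexpected reboot",
    "RELOAD": "reload requested",
    "CONFIG_I": "configuration change",
    "LOGIN_FAILED": "failed administrative login",
    "LOGIN_SUCCESS": "administrative login",
}


def source_ip(msg):
    """Extract the client address from the message body, if it carries one."""
    m = SOURCE.search(msg)
    return (m.group("ip") or m.group("vty_ip")) if m else None


def review_log(lines):
    """Return (mnemonic, reason) for each event that needs reconciling with the change plan."""
    alerts = []
    for line in lines:
        m = MNEMONIC.search(line)
        if not m or m.group("mn") not in REVIEW:
            continue  # routine interface/protocol noise is skipped
        reason, ip = REVIEW[m.group("mn")], source_ip(m.group("msg"))
        if ip and not any(ip_address(ip) in net for net in ADMIN_NETS):
            reason += f" from non-admin source {ip}"
        alerts.append((m.group("mn"), reason))
    return alerts


if __name__ == "__main__":
    for mn, reason in review_log(SAMPLE_LOG.splitlines()):
        print(f"{mn:<14} {reason}")
```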
Change all passwords and keys at the slightest suspicion that even one password has been compromised.
Upgrade the hardware. Perhaps the most difficult and frustrating of the recommendations. Organizations using outdated models that don’t support secure boot technologies are advised to plan and budget for upgrading this hardware in the shortest time possible. When choosing new equipment, preference should be given to vendors that implement secure development methodologies and a secure-by-design approach.