Site icon GIXtools

Reports about Cyber Actors Hiding in Router Firmware

On September 27, 2023, a joint cybersecurity advisory (CSA) was released detailing activities of the cyber actors known as BlackTech. The CSA describes how BlackTech is able to modify router firmware without detection.

For a description of this report, see People’s Republic of China-Linked Cyber Actors Hide in Router Firmware.

Cisco has reviewed the report. Cisco would like to highlight the following key facts:

The most prevalent initial access vector in these attacks involves stolen or weak administrative credentials. As outlined in the report, certain configuration changes, such as disabling logging and downloading firmware, require administrative credentials.
There is no indication that any Cisco vulnerabilities were exploited. Attackers used compromised credentials to perform administrative-level configuration and software changes.
Installing compromised software by first downgrading to older firmware is not allowed in modern Cisco routers, which support secure boot. The technique that is described in the report is possible only with legacy devices. For more details, see the Cisco blog post Attackers Continue to Target Legacy Devices.
The stolen code-signing certificates mentioned in the report are not from Cisco. Cisco does not have any knowledge of code-signing certificates being stolen to perform any attack against Cisco infrastructure devices. 

These key points here align with Cisco’s consistent stance and messaging that advises customers to follow best practices as described in the aforementioned blog post.

Modern network infrastructure devices now contain numerous security features and capabilities that mitigate the aforementioned attacks. The Cisco Secure Development Lifecycle (SDL) applies industry-leading practices and technology to build trustworthy solutions that have fewer field-discovered product security incidents. As part of our ongoing commitment to network reliability, Cisco has recently launched an effort focused on network resiliency. For more information on this effort, see the Cisco Network Resilience portal.

This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-csa-cyber-report-sept-2023

Security Impact Rating: Informational

Source:: Cisco Security Advisories

Exit mobile version