On July 2, 2024, Cisco issued a critical security alert regarding a major vulnerability in its routers exploited by Chinese hackers. The vulnerability, CVE-2023-20109, affects Cisco NX-OS software, allowing attackers to execute arbitrary commands with elevated privileges due to insufficient input validation of user-supplied data.
Exploitation methods
The state-sponsored BlackTech group, also known by aliases such as Palmerworm, Circuit Panda and Radio Panda, has been identified as the main actor in these attacks. BlackTech has a history of targeting the government, industry, technology, media, electronics, telecommunications and defense sectors. In its current campaign, it uses custom malware to modify Cisco router firmware and activate SSH backdoors via specially crafted TCP or UDP packets. This method lets the group maintain persistent access while evading detection.
The group’s tactics involve replacing the device’s original firmware with malicious versions, signed using stolen code-signing certificates. This makes it difficult for security software to detect the modifications. Attackers often gain initial access using stolen administrative credentials, obtained through phishing campaigns. Once inside, they establish persistence by disabling logging and modifying firmware to include backdoors that can be activated as required.
Technical details
After gaining access, BlackTech modifies the router’s firmware to conceal its activity. This includes altering the router’s configuration and the history of executed commands, disabling logging and using compromised devices as part of its infrastructure to proxy traffic, blend in with corporate network traffic and pivot to other victims on the same network. In particular, the group targets branch routers, the small devices that remote offices use to connect to corporate headquarters, in order to extend its hold on the organization.
In addition, the attackers patch the memory of Cisco devices to bypass signature validation functions, enabling them to load modified firmware with built-in backdoors. They also modify Embedded Event Manager (EEM) policies used for task automation, removing certain strings from legitimate commands in order to block their execution and hinder forensic analysis.
Impact of exploitation
The impact of this exploit is profound. Attackers can disrupt network operations, exfiltrate sensitive data and establish persistent access for future attacks. This is a significant threat to affected organizations, particularly those working in sectors critical to national security and infrastructure.
Cisco points out that while attackers require initial authentication, they often use stolen credentials and phishing campaigns to circumvent this requirement. Exploiting this vulnerability allows attackers to take control of the device and move laterally in the network, increasing potential damage.
Mitigation strategies
Cisco strongly recommends several measures to mitigate this vulnerability:
- Apply patches: Ensure that all affected Cisco devices are updated with the latest patches provided by Cisco.
- Implement strong access controls: Use multi-factor authentication (MFA) and restrict access based on strict identity verification.
- Monitor network traffic: Constantly watch for anomalies and signs of compromise. This includes looking for unauthorized downloads of bootloader and firmware images, unusual device reboots and unexpected SSH traffic.
- Improve security practices: Develop robust incident response plans, and regularly review and update security protocols. Companies should also upgrade to devices with advanced secure boot features, and regularly review logs for unauthorized access attempts.
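As an added illustration of the monitoring advice above (not code from the article or from Cisco), the following Python script triages constructed Cisco IOS-style syslog lines for the signals listed: device reboots, management (SSH/login) sessions from addresses outside an assumed trusted set, and, going one step further, running-configuration changes. The trusted jump-host address 10.10.0.5, the unexpected source 203.0.113.77 and the sample lines are all assumptions; the message mnemonics are the standard IOS ones.

```python
import re
from typing import List, Optional, Set, Tuple

# Standard Cisco IOS syslog mnemonics for the signals listed above
RESTART_MNEMONICS = {"RESTART", "RELOAD"}                   # reboots / reload requests
MGMT_SESSION_MNEMONICS = {"SSH2_SESSION", "LOGIN_SUCCESS"}  # remote management sessions
CONFIG_MNEMONICS = {"CONFIG_I"}                             # running-config changes

MNEMONIC_RE = re.compile(r"%([A-Z_]+)-(\d)-([A-Z0-9_]+):")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# A finding is (kind, detail, raw line); kind is "reboot", "untrusted_mgmt_session" or "config_change"
Finding = Tuple[str, str, str]

def parse_mnemonic(line: str) -> Optional[str]:
    """Return the message mnemonic (e.g. 'SSH2_SESSION') of a syslog line, or None."""
    m = MNEMONIC_RE.search(line)
    return m.group(3) if m else None

def scan_router_logs(lines: List[str], trusted_mgmt_sources: Set[str]) -> List[Finding]:
    """Flag reboots, management sessions from untrusted addresses and config changes."""
    findings: List[Finding] = []
    for line in lines:
        mnemonic = parse_mnemonic(line)
        if mnemonic is None:
            continue
        ips = IPV4_RE.findall(line)
        untrusted = [ip for ip in ips if ip not in trusted_mgmt_sources]
        if mnemonic in RESTART_MNEMONICS:
            findings.append(("reboot", mnemonic, line))
        elif mnemonic in MGMT_SESSION_MNEMONICS and untrusted:
            findings.append(("untrusted_mgmt_session", untrusted[0], line))
        elif mnemonic in CONFIG_MNEMONICS:
            findings.append(("config_change", ips[0] if ips else "console", line))
    return findings

# Constructed sample lines in Cisco IOS syslog format (not from a real incident);
# 10.10.0.5 is the assumed trusted jump host, 203.0.113.77 an unexpected source.
SAMPLE_LOGS = [
    "Jul  2 03:14:07 branch-rtr 12: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.10.0.5] [localport: 22]",
    "Jul  2 03:14:09 branch-rtr 13: %SSH-5-SSH2_SESSION: SSH2 Session request from 203.0.113.77 (tty = 0) using crypto cipher 'aes256-ctr' Succeeded",
    "Jul  2 03:15:01 branch-rtr 14: %SYS-5-CONFIG_I: Configured from console by admin on vty1 (203.0.113.77)",
    "Jul  2 03:16:30 branch-rtr 15: %SYS-5-RELOAD: Reload requested by admin on vty1 (203.0.113.77). Reload reason: Reload command",
    "Jul  2 03:19:44 branch-rtr 1: %SYS-5-RESTART: System restarted --",
]

if __name__ == "__main__":
    for kind, detail, line in scan_router_logs(SAMPLE_LOGS, trusted_mgmt_sources={"10.10.0.5"}):
        print(f"[{kind}] {detail}: {line}")
```

On the sample data the trusted login is ignored, while the SSH session from 203.0.113.77, the configuration change it made and the two reboot events are reported for follow-up.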
The exploitation of Cisco routers by Chinese hackers highlights the evolving nature of cyber threats and the need for proactive cybersecurity measures. By staying informed and implementing recommended security practices, organizations can better protect their networks against such sophisticated attacks.