Camaro Dragon APT Group Exploits TP-Link Routers With Custom Implant

A Chinese government-backed APT group known as Camaro Dragon has been observed exploiting TP-Link routers via malicious firmware implants.

The findings, by security experts at Check Point Research (CPR), are contained in an advisory published by the company today.

“This implant contains a custom backdoor named ‘Horse Shell’ that allows attackers to maintain persistent access, build anonymous infrastructure, and move laterally into compromised networks. It contains several malicious components, including,” wrote Itay Cohen, Radoslaw Madej, and the CPR Threat Intelligence Team.

Additionally, the implant’s components are designed to be compatible with different firmwares from different vendors.

“Embedded components were found in modified TP-Link firmware images. However, they were created in a firmware-independent manner and are not specific to any particular product or vendor. As a result, different firmware from different vendors may contain them,” CPR wrote.

“Although we have no concrete evidence of this, past incidents have demonstrated similar implants and backdoors have been deployed in various routers and devices from various vendors.”

CPR clarified, however, that it is still unclear how the firmware images are installed on infected routers and how they are used in actual intrusions.

“These devices may have been accessed by scanning for known vulnerabilities or by targeting devices that use default passwords or weak and easily guessed passwords for authentication,” the technical document states.

“It appears that the attacker’s goal is to create a chain of nodes between the main infection and the actual command and control.”

The findings are another example of a recurring pattern among Chinese hackers of exploiting publicly accessible network devices on the Internet to manipulate the software and firmware inside, the researchers said.

For more information on similar attacks, see Cisco Critical Vulnerability Warning in End-of-Life Routers.

To defend against similar attacks, CPR recommends system defenders implement network protections, keep systems up to date, and change default credentials.
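The three recommendations above translate directly into an inventory audit a network team can run on its own device records. The script below is an added illustration, not code from Check Point or TP-Link: it checks each router for firmware older than a baseline, for an admin password matching a known default (compared by SHA-256 hash so the audit never keeps plaintext beside device data), and for management reachable from the WAN. The models, version numbers, default-credential list and sample inventory are all constructed placeholders; note that version strings are compared numerically, so "2.10.0" correctly ranks above "2.1.5".

```python
"""Audit a router inventory for outdated firmware, default credentials and
Internet-exposed management.

Added example; every model name, version, credential and inventory entry
below is constructed for illustration and is not data from the advisory.
"""
import hashlib
from dataclasses import dataclass


@dataclass
class Router:
    name: str
    model: str
    firmware: str            # version string such as "1.2.3"
    admin_user: str
    admin_pw_sha256: str     # SHA-256 hex digest of the admin password
    wan_mgmt_enabled: bool   # remote management reachable from the Internet


# Constructed baseline: minimum acceptable firmware per model (placeholders).
MIN_FIRMWARE = {"EX-1000": "1.4.0", "EX-2000": "2.1.5"}

# Constructed list of default credential pairs; only their hashes are kept
# at comparison time so plaintext never sits next to device records.
DEFAULT_CREDS = [("admin", "admin"), ("admin", "password"), ("root", "root")]


def sha256_hex(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()


DEFAULT_HASHES = {(u, sha256_hex(p)) for u, p in DEFAULT_CREDS}


def parse_version(v: str) -> tuple:
    """Turn '1.10.2' into (1, 10, 2) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in v.strip().split("."))


def audit(router: Router) -> list:
    """Return a list of finding tags for one router; empty means clean."""
    findings = []
    minimum = MIN_FIRMWARE.get(router.model)
    if minimum is None:
        findings.append("unknown-model")
    elif parse_version(router.firmware) < parse_version(minimum):
        findings.append(f"outdated-firmware:{router.firmware}<{minimum}")
    if (router.admin_user, router.admin_pw_sha256) in DEFAULT_HASHES:
        findings.append("default-credentials")
    if router.wan_mgmt_enabled:
        findings.append("wan-management-exposed")
    return findings


def audit_inventory(routers) -> dict:
    """Map each router name to its findings."""
    return {r.name: audit(r) for r in routers}


# Constructed sample inventory: one bad device, two clean ones.
SAMPLE_INVENTORY = [
    Router("branch-01", "EX-1000", "1.2.3", "admin", sha256_hex("admin"), True),
    Router("branch-02", "EX-1000", "1.4.0", "admin",
           sha256_hex("correct horse battery staple"), False),
    Router("hq-edge", "EX-2000", "2.10.0", "ops", sha256_hex("s3cr3t!"), False),
]

if __name__ == "__main__":
    for name, issues in audit_inventory(SAMPLE_INVENTORY).items():
        print(name, "OK" if not issues else ", ".join(issues))
```

Running it prints one line per device; only `branch-01` is flagged, with all three findings. In practice the inventory would be exported from the management platform rather than hard-coded, and the baseline versions would come from the vendor's release notes.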

A complete list of recommendations and additional technical details regarding Horse Shell are available in the advisory.

Editorial image credit: rafastockbr / Shutterstock.com
