Alert: Chinese Hackers Exploit Zero-day Vulnerability in Cisco Routers

On July 2, 2024, Cisco issued a critical security alert regarding a major vulnerability in its routers exploited by Chinese hackers. The vulnerability, CVE-2023-20109, affects Cisco NX-OS software, allowing attackers to execute arbitrary commands with elevated privileges due to insufficient input validation of user-supplied data.

Exploitation methods

The BlackTech state group, also known by aliases such as Palmerworm, Circuit Panda and Radio Panda, has been identified as the main actor in these attacks. BlackTech has a history of targeting government, industry, technology, media, electronics, telecommunications and defense sectors. In its current campaign, it uses custom malware to modify Cisco router firmware and activate SSH backdoors via specially crafted TCP or UDP packets. This method enables them to maintain permanent access while evading detection.

The group’s tactics involve replacing the device’s original firmware with malicious versions, signed using stolen code-signing certificates. This makes it difficult for security software to detect the modifications. Attackers often gain initial access using stolen administrative credentials, obtained through phishing campaigns. Once inside, they establish persistence by disabling logging and modifying firmware to include backdoors that can be activated as required.

Technical details

After gaining access, BlackTech modifies the router’s firmware to conceal its activity. This includes modifying the router’s configuration and history of commands executed, disabling logging and using compromised devices as part of their infrastructure to proxy traffic, blend in with corporate network traffic and pivot to other victims on the same network. In particular, they target branch routers, small devices used in remote offices to connect to corporate headquarters, in order to extend their hold on the organization.

In addition, attackers patch the memory of Cisco devices to bypass signature validation functions, enabling them to load modified firmware with built-in backdoors. They also modify EEM policies used for task automation, removing certain strings from legitimate commands in order to block their execution and hinder forensic analysis.

Impact of exploitation

The impact of this exploit is profound. Attackers can disrupt network operations, exfiltrate sensitive data and establish persistent access for future attacks. This is a significant threat to affected organizations, particularly those working in sectors critical to national security and infrastructure.

Cisco points out that while attackers require initial authentication, they often use stolen credentials and phishing campaigns to circumvent this requirement. Exploiting this vulnerability allows attackers to take control of the device and move laterally in the network, increasing potential damage.

Mitigation strategies

Cisco strongly recommends several measures to mitigate this vulnerability:

  1. Apply patches: Ensure that all affected Cisco devices are updated with the latest patches provided by Cisco.
  2. Implement strong access controls: Use multi-factor authentication (MFA) and restrict access based on strict identity verification.
  3. Monitor network traffic: Constantly watch for anomalies and signs of compromise. This includes looking for unauthorized downloads of bootloader and firmware images, unusual device reboots and unexpected SSH traffic.
  4. Improve security practices: Develop robust incident response plans, and regularly review and update security protocols. Companies should also upgrade to devices with advanced secure boot features, and regularly review logs for unauthorized access attempts.

The exploitation of Cisco routers by Chinese hackers highlights the evolving nature of cyber threats and the need for proactive cybersecurity measures. By staying informed and implementing recommended security practices, organizations can better protect their networks against such sophisticated attacks.

Photo credits: Hokmiran; AdobeStock

Twitter Facebook LinkedIn Reddit Copy link Link copied to clipboard
Photo of author

Posted by

Stan Deberenx

Stan Deberenx is the Editor-in-Chief of Defensorum. Stan has many years of journalism experience on several publications. He has a reputation for attention to detail and journalist standards. Stan is a literature graduate from Sorbonne University, with a master's degree in management from Audencia/University of Cincinnati.