BlackTech APT Hackers Attacking Network Routers to Breach Corporate Networks

Hackers called BlackTech APT have been doing bad things since 2010. They attack places like the government, factories, technology, media, electronics, phones, and the military.

The group behind the attack employs custom-made malicious software, tools that can be used for both good and bad purposes, and cunning techniques that involve leveraging the resources that already exist within a system, like turning off data recording capabilities on routers, all in an effort to mask their activities.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Japan National Police Agency (NPA) demonstrated the capabilities of BlackTech in modifying router firmware without detection and exploiting routers’ domain-trust relationships for pivoting from international subsidiaries to headquarters in Japan and the U.S.

BlackTech actors continue to update their tools to evade detection, and they also steal code-signing certificates to make their malware appear legitimate.

Document
FREE Demo

Deploy Advanced AI-Powered Email Security Solution

Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware

BlackTech Malware Attack

The actors are known for using custom malware payloads and remote access tools (RATs) to target victims’ operating systems.

Their custom malware supports multiple operating systems, including Windows®, Linux®, and FreeBSD® operating systems.

BlackTech actors use living off-the-land TTPs to blend in with standard operating systems and network activities, allowing them to evade detection by endpoint detection and response (EDR) products.

Their current campaign targets international subsidiaries of the U.S. and Japanese companies.

Once they gain access to subsidiaries’ internal networks, they can infiltrate from subsidiaries to headquarters’ networks.

“BlackTech actors exploit trusted network relationships between an established victim and other entities to expand their access in target networks,” reads the report.

BlackTech took advantage of multiple router brands and versions, such as Cisco and other vendors.

In the case of Cisco routers, the actors hide their presence in Embedded Event Manager (EEM) policies used in Cisco IOS to automate tasks that execute upon specified events.

CISA and NPA shared mitigation steps to mitigate this BlackTech malicious activity. The Agencies strongly recommend network defenders monitor the unusual traffic, unauthorized downloads of bootloaders, firmware images, and reboots

Protect yourself from vulnerabilities using Patch Manager Plus to quickly patch over 850 third-party applications. Take advantage of the free trial to ensure 100% security.

Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.