Camaro Dragon APT Group Exploits TP-Link Routers With Custom Implant

by admin 0 Comments

Security
Share on Facebook
Share on Twitter
Share on Pinterest
Share on LinkedIn
Share on Facebook
Share on Twitter
Share on Pinterest
Share on LinkedIn

A Chinese state-sponsored APT group known as Camaro Dragon has been observed exploiting TP-Link routers via a malicious firmware implant.

The findings come from security experts at Check Point Research (CPR) and were described in an advisory published by the company earlier today.

“The implant features several malicious components, including a custom backdoor named ‘Horse Shell’ that enables the attackers to maintain persistent access, build anonymous infrastructure and enable lateral movement into compromised networks,” wrote Itay Cohen, Radoslaw Madej and the CPR Threat Intelligence Team.

Further, the implant’s components are designed to be compatible with different firmware from various vendors.

“The implanted components were discovered in modified TP-Link firmware images. However, they were written in a firmware-agnostic manner and are not specific to any particular product or vendor. As a result, they could be included in different firmware by various vendors,” wrote CPR.

“While we have no concrete evidence of this, previous incidents have demonstrated that similar implants and backdoors have been deployed on diverse routers and devices from a range of vendors.”

Still, CPR clarified that it is still uncertain how the firmware images are being installed on the infected routers, as well as how they are being used in real intrusions.

“It is likely that they gained access to these devices by either scanning them for known vulnerabilities or targeting devices that used default or weak and easily guessable passwords for authentication,” reads the technical write-up.

“The goal of the attackers appears to be the creation of a chain of nodes between main infections and real command and control, and if so, they would likely be installing the implant on arbitrary devices with no particular interest.”

According to the researchers, the discovery is another instance of a recurring pattern among Chinese hackers to take advantage of network devices that are publicly accessible on the internet and manipulating the software or firmware within.

Read more on similar attacks: Cisco Warns of Critical Vulnerability in End-of-Life Routers

To defend against similar attacks, CPR recommended system defenders implement network protections, keep systems updated and change default credentials. 

A complete list of recommendations, as well as additional technical details about Horse Shell, is available in the advisory.

Editorial image credit: rafastockbr / Shutterstock.com

This article was originally published by Infosecurity-magazine.com. Read the original article here.
Share on Facebook
Share on Twitter
Share on Pinterest
Share on LinkedIn

Products You May Like

Articles You May Like

Data Breach Exposes 300k Taxi Passengers’ Information
Report Suggests 93% of Breaches Lead to Downtime and Data Loss
OfflRouter Malware Evades Detection in Ukraine for Almost a Decade
BlackTech Targets Tech, Research, and Gov Sectors New ‘Deuterbear’ Tool
Intel and Lenovo BMCs Contain Unpatched Lighttpd Server Flaw

Leave a Reply

Your email address will not be published. Required fields are marked *