A Chinese state-sponsored APT group known as Camaro Dragon has been observed exploiting TP-Link routers via a malicious firmware implant.
The findings come from security experts at Check Point Research (CPR) and were described in an advisory published by the company earlier today.
“The implant features several malicious components, including a custom backdoor named ‘Horse Shell’ that enables the attackers to maintain persistent access, build anonymous infrastructure and enable lateral movement into compromised networks,” wrote Itay Cohen, Radoslaw Madej and the CPR Threat Intelligence Team.
Further, the implant’s components are designed to be compatible with different firmware from various vendors.
“The implanted components were discovered in modified TP-Link firmware images. However, they were written in a firmware-agnostic manner and are not specific to any particular product or vendor. As a result, they could be included in different firmware by various vendors,” wrote CPR.
“While we have no concrete evidence of this, previous incidents have demonstrated that similar implants and backdoors have been deployed on diverse routers and devices from a range of vendors.”
CPR noted, however, that it is still uncertain how the firmware images are being installed on the infected routers, as well as how they are being used in real intrusions.
“It is likely that they gained access to these devices by either scanning them for known vulnerabilities or targeting devices that used default or weak and easily guessable passwords for authentication,” reads the technical write-up.
“The goal of the attackers appears to be the creation of a chain of nodes between main infections and real command and control, and if so, they would likely be installing the implant on arbitrary devices with no particular interest.”
According to the researchers, the discovery is another instance of a recurring pattern among Chinese threat actors: exploiting network devices that are publicly accessible on the internet and manipulating the software or firmware running on them.
To defend against similar attacks, CPR recommended that system defenders implement network protections, keep systems updated and change default credentials.
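Because the implant was found inside modified firmware images, one practical defensive check is to verify a firmware image against the vendor's published hash before flashing it. The following script is an added example for this article; it is not Check Point's code and not tied to any real TP-Link image. The manifest format ("sha256  filename" lines), the `parse_manifest` and `verify_image` helpers, and the sample image bytes are all constructed for illustration.

```python
"""Added example: verify a router firmware image against a published hash
manifest before flashing. Not Check Point's code; the manifest format, the
helper names and the sample image bytes are assumptions for this example."""
import hashlib
import hmac

# Constructed "known-good" image. In practice this would be the vendor's
# signed download; here it is just bytes so the example runs offline.
SAMPLE_IMAGES = {
    "router-model-x_v1.2.bin": b"GOOD-FIRMWARE-IMAGE-BYTES" * 4,
}

# Constructed manifest in an assumed "sha256  filename" format. The digests are
# computed from the constructed sample above, not from any real firmware.
MANIFEST = "# constructed manifest\n" + "\n".join(
    f"{hashlib.sha256(data).hexdigest()}  {name}"
    for name, data in SAMPLE_IMAGES.items()
)


def parse_manifest(text):
    """Return {filename: sha256_hex} from a manifest, rejecting malformed lines."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed digest in manifest line: {line!r}")
        if not name.strip():
            raise ValueError(f"missing filename in manifest line: {line!r}")
        expected[name.strip()] = digest
    return expected


def verify_image(name, data, manifest_text):
    """Check that `data` is the image the manifest lists under `name`.

    Returns (ok, reason). An image absent from the manifest is rejected
    outright; a listed image must match its digest exactly. compare_digest
    avoids leaking anything through timing, which matters little here but is
    the right habit for any equality check on secrets or digests.
    """
    expected = parse_manifest(manifest_text)
    if name not in expected:
        return False, "image not listed in manifest"
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, expected[name]):
        return False, "sha256 mismatch: image has been modified or corrupted"
    return True, "ok"


if __name__ == "__main__":
    good = SAMPLE_IMAGES["router-model-x_v1.2.bin"]
    tampered = good[:-1] + b"X"  # constructed one-byte modification
    print(verify_image("router-model-x_v1.2.bin", good, MANIFEST))
    print(verify_image("router-model-x_v1.2.bin", tampered, MANIFEST))
    print(verify_image("unknown.bin", good, MANIFEST))
```

A manifest check only defends the flashing step: it catches a tampered download, not an implant already written to the device, so it complements rather than replaces the update and credential hygiene CPR recommends.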
A complete list of recommendations, as well as additional technical details about Horse Shell, is available in the advisory.