Cyber Threat Report: 'People's Republic of China-Linked Cyber Actors Hide in Router Firmware'

This Cybersecurity Advisory from CISA and partners details activities of the People's Republic of China (PRC)-linked cyber actors known as BlackTech. According to the advisory, BlackTech has targeted multiple sectors including government, industrial, technology, media, electronics, and telecommunication in the U.S. and Japan. The group uses custom malware, dual-use tools, and 'living off the land' tactics to modify router firmware and exploit domain-trust relationships for pivoting within networks. The advisory outlines TTPs and IoCs and provides recommended mitigations to detect and protect organizations against the threat from BlackTech actors.

Credential Access Protection

Use capabilities to prevent successful credential access by adversaries; including blocking forms of credential dumping.

Boot Integrity

Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.

Code Signing

Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.

Privileged Account Management

Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.

Multi-factor Authentication

Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.

Password Policies

Set and enforce secure password policies for accounts.

User Account Management

Manage the creation, modification, use, and permissions associated to user accounts.

Network Segmentation

Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services...

Disable or Remove Feature or Program

Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.

Network Intrusion Prevention

Use intrusion detection signatures to block traffic at network boundaries.

Audit

Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.

Limit Access to Resource Over Network

Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.

Operating System Configuration

Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.

Pre-compromise

This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.

Filter Network Traffic

Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.

SSL/TLS Inspection

Break and inspect SSL/TLS sessions to look at encrypted web traffic for adversary activity.

Restrict File and Directory Permissions

Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.

Execution Prevention

Block execution of code on a system through application control, and/or script blocking.

Software Configuration

Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.

Restrict Registry Permissions

Restrict the ability to modify certain hives or keys in the Windows Registry.

Environment Variable Permissions

Prevent modification of environment variables by unauthorized users and groups.