OVERKILL
$100 Site Donor 2021
In May of last year Check Point, a name most should be familiar with as a firewall and security company, released the following report:
The Dragon Who Sold His Camaro: Analyzing Custom Router Implant - Check Point Research
By monitoring targeted attack traffic, Check Point traced it back to Chinese nationals, a hacking group called "APT" that they track as "Camaro Dragon".
The source? A malicious firmware implant for TP-Link routers (a Chinese company) that creates a persistent back door and allows access to an extensive portfolio of features that enable movement into the device's now compromised host network. Beyond the basic shell functionality, other features, such as being able to tunnel through this device to obfuscate traffic, are also present. They can also upload/download files, which means additional applications, and thus functions, could be added to the device over time.
While this discovery was restricted to TP-Link devices, the implant itself has platform-agnostic code, so it could be modified to work on other vendors' firmware, assuming the same vulnerability that allows for the implant is present.
While the modified full firmware images they were able to acquire were for old (2014) devices, the implant is not limited to these; they are just the samples obtained. Check Point has not yet determined how devices are being infected but assumes, quite reasonably, that it's through an existing vulnerability:
Check Point said:
We are unsure how the attackers managed to infect the router devices with their malicious implant. It is likely that they gained access to these devices by either scanning them for known vulnerabilities or targeting devices that used default or weak and easily guessable passwords for authentication. The goal of the attackers appears to be the creation of a chain of nodes between main infections and real command and control, and if so, they would likely be installing the implant on arbitrary devices with no particular interest.
It is worth noting that this kind of attack is not aimed specifically at sensitive networks, but rather at regular residential and home networks. Therefore, infecting a home router does not necessarily mean that the homeowner was a specific target, but rather that their device was merely a means to an end for the attackers.
While this exploit is specific to TP-Link devices, it is important to keep in mind that it could be easily ported to others, provided a similar means of injection exists. This underscores the ongoing challenges with consumer network gear, where the placement on the perimeter of a device designed to be manufactured as cheaply as possible, with few resources allocated not only to software R&D but to staying on top of the security of that software after the fact, presents what amounts to a considerable attack surface. With "cloud tied" services now also being (poorly) implemented on these products, it is likely that we will see the list of ongoing vulnerabilities and exploits grow, rather than shrink.