The Cloud Consultancy Europe Ltd.
+44 (0) 203 637 6667

Malicious firmware is vendor-agnostic, so other routers, not just TP-Link, are at risk of being co-opted into a ‘sophisticated’ attack

A malicious firmware implant designed to infect TP-Link routers has been discovered by researchers at security vendor Check Point.

The malicious code contains a custom implant which the researchers called “Horse Shell”, as well as a passive back door. It has been used by attackers to gain control over compromised devices and access to networks without being detected. The ultimate targets are mostly European political entities, according to Check Point, although their exact identities have not been made public.

Check Point Research attributes the attacks to a Chinese state-sponsored Advanced Persistent Threat (APT) group, which it calls “Camaro Dragon.” The group seems to be closely related to another APT known as Mustang Panda.

Activities of Mustang Panda and related groups against NGOs and government entities have been reported since 2017, and Check Point Research says it has observed the group carrying out “sophisticated attacks targeting officials in multiple European countries” since the start of this year.

The mode of infection in this case is not clear, but Check Point researchers say in a blog post that “router implants are often installed on arbitrary devices with no particular interest, with the aim to create a chain of nodes between the main infections and real command and control.”

This particular attack seems to be aimed at home routers as intermediate hops rather than at the ultimate targets, suggesting the attackers are building up a chain of devices to aid their mission.

Whatever your business, however big or small it is, you will receive phishing attacks at some point. Think about how you will help your staff understand the threat and how to spot phishing. As with other advice, give them the tools to defend against it in their personal lives and they will bring that behaviour back to work. Let The Cloud Consultancy secure your business.

It is likely that the attackers gain control over infected routers through a combination of known vulnerabilities and weak authentication.

The malware is designed to be vendor-agnostic, according to the researchers, meaning it could be used to infect routers made by other manufacturers, not just TP-Link devices.

This finding emphasises the need for organisations and domestic users to strengthen the security of their network devices by updating firmware, replacing default credentials with strong passwords and enabling multi-factor authentication (MFA).
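The three hardening points above (current firmware, no factory-default credentials, MFA on management logins) are straightforward to check against a device inventory. The script below is an added example, not code from the article, Check Point or any vendor; the inventory records, the `DEFAULT_CREDENTIALS` set and the minimum password length are constructed assumptions, and it assumes the vendor's latest firmware version is already recorded in the inventory rather than fetched live.

```python
"""Added example: audit a constructed router inventory against the article's
three hardening points: current firmware, no default credentials, MFA enabled.
Not code from the article or from Check Point."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample of commonly documented factory defaults; a real audit would
# load the vendor-specific list for each model in the inventory.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", ""),
    ("root", "root"),
}
MIN_PASSWORD_LENGTH = 12  # assumed policy value


@dataclass
class Router:
    hostname: str
    vendor: str
    firmware: str          # installed version string, e.g. "1.9.0"
    latest_firmware: str   # vendor's current release, assumed recorded in inventory
    admin_user: str
    admin_password: str
    mfa_enabled: bool


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.10.2' into (1, 10, 2) so versions compare numerically.
    Comparing as strings would wrongly rank '1.9' above '1.10'."""
    parts = []
    for piece in version.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_outdated(installed: str, latest: str) -> bool:
    """True when the installed version is strictly older than the latest one."""
    a, b = parse_version(installed), parse_version(latest)
    width = max(len(a), len(b))
    # Pad with zeros so '1.10' and '1.10.0' compare as equal.
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def audit(router: Router) -> List[str]:
    """Return a list of findings for one device; an empty list means it passes."""
    findings = []
    if is_outdated(router.firmware, router.latest_firmware):
        findings.append(f"firmware {router.firmware} behind {router.latest_firmware}")
    if (router.admin_user, router.admin_password) in DEFAULT_CREDENTIALS:
        findings.append("factory default credentials in use")
    elif len(router.admin_password) < MIN_PASSWORD_LENGTH:
        findings.append(f"admin password shorter than {MIN_PASSWORD_LENGTH} characters")
    if not router.mfa_enabled:
        findings.append("MFA not enabled for management login")
    return findings


def audit_inventory(routers: List[Router]) -> Dict[str, List[str]]:
    """Audit every device and key the findings by hostname."""
    return {r.hostname: audit(r) for r in routers}


# Constructed sample inventory covering a passing device, a device failing all
# three checks, and a non-TP-Link device (the implant is vendor-agnostic).
SAMPLE_INVENTORY = [
    Router("hq-gw-01", "TP-Link", "1.10.0", "1.10.0",
           "netadmin", "a-long-unique-passphrase", True),
    Router("branch-gw-01", "TP-Link", "1.9.0", "1.10.0",
           "admin", "admin", False),
    Router("home-office-07", "OtherVendor", "3.2.1", "3.2.1",
           "admin", "Summer2023", True),
]

if __name__ == "__main__":
    for host, issues in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {'OK' if not issues else '; '.join(issues)}")
```

The numeric version comparison matters in practice: `branch-gw-01` is flagged only because `1.9.0` is compared as numbers against `1.10.0`; a naive string comparison would report it as up to date.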

New regulations in the US and in Europe require vendors to bolster their products to protect against supply chain attacks.

“Computers, phones, household appliances, virtual assistance devices, cars, toys… each and every one of these hundreds of millions of connected products is a potential entry point for a cyberattack,” commented Thierry Breton, EU commissioner for the internal market, last year.

Source: Computing. By: John Leonard