The warning was issued by Japanese and American law enforcement and cybersecurity agencies: the FBI, NSA, CISA, NISC (Japanese cybersecurity agency), and NPA (Japanese police), with organizations using Cisco tech advised to use the newest router models, apply the latest patches immediately, and keep a close eye on incoming and outgoing network traffic.
In the alert, the organizations said that a group known as BlackTech (also known elsewhere as Palmerworm, Circuit Panda, and Radio Panda) was targeting organizations in government, industrial, technology, media, electronics, telecommunication, and defense industries.
Flaws, or no flaws?
The attackers are reportedly using a backdoor in Cisco routers at international subsidiaries to gain an initial foothold on the corporate network, then working their way toward endpoints at the headquarters. All of this is made possible by custom-built malware, with the apparent end goal of stealing sensitive data from these firms.
On the other hand, Cisco argues that the threat actor isn't exploiting any flaws in its products. In a recently published advisory, it said there was no indication of BlackTech abusing a vulnerability, or using stolen certificates to sign the malware. The company also stressed that for the attack to work, the firmware on the devices must first be downgraded, which is only possible on legacy products and not on newer devices.
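Since Cisco's caveat turns on a firmware downgrade, one defensive check is to compare each router's currently reported IOS release against a recorded baseline and flag any device that now reports an older version or an unrecognisable banner. The following is an added example, not code from the advisory or from Cisco; the device names, baseline versions and `show version` banner lines are constructed, and the parser assumes the `Version 15.4(3)M6` style that classic IOS prints.

```python
import re
from typing import Dict, List, Optional, Tuple

# Matches the "Version 15.4(3)M6" fragment in a classic IOS `show version` banner.
VERSION_RE = re.compile(r"Version\s+(\d+)\.(\d+)\((\d+)\)")


def parse_ios_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, maintenance) from a `show version` banner, or None if absent."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, maint = (int(x) for x in m.groups())
    return (major, minor, maint)


def find_downgrades(baseline: Dict[str, Tuple[int, int, int]],
                    current_banners: Dict[str, str]) -> List[str]:
    """Flag devices whose running version is below the baseline, or cannot be compared.

    An unparseable banner is flagged rather than ignored: a device that stops
    reporting a recognisable version deserves a look, not a silent pass.
    """
    flagged = []
    for device, banner in current_banners.items():
        version = parse_ios_version(banner)
        expected = baseline.get(device)
        if version is None or expected is None:
            flagged.append(f"{device}: could not compare (version={version}, baseline={expected})")
        elif version < expected:  # tuple comparison: (15, 4, 3) < (15, 9, 3)
            flagged.append(f"{device}: downgrade {expected} -> {version}")
    return flagged


# Constructed sample inventory (hypothetical device names and versions).
BASELINE = {"branch-rtr-1": (15, 9, 3), "branch-rtr-2": (15, 9, 3), "hq-rtr-1": (17, 9, 4)}
CURRENT_BANNERS = {
    "branch-rtr-1": "Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.4(3)M6, RELEASE SOFTWARE (fc3)",
    "branch-rtr-2": "Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.9(3)M7, RELEASE SOFTWARE (fc1)",
    "hq-rtr-1": "Cisco IOS Software, hypothetical banner with no recognisable version string",
}

if __name__ == "__main__":
    for line in find_downgrades(BASELINE, CURRENT_BANNERS):
        print(line)
```

Run against a real inventory, the baseline would come from the last known-good audit and the banners from each device's `show version` output.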
Cisco routers are widely deployed in organizations, which also makes them a major target.
Earlier this year, it was reported that Russian state-sponsored threat actors were using custom malware against old, unpatched Cisco IOS routers. APT28 (also known as Fancy Bear) was observed deploying custom-built malware known as Jaguar Tooth against organizations in the West. The malware is capable of stealing sensitive data passing through the router and allows threat actors unauthenticated backdoor access to the device.