Posted on May 17, 2023 at 6:15 PM
Researchers detect Chinese nation-backed hackers exploiting TP-Link routers
Mustang Panda, a Chinese threat actor group, has been linked to several sophisticated, targeted attacks against foreign affairs organizations located in Europe. The attacks appear to have started in January 2023.
Mustang Panda exploits TP-Link routers
The nature of the attacks conducted by the threat actor group by exploiting TP-Link routers was confirmed by cybersecurity researchers at Check Point. The researchers in question, Itay Cohen and Radoslaw Madej, have exposed a custom firmware implant created specifically for use in TP-Link routers.
A report from the company said that the custom implant contains multiple malicious features. These features allow hackers to launch persistent attacks and gain access to compromised networks, where they can navigate to gather information.
“The implant features several malicious components, including a custom backdoor named ‘Horse Shell’ that enables the attackers to maintain persistent access, build anonymous infrastructure, and enable lateral movement into compromised networks,” the statement released by the company said.
The statement released by the company also said that the implant had a firmware-agnostic design. The features of the implant can be integrated across various firmware used by multiple vendors.
Check Point, which is a cybersecurity company based in Israel, has said that it is tracking this threat actor group using the name of a mythical creature, Camaro Dragon. The group also goes by other names such as Earth Preta, RedDelta, HoneyMyte, Red Lich, Bronze President, and BASIN.
Minimal details about the attack
The researchers are yet to determine the method the hackers used to install the modified firmware images on the affected routers. How widely this firmware has been deployed, and how it has been used in actual attacks, also remains unknown.
However, there are suspicions that the initial access might have been obtained when the attacker exploited a known security vulnerability. The threat actors might have also conducted a brute force attack and obtained initial access using default passwords or passwords that are easy to guess.
However, researchers have determined that the C++-based Horse Shell implant allows attackers to execute arbitrary shell commands easily. They can also upload and download files to and from the router, and they can relay communication between two different clients.
The modified firmware is also designed to deceive users: it hides the option to flash another image through the router’s web interface, so the victim cannot easily overwrite the implant. The router backdoor is also believed to have targeted not only organizations but also individuals.
The router backdoor is believed to have targeted arbitrary devices on residential and home networks. This suggests that the affected routers might have been co-opted into a mesh network. The objective of this threat actor group is to create a chain of nodes running between the main infections and the real command-and-control server.
The firmware also relays communication between the infected devices using a SOCKS tunnel. The objective behind such malicious activity is to have an extra layer of anonymity while hiding the final server. Every node running on the chain also comes with information about the nodes preceding it. However, it does not contain information on the node succeeding it.
The methods the hackers used in this case hide the origin and destination of the traffic in a way analogous to Tor. These methods make it challenging to pinpoint the scope of the attack, and they also make it challenging for any security systems that have been put in place to disrupt it.
The researchers further explained that if a single node in the chain is compromised or taken down, the attacker could still sustain communication with the C2 by routing traffic through a different node within the chain.
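The relay behaviour described above (an infected router accepting a connection from one peer and forwarding it to the next node in the chain) leaves a footprint in network flow records that a defender can look for. The following Python script is an added example written for this article; it is not code from Check Point or from the report, and the flow-record format, the field names, the time and byte-size thresholds, and the sample flows (all from documentation address ranges) are assumptions constructed for illustration. It flags a monitored host whose inbound connection from one external address is followed shortly by an outbound connection to a different external address carrying roughly the same volume of data.

```python
"""Flag hosts that behave like traffic relays in flow records.

Added example for the article above, not code from the Check Point report.
A router turned into a relay node accepts an inbound connection from one
external peer and, shortly afterwards, opens an outbound connection to a
different external peer carrying about the same number of bytes. The flow
format, thresholds and sample data below are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One connection summary (assumed format, e.g. exported from a router or ISP sensor)."""
    ts: float      # start time in seconds
    src: str       # source address
    dst: str       # destination address
    dport: int     # destination port
    nbytes: int    # bytes carried by the connection


def find_relay_candidates(flows, monitored_hosts, max_lag=5.0, byte_tolerance=0.2):
    """Return {host: [(inbound_flow, outbound_flow), ...]} for monitored hosts
    whose inbound flow from an external peer is followed within max_lag seconds
    by an outbound flow to a different external peer of similar size."""
    inbound = defaultdict(list)   # flows arriving at a monitored host
    outbound = defaultdict(list)  # flows leaving a monitored host
    for f in flows:
        if f.dst in monitored_hosts and f.src not in monitored_hosts:
            inbound[f.dst].append(f)
        elif f.src in monitored_hosts and f.dst not in monitored_hosts:
            outbound[f.src].append(f)

    candidates = defaultdict(list)
    for host, ins in inbound.items():
        for fin in ins:
            for fout in outbound.get(host, []):
                lag = fout.ts - fin.ts
                # The outbound leg must start after the inbound one, go to a
                # different peer, and carry a comparable number of bytes.
                if not (0 <= lag <= max_lag) or fout.dst == fin.src:
                    continue
                if abs(fout.nbytes - fin.nbytes) <= byte_tolerance * max(fin.nbytes, 1):
                    candidates[host].append((fin, fout))
    return dict(candidates)


def describe(candidates):
    """Render findings as one line per suspected relay hop."""
    lines = []
    for host, pairs in candidates.items():
        for fin, fout in pairs:
            lines.append(
                f"{host}: {fin.src} -> {host} ({fin.nbytes} B) then "
                f"{host} -> {fout.dst} ({fout.nbytes} B) after {fout.ts - fin.ts:.1f}s"
            )
    return lines


# Constructed sample: 203.0.113.10 is the monitored router's WAN address.
SAMPLE_FLOWS = [
    Flow(100.0, "198.51.100.7", "203.0.113.10", 8080, 5000),   # inbound from peer A
    Flow(101.2, "203.0.113.10", "192.0.2.44", 443, 5100),      # forwarded to peer B
    Flow(130.0, "203.0.113.10", "192.0.2.99", 443, 900),       # ordinary outbound browsing
    Flow(200.0, "198.51.100.7", "203.0.113.10", 8080, 12000),  # inbound, no timely outbound
    Flow(215.0, "203.0.113.10", "192.0.2.44", 443, 12000),     # too late to pair (15 s lag)
]
MONITORED = {"203.0.113.10"}

if __name__ == "__main__":
    for line in describe(find_relay_candidates(SAMPLE_FLOWS, MONITORED)):
        print(line)
```

Only the first inbound/outbound pair is reported; the later inbound flow is ignored because its matching outbound leg starts outside the lag window. On real data the thresholds need tuning per network, and the heuristic is a triage signal rather than proof of compromise, since NAT devices and legitimate proxies produce similar pairs.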
It is also not the first time that China-based hackers have used a network of infected routers to conduct hacking attacks. In 2021, the National Cybersecurity Agency of France (ANSSI) released a statement detailing an attack conducted by the APT31 threat actor group, also known as Judgement Panda or Violet Typhoon.
At the time, ANSSI said that the threat actor group used malware known as Pakdoor or SoWat to conduct its hacking exploits. The malware enabled the infected routers to communicate with each other, which increased the scope of the attack significantly.
In the recent report, Check Point researchers said that the recent discovery was another example of the trend set by Chinese threat actors. These threat actors conduct hacking exploits to target network devices connected to the internet and alter the underlying software or firmware.