Malicious firmware "Horse Shell" exposed as backdoor for TP-Link routers

Security researchers from Check Point Research (CPR) have discovered a backdoor called "Horse Shell" while analyzing cyberattacks on European institutions. It was planted as a malicious firmware implant on TP-Link routers by a Chinese state-sponsored APT group called "Camaro Dragon." Check Point Research (CPR) provided me with details the other day, which I'm posting below on the blog.


It was a series of targeted cyberattacks on European foreign affairs institutions that put Check Point Research (CPR) security experts on notice. Analyzing the attacks, the security researchers then came across a malicious firmware implant for TP-Link routers that included a customized backdoor called "Horse Shell." The backdoor allowed attackers to take full control of the infected device, remain undetected and access compromised networks.

Check Point Research (CPR) security experts identified the Chinese state-sponsored APT group called "Camaro Dragon" as the originator of the attacks and malicious firmware. These activities have significant infrastructural overlap with activities publicly associated with "Mustang Panda," the security researchers write.

Through thorough analysis of the cyberattacks, CPR security researchers were able to uncover the malicious tactics, and they have published a detailed analysis. The findings about how the implant works also allow them to compare it to other router implants associated with other Chinese state-sponsored groups. By studying this implant, CPR hopes to shed light on the APT group's techniques and tactics. The goal is to develop a better understanding of how threat actors use malicious firmware implants in network devices for their attacks.

The cyberattack

The investigation into the "Camaro Dragon" activity involved a campaign that primarily targeted European foreign affairs institutions, security researchers wrote in a statement. Although Horse Shell was found on the attacking infrastructure, it is unclear who the victims of the router implant are.

It is known from past cases that router implants are often installed on arbitrary devices that are of no particular interest in themselves, in order to create a link between the main infections and the actual command and control infrastructure. In other words, infecting a home router does not mean that the homeowner has been targeted; the device is merely a means to an end, CPR specialists are certain.


Protecting a network

The discovery of the Camaro Dragon malicious implant for TP-Link routers shows the importance of taking protective measures against similar attacks. Here are some recommendations from security researchers for detection and protection that apply to other routers as well:

  • Install software updates: Regular updates to firmware and software on routers and other devices are critical to prevent vulnerabilities that attackers could exploit.
  • Change default credentials: Change default credentials for all devices connected to the Internet to strong passwords and use multi-step authentication whenever possible. Attackers often scan the Internet for devices that still use default or weak credentials.

The researchers also write: "Manufacturers can better protect their devices from malware and cyberattacks. Regulations such as the EU Machinery Directive require vendors and manufacturers to ensure devices do not pose risks to users and to build security features into devices." This is where I see the sticking point with some manufacturers – TP-Link in particular has some models with known vulnerabilities that have fallen out of support and are no longer getting security updates.

In their document, the Check Point researchers suggest using network security solutions from Check Point – although, in my eyes, equivalent products from other vendors may be used as well. Such solutions provide advanced threat defense and real-time network protection against sophisticated attacks such as those used by the Camaro Dragon APT group. This includes protection against exploits, malware and other sophisticated threats. The security researchers cite two Check Point products for protection:

  • Quantum IoT Protect automatically identifies and maps IoT devices and assesses risk, prevents unauthorized access to and from IoT/OT devices with zero-trust profiling and segmentation, and blocks attacks against IoT devices.
  • Check Point IoT Embedded with Nano Agent® provides runtime protection on the device, enabling networked devices with built-in firmware security. Nano Agent® is a customized package that provides best-in-class security features and prevents malicious activity on routers, network devices, and other IoT devices. Check Point IoT Nano Agent® has advanced features such as memory protection, anomaly detection and control flow integrity.

The security researchers published their findings with more details in the English-language blog post The Dragon who sold his Camaro: Analyzing custom router implant.
