Header bannerHeader banner
September 27, 2023

A Silent Threat in Our Devices: The BlackTech Firmware Attacks

Alex Matrosov

The newest advisory from the NSA, FBI, CISA, and Japan’s NISC, paints a vivid picture of a silent but deadly threat lurking in our devices. The BlackTech APT has been observed modifying router firmware on Cisco routers to maintain stealthy persistence and pivot from international subsidiaries to headquarters of companies in Japan and the United States.

Unfortunately, this is not a surprise, we have observed an increase in firmware attacks with BlackLotus, CosmicStrand, and MoonBounce as recent examples, but the impact of this BlackTech campaign is a clear progression of the documented attacks related to compromised firmware.

Figure 1

The tactics used by the threat actor aren’t new; for example in the Jaguar Tooth disclosure earlier this year, a similar firmware persistence technique was used successfully.

The Mechanics of the Attack

Downgrade attacks that exploit previously known vulnerabilities in firmware are commonplace. As an example, Cisco allows anyone with administrative privileges on the device to downgrade the OS image and firmware to a vulnerable version. To gain persistence in this case, an attacker needs an authentication bypass vulnerability to modify the firmware image to deliver malicious code on the device.

A prime example is CVE-2023-20082, which takes a slightly different approach and targets Cisco Catalyst devices. This vulnerability can bypass image verification, granting the attacker the ability to run arbitrary code in a persistent fashion on the device's operating system.

Underlying Issues

Device vendors, like Cisco, often minimize vulnerability severity, suggesting high attack barriers like needing RCE (Remote Code Execution) or stolen credentials. This leads to lower CVSS (Common Vulnerability Scoring System) scores, diverting patching urgency and attention. Consequently, many systems remain at risk due to this downplaying.

Another major issue is that many vendors fail to ensure their customer devices are regularly updated. A few months ago, the UK’s National Cyber Security Centre (NCSC) and its American counterpart highlighted a campaign exploiting CVE-2017-6742, urging enterprises to update and protect themselves from a six-year-old vulnerability. For context, within just 9 months, 81% of Apple devices were updated to the latest software version. Apple's rapid update adoption is a deliberate part of its product strategy. We must demand more from our device manufacturers, especially when so many of our core infrastructure devices operate on outdated firmware that rarely gets updated.

The presence of state-sponsored actors like BlackTech in router firmware signals a deeper shift in the cybersecurity battleground. The sophistication of this attack underscores the need for companies to rethink how they invest in security below the operating system.

It's not just about detecting a threat; it's about understanding the 'why' behind it. Why are these cyber actors targeting firmware? Because it's the foundation on which all of our other security investments rest.

The Bigger Picture

The fact that BlackTech can modify router firmware without detection is a stark reminder that blind faith in devices that serve as the foundation of our computing environment is misplaced. In a world where firmware can be silently compromised, trust is a luxury we can no longer afford. Every device, every piece of firmware, and every line of code in them can be a potential entry point for cyber actors.

One of the first steps a threat actor takes is understanding how to hide their presence so it is not surprising to see firmware backdoors that can be toggled on and off with specifically-crafted packets. This is one of the reasons why it is difficult for customers to detect and mitigate these threats.

The Way Forward

Agencies like the NSA, FBI, and CISA deserve commendation for their joint advisories and efforts against these threats. While these agencies are doing their part, the onus is also on device manufacturers to step up and prioritize firmware security and the entire industry needs to improve post-sale security support. It's not enough to rely on external agencies to flag vulnerabilities; manufacturers must be proactive in ensuring their products are secure from the ground up. Long-term security support doesn't happen by accident; it's integrated into how a product is designed.

Another significant challenge in this section of cybersecurity is that many device manufacturers mandate their customers to sign non-disclosure agreements, silencing them from discussing these issues. Coupled with the hurdles security researchers encounter when trying to acquire these devices for assessment, and vendors' tendencies to minimize the severity of issues, customers are left blindly vulnerable. The general neglect in ensuring devices are regularly updated exacerbates the problem.

These are exactly why we created Binarly. If we are going to make a difference as an industry, it's important that we accelerate the detect-analyze-fix for vendors and enterprises. By helping our customers pinpoint vulnerabilities and offering actionable guidance, we can reclaim the invaluable hours spent on incident response and redirect them toward proactive security measures. Let's work together to fortify firmware security.

Contact us to learn more about how we can help your organization build a robust plan for addressing these risks.

What's lurking in your firmware?