AdvisoriesCISAAA23-270ASeptember 27, 2023
September 27, 2023
The U.S. NSA, FBI, CISA, Japan's NPA, and NISC have issued a joint cybersecurity advisory warning about the activities of China-linked cyber group, BlackTech. This group has been altering router firmware covertly and exploiting these routers to shift between international subsidiaries and their main offices, mainly in the U.S. and Japan. BlackTech, which has multiple aliases, targets various sectors, including those supporting the U.S. and Japan's militaries. Using custom malware and other discrete methods, they hide their activities. Companies are advised to inspect subsidiary connections, ensure secure access, and consider adopting Zero Trust models to mitigate risks.
Routers are ripe targets for adversaries in any organization. They are often plagued by vulnerabilities and misconfigurations. Most organizations are slow to update and maintain such critical devices on the network. This advisory urges organizations to monitor and block unauthorized outbound connections from routers to their connected networks. In general, network devices should only connect to nearby devices for exchanging routing or network topology information or with administrative systems for time synchronization, etc. Since these types of connections have known patterns and occur within specific time periods on the network, anything outside of the norm - such as a TCP connection on a web port to a random IP address in the routing table - should be detected and subsequently blocked.
Be immediately notified of new advisories and associated security tests
AdvisoryCISAAA24-207AJuly 25, 2024
