Security News > 2023 > May > Chinese state-sponsored attack uses custom router implant to target European governments
The threat actor uses a custom implant to compromise a specific TP-Link router model and steal information from it, as well as provide backdoor access to the attackers.
"Horse Shell" implant found in TP-Link router firmware.
During their analysis of Camaro Dragon, the researchers discovered a large number of files used in their attacks, with two of them being TP-Link firmware images for the WR940 router model released around 2014.
The attackers modified the firmware so that three of the files they had added to its file system are executed each time the operating system restarts, ensuring the persistence of the implant on the compromised router.
In 2018, with the Slingshot APT, attackers exploited a vulnerability in MikroTik routers to plant malware on them with the goal of infecting the router administrator and moving forward with their attack.
Last month, Russian threat actor APT28 exploited a Cisco router vulnerability to target U.S. government institutions and other organizations in Europe and Ukraine.
News URL
https://www.techrepublic.com/article/attack-custom-router-impant-target-european-governments/