Chinese state-sponsored hackers have reportedly been targeting TP-Link routers. The threat actors have reportedly been focusing on this brand of router within Europe and infecting the devices with malicious firmware.
The discovery was made by the cybersecurity company Check Point, which uncovered what it describes as another advanced persistent threat (APT) operated by a Chinese state-sponsored group known as “Camaro Dragon”. The group’s activity reportedly overlaps with malicious operations previously attributed to another group called “Mustang Panda”, and the malicious firmware it is currently using is designed to hide its tracks while infecting the targeted TP-Link router.
The targets of the Camaro Dragon group are, specifically, individuals connected to European foreign affairs. In its investigation, Check Point found that the group infected TP-Link routers with a custom backdoor known as “Horse Shell”. The backdoor gives the hacker group the ability to execute commands on the infected device, to download and upload any files of its choosing, and to relay traffic between two infected devices via the SOCKS5 protocol.
As a quick primer, SOCKS5 is a protocol for proxying TCP connections, which in practice lets Camaro Dragon route its traffic through infected devices while masking its location and identity as it carries on its operations. At present, Check Point says it is unsure how the Chinese state-sponsored threat actors managed to infect the TP-Link routers in the first place. It speculates that the group got in either by scanning the routers for known vulnerabilities or by targeting devices that were “protected” only by default or weak, easily guessable passwords.
It’s not just TP-Link routers that are vulnerable to these attacks either, Check Point says. The malicious code used by Camaro Dragon was found to be firmware-agnostic, meaning that other brands of routers are likely to become targets in the future. As always, it is good practice to use strong passwords and multi-factor authentication wherever and whenever possible.
(Source: Check Point, Techspot)