Cybersecurity researchers from Check Point Research (CPR) have discovered a new backdoor for home and office routers.
The backdoor, named Horse Shell, allows threat actors to fully control the infected endpoint, the researchers say, as well as allowing them to remain hidden and providing access to a wider network.
According to CPR, the group behind the attack is Camaro Dragon – a Chinese Advanced Persistent Threat (APT) group with direct links to the Chinese government. Its infrastructure also “significantly overlaps” with another Chinese state-sponsored attacker – Mustang Panda.
Target less secure devices
While the researchers found Horse Shell on TP-Link routers, they claim that the malware is firmware-agnostic and does not target specific brands. Instead, a “wide range of devices and vendors may be at risk”, they said, suggesting that attackers are more likely to go for devices with known vulnerabilities, or with weak or easily guessed login credentials.
The researchers also cannot pinpoint who the campaign is really targeting. Although Camaro Dragon intends to install Horse Shell on routers belonging to European foreign affairs entities, it is difficult to say who the ultimate targets are.
“Learning from history, router implants are often installed on arbitrary devices of no particular interest, with the aim of creating a chain of nodes between the main infections and true command and control,” CPR explained. “In other words, infecting a home router doesn’t mean the home owner is specifically targeted, but it’s just a means to an end.”
To protect against Camaro Dragon, Mustang Panda, and other malicious actors, businesses should regularly update the firmware and software of routers and other devices; regularly rotate passwords and other login credentials and use multi-factor authentication (MFA) where possible; and deploy up-to-date endpoint protection, firewalls, and antivirus software.
Finally, businesses should educate their employees on the dangers of phishing and social engineering to ensure they do not unknowingly share their login credentials with malicious individuals.