Chinese APT exploits TP-Link router firmware via implant

A Chinese state-sponsored APT tracked as "Camaro Dragon" is conducting targeted attacks with a malware implant tailored for TP-Link routers, according to research published Tuesday by Check Point Software Technologies.

The research, titled "The Dragon Who Sold His Camaro: Analyzing Custom Router Implant," concerns a modified firmware image discovered by Check Point Research containing a malicious implant designed for TP-Link routers as well as a custom backdoor. Named "Horse Shell," the implant "enables the attackers to maintain persistent access, build anonymous infrastructure and enable lateral movement into compromised networks," according to Check Point Research's blog post.

Horse Shell contains three functionalities: remote execution of shell commands on an infected router, file transfer to and from the infected router, and SOCKS proxy tunneling. It is also firmware agnostic, meaning it can be used to exploit other vendors' products.

Check Point said it had no concrete evidence of Horse Shell being used in other attacks beyond the compromised TP-Link firmware, though "previous incidents have demonstrated that similar implants and backdoors have been deployed on diverse routers and devices from a range of vendors."

The compromised TP-Link routers were used in targeted attacks against European foreign affairs officials, according to the blog post. Check Point researchers said this type of firmware attack is typically launched against residential and home office networks, which the apparent of goal of creating a chain of nodes between infected devices and the command and control infrastructure. The initial infection vector, however, remains unknown.

"We are unsure how the attackers managed to infect the router devices with their malicious implant," the blog post said. "It is likely that they gained access to these devices by either scanning them for known vulnerabilities or targeting devices that used default or weak and easily guessable passwords for authentication

Check Point said it has been tracking threat activity against European officials since January. The activity incorporated a wide range of tools, including firmware implants associated with Chinese nation-state activity. Researchers drew significant connections between Camaro Dragon and "Mustang Panda," another Chinese state-sponsored APT reported late last year by vendors such as Avast.

The post said the implant represents "yet another example of a long-standing trend of Chinese threat actors to exploit Internet-facing network devices and modify their underlying software or firmware."

TP-Link has not responded to TechTarget Editorial's request for comment at press time, though a spokesperson said the manufacturer was looking into the research and would provide a statement when ready.

UPDATE 5/19: A TP-Link spokesperson sent to the following statement to TechTarget Editorial:

"TP-Link is aware of a possible security flaw in the 940N reported by Check Point Research (CPR). Upon receiving feedback on a possible security issue, we immediately began investigations. The vulnerability mentioned in the report describes routers that have upgraded Third-party firmware (Not TP-Link official firmware) infected with malicious customizations and embedded scripts to carry out attacks. Still, the report does not say how the routers were infected. We strongly recommend that our users not use any unofficial third-party firmware.

"TP-Link has consistently released new official firmware to improve device security and fix reported security vulnerabilities. We recommend that users upgrade to our latest official firmware to ensure the security of their devices."

Itay Cohen, research lead at Check Point Research and co-author on the blog post, told TechTarget Editorial in an email that while there are always more protections for a vendor to implement, TP-Link's security is not specifically or particularly poor.

"TP-Link implements several security mechanisms to make it harder for attackers to exploit their devices," he said. "However, attackers still were able to find vulnerabilities and exploit router devices. Indeed, there are more protections that the vendor can implement to make it ever harder. But overall, the security isn't bad."

Firmware-related intrusion remains a serious threat. Earlier this month, it was revealed that a ransomware attack against Taiwanese computer hardware company Micro-Star International resulted in the theft and leak of an OEM private key related to Intel security feature Boot Guard. Boot Guard is an Intel hardware security feature used to prevent malicious firmware from loading in the Unified Extensible Firmware Interface.

Alexander Culafi is a writer, journalist and podcaster based in Boston.