Cybersecurity researchers from Check Point Research (CPR) have discovered a new backdoor for home and office routers (opens in new tab).
The backdoor, named Horse Shell, allows threat actors full control of the infected endpoint, the researchers say, as well as letting them stay hidden and giving access to the wider network.
According to CPR, the group behind the attack is Camaro Dragon – a Chinese Advanced Persistent Threat (APT) group with direct links to the Chinese government. Its infrastructure also “significantly overlaps” with that of another state-sponsored Chinese attacker – Mustang Panda.
Targeting poorly secured devices
While the researchers found Horse Shell on TP-Link routers, they claim the malware is firmware-agnostic, and doesn’t target specific brands. Instead, a “wide range of devices and vendors may be at risk”, they say, suggesting that the attackers are more likely going for gear with known vulnerabilities, or with weak and easily guessable login credentials.
They also couldn’t pinpoint exactly who the target of the campaign is. While Camaro Dragon sought to install Horse Shell on routers belonging to European foreign affairs entities, it’s difficult to say who they were going after.
“Learning from history, router implants are often installed on arbitrary devices with no particular interest, with the aim to create a chain of nodes between the main infections and real command and control,” CPR explains. “In other words, infecting a home router does not mean that the homeowner was specifically targeted, but rather that they are only a means to a goal.”
To protect against Camaro Dragon, Mustang Panda, and other malicious actors, businesses should make sure to regularly update the firmware and software of routers and other devices; to regularly update passwords and other login credentials and use multi-factor authentication (MFA) whenever possible; and to use state-of-the-art endpoint protection solutions, firewalls, and other antivirus programs.
Finally, businesses should educate their employees on the dangers of phishing and social engineering to make sure they don’t unknowingly share their login credentials with malicious individuals.