Chinese state-sponsored APT group Mustang Panda has been associated with a series of targeted attacks exploiting TP-Link routers. The campaign has been active since January and is aimed at European foreign affairs entities.
Key highlights
According to Check Point researchers, attackers are using malicious firmware images that are designed explicitly for TP-Link routers.
The implants contain several malicious components and a custom backdoor dubbed Horse Shell, which enables attackers to maintain persistent access, build anonymous infrastructure, and move laterally within compromised networks.
The unique aspect of the backdoor implant is that it can be integrated into firmware images from different vendors, which increases the potential scope of attacks.
While it is still unclear how the malicious firmware images were deployed, it is assessed that the attackers gained access to the routers either by scanning for known vulnerabilities or by using default or guessable passwords.
More on Horse Shell
The Horse Shell backdoor is written in C++ and compiled for MIPS32-based operating systems. The system information collected by Horse Shell includes the user name, system name, OS version, OS time, CPU architecture, IP address, MAC address, and number of active connections.
It provides the attackers with three functionalities:
Remote shell: Enables the execution of arbitrary commands on the infected router.
File transfer: Enables uploading and downloading files to and from the infected router.
SOCKS tunneling: Relays communications between different clients.
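A router running a SOCKS relay originates its own outbound sessions to many arbitrary Internet hosts, whereas a healthy router normally only originates housekeeping traffic (DNS, NTP, vendor update servers). The following heuristic over session logs is an added example written for this article, not code from Check Point or from the Horse Shell research; the log format, addresses, allowlist and threshold are all constructed, and it assumes the logs record pre-NAT source addresses so that the router's own sessions are distinguishable from those of LAN clients.

```python
from ipaddress import ip_address, ip_network

# Constructed values: addresses owned by the router (pre-NAT logging assumed,
# so the router's own processes log with these, LAN clients with their own).
ROUTER_IPS = {"203.0.113.10", "192.168.1.1"}
ALLOWED_DST_PORTS = {53, 123}          # DNS and NTP, which a router legitimately originates
ALLOWED_DST_HOSTS = {"198.51.100.5"}   # constructed vendor update/cloud endpoint
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
THRESHOLD = 3                          # distinct external peers before alerting

# Constructed key=value session log, one session per line.
CONSTRUCTED_LOGS = """\
2023-05-16T10:00:01Z src=203.0.113.10 dst=198.51.100.5 dport=443 proto=tcp
2023-05-16T10:00:05Z src=203.0.113.10 dst=192.0.2.1 dport=123 proto=udp
2023-05-16T10:01:10Z src=203.0.113.10 dst=192.0.2.44 dport=8080 proto=tcp
2023-05-16T10:01:12Z src=203.0.113.10 dst=192.0.2.45 dport=443 proto=tcp
2023-05-16T10:01:15Z src=203.0.113.10 dst=192.0.2.46 dport=22 proto=tcp
2023-05-16T10:02:00Z src=10.0.0.7 dst=192.0.2.99 dport=443 proto=tcp
"""

def parse_line(line):
    """Parse one 'key=value' session line into a dict; None if malformed."""
    fields = dict(tok.split("=", 1) for tok in line.split()[1:] if "=" in tok)
    try:
        return {"src": fields["src"], "dst": fields["dst"], "dport": int(fields["dport"])}
    except (KeyError, ValueError):
        return None

def is_internal(addr):
    """True for RFC 1918 addresses, i.e. the router's own LAN side."""
    return any(ip_address(addr) in net for net in RFC1918)

def router_originated_peers(log_text, router_ips=ROUTER_IPS):
    """External hosts the router itself connected to, minus the allowlist.
    A SOCKS relay on the router shows up as many such peers."""
    peers = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["src"] not in router_ips:
            continue                                   # a LAN client, not the router
        if rec["dport"] in ALLOWED_DST_PORTS or rec["dst"] in ALLOWED_DST_HOSTS:
            continue                                   # expected router housekeeping
        if is_internal(rec["dst"]):
            continue                                   # talking to its own LAN is normal
        peers.add(rec["dst"])
    return peers

def should_alert(log_text, router_ips=ROUTER_IPS, threshold=THRESHOLD):
    """True once the router has originated sessions to `threshold` or more
    distinct, non-allowlisted Internet hosts."""
    return len(router_originated_peers(log_text, router_ips)) >= threshold
```

Cloud-managed routers and mesh systems legitimately contact more vendor endpoints than this allowlist, so tune it per model before relying on the alert.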
Staying safe
The discovery of Mustang Panda’s malicious implant on TP-Link routers highlights the need for enhanced endpoint security. Additionally, it is always advisable to change the default login credentials of internet-connected devices to strong passwords and to use multi-factor authentication wherever possible. Regularly update the firmware of routers and other devices to prevent attackers from exploiting known vulnerabilities.