Since the start of 2023, a string of targeted attacks has brought the Chinese cyber espionage group known as Mustang Panda to the attention of European foreign affairs organizations. Using a cunning strategy, the attackers implanted a modified TP-Link firmware image called 'Horse Shell', which contains covert backdoor software. The incursion is especially concerning because the customized firmware lets the attackers launch their attacks from vulnerable household networks as well as from sensitive networks.
To shed light on these illicit actions, Check Point researchers made a ground-breaking discovery in January 2023: the Horse Shell TP-Link firmware implant. The incident is a reminder that businesses need to employ robust data security software to avoid cyberattacks.
Unveiling Mustang Panda: An Ongoing Menace Targeting American and European Entities
Mustang Panda, also known as Camaro Dragon, RedDelta, or Bronze President, has been relentlessly attacking organizations in the US and Europe for almost ten years. What sets the group apart is its distinct emphasis on Asian countries including Taiwan, Hong Kong, Mongolia, Tibet, and Myanmar. In 2022, it persisted in its unrelenting pursuit and craftily used reports from the Ukrainian and European Union governments as bait to trick individuals into downloading malicious software.
Mustang Panda was not identified by chance; the attribution was the result of a complex puzzle solved using many pieces of evidence. Among the crucial indicators were the analysis of server IP addresses, the discovery of hardcoded HTTP headers on Chinese websites, telltale typographical errors indicating non-native English speakers, and uncanny similarities to the notorious APT31 "Pakdoor" router implant, which together confirmed the connection to Mustang Panda.
TP-Link Routers Vulnerable to Horse Shell Backdoor Attack
The exact technique used to install the malicious firmware on TP-Link routers is not known. Researchers hypothesize that the threat actors obtain administrative access either by brute-forcing credentials or by exploiting vulnerabilities. Once they control the management interface, they remotely update the device with a customized firmware image.
Recent cases involved a specialized firmware implant that the attackers designed specifically for TP-Link routers. The implant contains a backdoor, Horse Shell, which gives the attackers the ability to establish persistence, build anonymous infrastructure, and move laterally within infected networks. Notably, because of its firmware-agnostic design, the Horse Shell backdoor can be integrated into the firmware of many vendors' devices.
Once enabled, Horse Shell alters how its process handles operating system signals so that it keeps running even when SIGPIPE, SIGINT, or SIGABRT signals are delivered. Running invisibly in the background, it establishes a connection with a command and control (C2) server and transmits a variety of data: the username, OS version, time, device information, IP address, MAC address, and the implant's supported functions.
While waiting for instructions from the attacker, the backdoor allows them to:
- Execute arbitrary shell commands remotely on the compromised router
- Transfer files between the infected device and other computers
- Use SOCKS tunnelling to disguise the origin and destination of network traffic, hiding the C2 address in the process
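One host-side check a defender can derive from the signal-handling behaviour described above: a Linux process that ignores SIGPIPE, SIGINT and SIGABRT all at once is unusual enough to be worth listing. The script below is an added example, not code from Check Point or from this article; it parses the SigIgn mask in /proc/<pid>/status, and the two sample status texts it ships with are constructed.

```python
# Added example, not code from the Check Point report or this article: flag
# Linux processes whose ignored-signal mask covers SIGPIPE, SIGINT and SIGABRT
# at once, the combination the article attributes to Horse Shell. It reads
# /proc/<pid>/status; the two sample status texts below are constructed.
import os
import re

# Linux signal numbers (same on x86, ARM and MIPS): SIGINT=2, SIGABRT=6, SIGPIPE=13.
# In the SigIgn bitmask, signal N occupies bit N-1.
WATCHED = {"SIGINT": 2, "SIGABRT": 6, "SIGPIPE": 13}
WATCHED_MASK = sum(1 << (num - 1) for num in WATCHED.values())  # 0x1022

def ignored_mask(status_text: str) -> int:
    """Return the SigIgn bitmask parsed from a /proc/<pid>/status text (0 if absent)."""
    m = re.search(r"^SigIgn:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    return int(m.group(1), 16) if m else 0

def process_name(status_text: str) -> str:
    """Return the Name: field from a /proc/<pid>/status text."""
    m = re.search(r"^Name:\s*(.*)$", status_text, re.MULTILINE)
    return m.group(1).strip() if m else "?"

def ignores_all_watched(status_text: str) -> bool:
    """True when every watched signal is set in the process's ignore mask."""
    return ignored_mask(status_text) & WATCHED_MASK == WATCHED_MASK

def scan_proc(proc_root: str = "/proc") -> list:
    """List (pid, name) for live processes that ignore all watched signals."""
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "status")) as fh:
                text = fh.read()
        except OSError:
            continue  # process exited or status unreadable; skip it
        if ignores_all_watched(text):
            hits.append((int(entry), process_name(text)))
    return hits

# Constructed samples: 0x1022 sets bits 1, 5 and 12 (SIGINT, SIGABRT, SIGPIPE);
# 0x1000 sets only bit 12 (SIGPIPE), which many benign daemons ignore.
SAMPLE_SUSPICIOUS = "Name:\tupdater\nPid:\t4242\nSigIgn:\t0000000000001022\n"
SAMPLE_BENIGN = "Name:\tsshd\nPid:\t880\nSigIgn:\t0000000000001000\n"

if __name__ == "__main__":
    for pid, name in scan_proc():
        print(f"pid {pid} ({name}) ignores SIGPIPE, SIGINT and SIGABRT")
```

Ignoring SIGPIPE alone is common for network daemons, so treat a hit as a lead to correlate with the process's outbound connections rather than as a verdict on its own.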
Critical Vulnerabilities in Teltonika Networks
Security issues found in two of its products – RMS and RUT
According to research, security vulnerabilities were found in two of its product lines: Remote Management System (RMS) versions before 4.14.0 and RUT routers running firmware versions 00.07.00-00.07.03.4. Let's look at the vulnerabilities in detail.
- CVE-2023-32347 (CVSS score: 10.0): Teltonika's RMS versions before 4.10.0 use device serial numbers and MAC addresses as the basis for device claiming and authentication, from both the user's and the device's side. If an unauthorized person succeeds in obtaining this information, they can use it to pose as the targeted device. With this unauthorized access, they can compromise the security of the device by stealing its communication credentials and running arbitrary commands as root.
- CVE-2023-32348 (CVSS score: 9.3): Before Teltonika's RMS 4.10.0, an OpenVPN-based VPN hub feature was available to connect many devices, so that new devices could connect to Teltonika devices already on the VPN. A flaw was found that allowed an attacker to trick the OpenVPN server into changing the way traffic is routed. By rerouting a connection to a remote server and gaining unauthorized access to it, the attacker could compromise the confidentiality and integrity of other Teltonika devices' data.
- CVE-2023-2586 (CVSS score: 9.0): A critical vulnerability found in Teltonika's RMS version 4.14.0. Because of this flaw, unauthorized attackers can register devices that have never been registered on the RMS platform, raising serious security concerns. If the user has not disabled the RMS management feature, which is enabled by default, an attacker can use it to register the device under their own control. Once the vulnerability is exploited, the RMS Task Manager function could be used to remotely execute code with root privileges. It is essential to address this vulnerability right away to thwart unauthorized access and lessen the hazards that come with it.
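The design lesson from CVE-2023-32347 is that a serial number and a MAC address are identifiers, not secrets. The following added example (not Teltonika's code; registry, secret, serial and MAC are all constructed) puts a minimal model of that weak claiming check next to a hardened one that requires the device to prove possession of a per-device secret through an HMAC challenge-response.

```python
# Added example, not Teltonika's code: models the design weakness behind
# CVE-2023-32347 (device identity derived from a serial number and MAC address,
# values an attacker can obtain) beside a hardened claim check that requires a
# per-device secret. The registry, secret, serial and MAC are all constructed.
import hashlib
import hmac
import secrets

# Constructed view of one device as the management platform stores it. The
# 'secret' would be provisioned into the device at manufacture and never shared.
REGISTRY = {
    "SN1234567890": {"mac": "00:11:22:33:44:55", "secret": bytes.fromhex("8f" * 32)},
}

def claim_weak(serial: str, mac: str) -> bool:
    """Vulnerable pattern: identity is proven by two observable identifiers."""
    dev = REGISTRY.get(serial)
    return dev is not None and dev["mac"].lower() == mac.lower()

def make_challenge() -> bytes:
    """Platform side: a fresh random nonce per claim attempt defeats replay."""
    return secrets.token_bytes(16)

def device_response(secret: bytes, serial: str, nonce: bytes) -> bytes:
    """Device side: prove possession of the secret without revealing it."""
    return hmac.new(secret, serial.encode() + nonce, hashlib.sha256).digest()

def claim_hardened(serial: str, nonce: bytes, response: bytes) -> bool:
    """Hardened pattern: accept only a valid HMAC over the platform's nonce."""
    dev = REGISTRY.get(serial)
    if dev is None:
        return False
    expected = device_response(dev["secret"], serial, nonce)
    return hmac.compare_digest(expected, response)  # constant-time comparison

def demo() -> dict:
    """Compare the schemes for a party that knows serial and MAC but no secret."""
    serial, mac = "SN1234567890", "00:11:22:33:44:55"
    nonce = make_challenge()
    genuine = device_response(REGISTRY[serial]["secret"], serial, nonce)
    wrong_key = device_response(b"\x00" * 32, serial, nonce)
    return {
        "weak_with_public_ids": claim_weak(serial, mac),          # True: the flaw
        "hardened_with_secret": claim_hardened(serial, nonce, genuine),
        "hardened_without_secret": claim_hardened(serial, nonce, wrong_key),
        "hardened_replayed": claim_hardened(serial, make_challenge(), genuine),
    }
```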
Conclusion
The relentless and constantly evolving activity of Mustang Panda represents a serious threat to its targets. Defending against this continued threat requires increased awareness, strong security measures, and ongoing collaboration between cybersecurity researchers, cybersecurity service providers, and organizations.
Get in touch with Cybalt – a leading cyber security consultant to ensure your business’s overall security and provide comprehensive cybersecurity solutions.