The link goes to the press release. The actual advisory (https://www.cisa.gov/news-events/cybersecurity-advisories/aa...), linked from the press release, contains quite a bit more detail. They detail how they have observed Cisco routers being backdoored but don't limit the issue to that manufacturer.
>BlackTech actors bypass the router's built-in security features by first installing older legitimate firmware [T1601.002] that they then modify in memory to allow the installation of a modified, unsigned bootloader and modified, unsigned firmware [T1601.001].
I wonder how best to handle this kind of downgrade attack. Is reverting to an older firmware version an intended, supported feature? If so, I assume it's present in case the customer has a problem with the latest firmware and they want to revert. Maybe it makes sense to implement some restrictions on reversions -- e.g. they can only be done with physical access to the device, and it becomes impossible after an upgrade has been in place for 1 month say.
The focus on international subsidiaries was very interesting to me. I wonder what, specifically, it is about a subsidiary that makes it a softer target. Perhaps it's easier to gain physical access to a subsidiary office.
Just do what game consoles do: add hardware fuses that are expected to be blown depending on the version, and have the bootloader verify the number of fuses blown on boot. Then the device becomes a brick if it tries to boot an older firmware.
0xDEAFBEAD|2 years ago
I wonder how best to handle this kind of downgrade attack. Is reverting to an older firmware version an intended, supported feature? If so, I assume it's present in case the customer has a problem with the latest firmware and they want to revert. Maybe it makes sense to implement some restrictions on reversions -- e.g. they can only be done with physical access to the device, and it becomes impossible after an upgrade has been in place for 1 month say.
The focus on international subsidiaries was very interesting to me. I wonder what, specifically, it is about a subsidiary that makes it a softer target. Perhaps it's easier to gain physical access to a subsidiary office.
somat|2 years ago
slimsag|2 years ago
Abby0|2 years ago
I think its more common on recent routers as well.
the-dude|2 years ago
instagib|2 years ago
Here’s another one with recent updates from the chief architect of metasploit. https://www.rapid7.com/blog/post/2013/07/02/a-penetration-te...
unknown|2 years ago
[deleted]