Cybersecurity researchers at Check Point Research (CPR) have discovered a new backdoor targeting home and office routers.
The backdoor, dubbed Horse Shell, allows threat actors to take full control of infected endpoints, keeping them hidden and allowing access to the wider network, the researchers said.
According to CPR, the group behind the attack is Camaro Dragon — a Chinese advanced persistent threat (APT) group with direct ties to the Chinese government. Its infrastructure also “significantly overlaps” with that of another state-sponsored Chinese attacker, Mustang Panda.
For devices with poor security
While the researchers discovered Horse Shell on TP-Link routers, they claim the malware is not firmware-related and does not target a specific brand. Instead, they said, “a broad range of devices and vendors may be at risk,” suggesting attackers are more likely to use devices with known vulnerabilities, or with weak and easily guessed login credentials.
The researchers also could not pinpoint the campaign's targets. Although Camaro Dragon attempted to install Horse Shell on routers belonging to European foreign affairs entities, it remains unclear who the intended victims were.
“Learning from history, router implants are often installed on arbitrary devices of no particular interest, with the goal of creating a chain of nodes between the main infection and the real command and control,” CPR explained. “In other words, infecting home routers doesn’t mean homeowners are a specific target, rather they’re just a means to an end.”
To protect against Camaro Dragon, Mustang Panda, and other malicious actors, businesses should keep firmware and software for routers and other devices regularly updated; rotate passwords and other login credentials regularly and use multi-factor authentication (MFA) wherever possible; and deploy advanced endpoint protection solutions, firewalls, and other antivirus programs.
Finally, businesses should educate employees about the dangers of phishing and social engineering to ensure they don’t unknowingly share login credentials with malicious individuals.