QUICKLOOK: Are TP-Link Routers Chinese Trojan Horses?

They sell you the attack vector - it’s a win win.

Possible Nation-State Exploitation of TP-Link Routers

Overview

Recent cybersecurity incidents have revealed that TP-Link routers are being exploited by Chinese state-sponsored actors to conduct sophisticated cyber-attacks. These attacks involve the use of custom malicious firmware to compromise the routers, allowing attackers to gain unauthorized access, execute arbitrary commands, and establish persistent command and control (C2) channels.

Key Findings

1. Malicious Firmware Implants:

   • Incident: Chinese APT groups have been implanting malicious firmware into TP-Link routers. This firmware, known as "Horse Shell," provides remote shell access, file transfer capabilities, and SOCKS tunneling to hide the origin and destination of traffic.

   • Targets: The attacks have primarily targeted European foreign affairs entities, with routers used as nodes to establish resilient C2 infrastructures.

   • Details: The firmware modifies the router’s management interface to prevent firmware updates and maintain persistence of the infection (Help Net Security, Bleeping Computer).

2. Compromises Linked to APT31 and Mustang Panda:

   • Incident: The malicious firmware used shows functional similarities to known malware from APT31, also known as "Pakdoor." Indicators such as IP addresses and coding typos suggest Chinese state-sponsored involvement.

   • Infection Methods: The specific methods of infection are not fully determined but likely include exploiting known vulnerabilities and brute-force attacks to gain administrative access (Bleeping Computer).

3. General Exploitation in State-Sponsored Attacks:

   • Incident: Various state-sponsored hacking groups have targeted TP-Link routers to access sensitive networks. The "Camaro Dragon" group used modified firmware to conduct espionage activities against European targets.

   • Impact: Full device compromise, allowing attackers to execute arbitrary commands, transfer files, and establish stealthy communication channels (Help Net Security, SOCRadar).

4. Broader Network Security Implications:

   • Context: These attacks are part of a larger trend where nation-state actors target network devices like routers, which often lack comprehensive security measures.

   • Preventive Measures: Network administrators are urged to update firmware regularly, change default passwords, disable remote access to admin interfaces, and apply security patches promptly (The Register, SOCRadar).

CVEs Related to TP-Link Routers

Several critical CVEs highlight the vulnerabilities in TP-Link routers that have been exploited:

1. CVE-2023-36498: Command injection vulnerability in PPTP client functionality.

2. CVE-2023-42664: Command injection in PPTP global configuration.

3. CVE-2023-43482: Command execution in guest resource functionality.

4. CVE-2023-47167: Command injection in GRE policy functionality.

5. CVE-2023-47209: Command injection in IPsec policy functionality.

6. CVE-2023-47617: Command injection in web group member configuration.

7. CVE-2023-47618: Command execution in web filtering functionality.

These vulnerabilities enable authenticated attackers to gain unauthorized access and execute commands on affected devices.

Proof-of-Concepts (PoCs) on GitHub

Several PoCs have been published on GitHub demonstrating how these vulnerabilities can be exploited:

1. CVE-2022-30075:

   • Description: Authenticated Remote Code Execution (RCE) vulnerability in TP-Link Archer AX50 routers. The exploit involves decrypting and modifying the backup file to execute arbitrary commands.

   • PoC: aaronsvk/CVE-2022-30075

2. CVE-2023-1389:

   • Description: Unauthenticated command injection vulnerability in TP-Link Archer AX21 routers. An attacker can inject arbitrary values through GET or POST requests to the admin interface.

   • PoC: Voyag3r-Security/CVE-2023-1389

3. CVE-2023-43482:

   • Description: Command execution vulnerability in the guest resource functionality of TP-Link ER7206 Omada Gigabit VPN Router. The vulnerability is triggered through specially crafted HTTP requests.

   • PoC: Mr-xn/CVE-2023-43482

4. CVE-2018-11714:

   • Description: Exploit in TP-Link TL-WR840N routers due to broken session handling in the firmware. This allows downloading the configuration file and gaining access to the admin configuration panel.

   • PoC: theace1/tl-wr840PoC

Conclusion

The exploitation of TP-Link routers by state-sponsored hackers underscores the critical need for robust cybersecurity measures. Organizations and individuals using these devices must be vigilant, applying security patches, updating firmware, and following best practices to protect their networks from sophisticated threats.

Sources

1. Help Net Security - TP-Link routers implanted with malicious firmware in state-sponsored attacks

2. Bleeping Computer - Hackers infect TP-Link router firmware to attack EU entities

3. The Register - Routers have been rooted by Chinese spies US and Japan warn

4. SOCRadar - Network Devices Under Threat: Mustang Panda Targets TP-Link Routers