
New BlackEnergy Crimeware Enhanced to Target Linux Systems and Cisco Routers

3 replies to this topic

#1 NickAu


    Bleepin' Fish Doctor

  • Moderator
  • 13,580 posts
  • Gender:Male
  • Location: Australia
  • Local time:10:39 AM

Posted 09 November 2014 - 04:16 PM


Security researchers at Kaspersky Lab have unearthed new capabilities in the BlackEnergy Crimeware weapon, which now has the ability to hack routers, Linux systems and Windows, targeting industry through Cisco network devices.
The antivirus vendor’s Global Research & Analysis Team released a report Monday detailing some of the new “relatively unknown” custom plug-in capabilities that the cyber espionage group has developed for BlackEnergy to attack Cisco networking devices and target ARM and MIPS platforms.
The malware was upgraded with custom plugins, including Ciscoapi.tcl, which targets The Borg's kit, and, according to researchers, the upgraded version contained various wrappers over Cisco EXEC commands and "a punchy message for Kaspersky," which reads, "F*uck U, Kaspersky!!! U never get a fresh B1ack En3rgy. So, thanks C1sco 1td for built-in backd00rs & 0-days."
New BlackEnergy Crimeware Enhanced to Target Linux Systems and Cisco Routers 



#2 bmike1


  • Members
  • 596 posts
  • Gender:Male
  • Location:Gainesville, Florida, USA
  • Local time:07:39 PM

Posted 11 November 2014 - 08:48 PM

Not worried. No Cisco routers on my network.

A/V software? I don't need A/V software. I've run Linux since '98 w/o A/V software and have never had a virus. I never even had a firewall until '01, when I began to get routers with firewalls pre-installed. With Linux, if a vulnerability is detected, a fix is quickly found, and then upon your next update the vulnerability is patched. If you must worry about viruses on a Linux system, only worry about them in the sense that you can infect a Windows user. I recommend Linux Mint or, if you need a lighter-weight operating system that fits on a CD, MX14 or antiX.

#3 pcpunk


  • Members
  • 6,121 posts
  • Gender:Male
  • Location:Florida
  • Local time:07:39 PM

Posted 16 November 2014 - 04:51 PM

Damn hackers! They should try getting real jobs.


Created by Mike_Walsh


KDE, Ruler of all Distro's



#4 cat1092


    Bleeping Cat

  • BC Advisor
  • 7,018 posts
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:07:39 PM

Posted 17 November 2014 - 12:15 AM

Looks like it's time to break out that new TrendNet router (TEW-652BRP) I purchased three years ago via a Newegg promo & still factory wrapped. The original one of the same model that I was using was running so well, I decided to get another. It'll hold me over until I can get a good non-Linksys brand (they did manufacture Cisco routers, so keep that in mind). I swapped because a Linksys WRT-160N was given to me for installing their new, and it had better range, but no faster speeds, than the TEW-652-BRP.


Used that TEW-652-BRP for over three years with no troubles, other than range in the corner of the yard where the picnic table is.


Note that while Linksys is now owned by Belkin, Cisco owned it between March 2003 and March 2013, marketing under the name Linksys by Cisco, and many of these routers are still in the distribution chain, so we're speaking of tens, if not hundreds, of millions of routers still on the shelves. This includes their most popular model ever, the WRT54G, still distributed as new on the Newegg site; though there were a few revisions of the model (one was buggy), that model alone has received many awards for being a top router, and many are still in use today. Though some were flashed to DD-WRT, Tomato, or another Linux firmware, which was out of the box configuration. These units rarely required a reboot & could be placed most anywhere & forgotten about, & chances are no other single model of any brand will top the WRT54G in sales.


The first version of the WRT54G was prior to the Cisco buyout, & unless the firmware was upgraded with theirs, the users of those are in the clear. I mention this because these routers were built for the long run; it wouldn't be surprising to discover some are still in use.


And chances are, though owned by Belkin, it'll take some time to move all of the units manufactured under Cisco's ownership. I was really surprised to go onto their site & see some of these units on promo for $299.99. If this threat becomes widespread, all of these unsold routers will have to be unboxed, re-flashed with a custom firmware, repackaged, and sold at deep discounts on sites such as Newegg & Amazon. Many may have to be crushed/recycled, because this news cannot & will not be kept a secret under the rug; it will be covered in the national & local news.


It also could be that many of the units in use can be flashed with DD-WRT firmware to avoid the BlackEnergy Crimeware threat, though it's best to check for one's specific model. Flashing a router, just as a computer's BIOS, isn't a risk-free deal, meaning it can lead to "bricking" of the router. That's why it's not recommended to flash the BIOS (or UEFI) of a computer unless the documentation applies to that user, meaning if there are no problems, don't flash anything. I skipped two UEFI flashes on my XPS 8700, though performed the 3rd because it had to do with SATA performance with unspecified brands of SSDs.


I've never flashed a router in my life; as low-cost as they are, I just didn't see the need to, or they were too old to benefit.


Being that this is a huge security issue that can affect hundreds of millions (if not more) Linksys by Cisco routers, it's time to begin discussing the alternatives rather than waiting for the BlackEnergy threat to strike. It would be a massive undertaking for all tech forums combined to deal with decryption or infection on a user-by-user basis if this becomes the next "Crypto" type of attack wave.


Reflash or buy another brand? For many, that may boil down to economics; many very high-speed (& costly) dual-band "N" & "AC" routers are in wide use, as well as older ones. Regardless, this cannot be ignored.




Damn hackers! They should try getting real jobs.


Why should they? On a moral level, that's correct, but thieves set their own rules, and live by those. There's big bucks in data theft, and the icing on the cake is that no weapons have to be pulled, as in risky bank robberies, which are on the decline. While at the same time, cyber crime is booming. This includes Point of Sale (POS) attacks.


As far as running a Linux OS goes, the OS itself is very secure. However, just as with any OS, the router is the medium for the transfer of data, and if that becomes infected or hacked, all incoming/outgoing data from any OS is in danger.


Discussion of alternatives or solutions cannot wait until "tomorrow" or "next week". The time for preventative action is now. 


EDIT: All information provided on the history of Linksys & Cisco above came from the below source. 





Edited by cat1092, 17 November 2014 - 12:21 AM.

Performing full disc images weekly and keeping important data off of the 'C' drive as generated can be the best defence against Malware/Ransomware attacks, as well as a wide range of other issues. 
