An urgent cyber security threat
On April 16 2018, the Department of Homeland Security (DHS), Federal Bureau of Investigation (FBI) and the UK’s National Cyber Security Centre (NCSC) issued a joint Technical Alert. Collating information on the global cyber-exploitation of network infrastructure devices, it outlines new methods Russian state-sponsored cyber actors are using to exploit victim networks.
According to the report, the targets of this activity are primarily government and private sector organisations, critical infrastructure providers, and the Internet Service Providers (ISPs) that support these sectors. It also outlines that the FBI and NCSC have high confidence that Russian state-sponsored cyber actors are using compromised routers to conduct so-called ‘man in the middle’ attacks.
These attacks are a serious concern and are designed to support espionage, extract intellectual property, maintain persistent access to victim networks, and potentially lay a foundation for future offensive operations.
As part of these attacks, Russian cyber actors are leveraging legacy or weak protocols/service ports associated with network administration activities to:
- identify vulnerable devices
- extract device configurations
- map internal network architectures
- harvest login credentials
- masquerade as privileged users
- modify device firmware, operating systems and configurations
- copy or redirect victim traffic through Russian cyber-actor controlled infrastructure.
They’re achieving this by taking advantage of devices with legacy unencrypted protocols or unauthenticated services, along with devices that haven’t been sufficiently hardened before installation and those which are no longer supported with security patches by manufacturers or vendors.
In a critical infrastructure setting, it’s clear how dangerous this could be. For example, an actor controlling a router between Industrial Control Systems can manipulate the messages, creating a dangerous configuration that could lead to loss of service or even physical destruction.
Networking devices, primarily Cisco, Juniper and MikroTik switches and routers, are the current target. The exposed protocols being targeted include:
- Cisco Smart Install (SMI) enabled devices
- Simple Network Management Protocol (SNMP) enabled network devices
- Telnet and SSH management interfaces
- HTTP/HTTPS management interfaces
- GRE enabled devices.
What you need to do now
It’s vital to immediately examine your estate for vulnerable, exposed services. Action should also be taken to ensure the integrity of both the device and your network in the event of any of the following:
- Smart Install exposed to the internet and, as a secondary consideration, any internally exposed devices.
- SSH/Telnet/HTTP(S) management interfaces exposed with weak/default credentials.
- Insecure SNMP implementations such as default/weak community strings.
Similarly, it’s also important to:
- Check authentication logs for any unusual authentication attempts or successful logins.
- Check device logs for out-of-the-ordinary commands or events.
- Examine logs of network traffic for signs of reconnaissance or successful exploitation such as port scanning, SNMP requests, unexpected file transfers, GRE tunnels to unknown destinations or established SMI connections on port TCP/4786.
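As an added illustration of the log review described above (not part of the original alert), the following script flags the indicators it names in constructed flow records: established SMI connections on TCP/4786, SNMP requests from hosts other than the authorised management station, GRE tunnels to undocumented peers, and TFTP transfers to unexpected hosts. The record layout, the management host and GRE peer lists, and all addresses are assumptions for the example.

```python
# Added example: flag indicators named in the alert in constructed flow records.
# Field layout, host lists and the sample records are assumptions for illustration.
import ipaddress
from dataclasses import dataclass
from typing import List

MGMT_HOSTS = {ipaddress.ip_address("10.0.0.5")}           # assumed authorised NMS/jump host
KNOWN_GRE_PEERS = {ipaddress.ip_address("203.0.113.10")}  # assumed documented tunnel endpoint

# Constructed flow records: time src dst proto dport state
SAMPLE_FLOWS = """\
2018-04-17T08:01:02 198.51.100.23 10.1.1.1 tcp 4786 ESTABLISHED
2018-04-17T08:01:05 10.0.0.5 10.1.1.1 udp 161 -
2018-04-17T08:02:10 198.51.100.23 10.1.1.1 udp 161 -
2018-04-17T08:03:00 10.1.1.1 198.51.100.77 gre 0 -
2018-04-17T08:03:01 10.1.1.1 203.0.113.10 gre 0 -
2018-04-17T08:04:00 10.1.1.1 198.51.100.23 udp 69 -
2018-04-17T08:05:00 10.0.0.5 10.1.1.1 tcp 22 ESTABLISHED
"""

@dataclass
class Finding:
    time: str
    indicator: str
    src: str
    dst: str

def analyze_flows(text: str) -> List[Finding]:
    """Return one Finding per record that matches an indicator from the alert."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, dst, proto, dport, state = line.split()
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        port = int(dport)
        if proto == "tcp" and port == 4786 and state == "ESTABLISHED":
            findings.append(Finding(t, "smi_established", src, dst))       # Smart Install session
        elif proto == "udp" and port == 161 and s not in MGMT_HOSTS:
            findings.append(Finding(t, "snmp_from_unexpected_host", src, dst))
        elif proto == "gre" and d not in KNOWN_GRE_PEERS:
            findings.append(Finding(t, "gre_to_unknown_peer", src, dst))   # possible traffic redirection
        elif proto == "udp" and port == 69 and d not in MGMT_HOSTS:
            findings.append(Finding(t, "tftp_to_unexpected_host", src, dst))  # possible config exfiltration
    return findings

if __name__ == "__main__":
    for f in analyze_flows(SAMPLE_FLOWS):
        print(f"{f.time} {f.indicator}: {f.src} -> {f.dst}")
```

Replace the sample text with an export from your flow collector or firewall logs and the host lists with your documented management and tunnel endpoints; any finding then warrants the Incident Response steps that follow.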
From here, follow your Incident Response process, making sure to take into account all the advice you’ve received from vendors and suppliers. It’s also important to assess what credentials and other sensitive information or data may have been exposed, and to review your entire estate for problems on other devices. It’s then, of course, vital that you respond accordingly, based on what your investigations uncover.
To receive information about the latest developments on this threat and other key security stories evaluated by our security analysts around the clock, sign up to our daily threat intelligence alert service.