Russian state-sponsored hackers are targeting network infrastructure devices, according to a joint report from the United States Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the United Kingdom's National Cyber Security Centre (NCSC).
Russian state-sponsored hackers are at it again…
In a joint Technical Alert (TA) released on April 16th, the United States Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the United Kingdom's National Cyber Security Centre (NCSC) warn that Russian state-sponsored hackers are targeting devices with Generic Routing Encapsulation (GRE), Cisco Smart Install (SMI), and Simple Network Management Protocol (SNMP) enabled.
The joint report, posted by the United States Computer Emergency Readiness Team (US-CERT), says the hackers are exploiting weaknesses in "a number of legacy or weak protocols and service ports associated with network administration activities."
This is neither the first nor the last campaign of Russian state-sponsored hacking aimed at critical U.S. infrastructure.
This time, the hackers are mainly sending malicious SMI and SNMP commands to exposed devices, which can let them retrieve the device's configuration files. The underlying weaknesses, design flaws in Cisco Smart Install, were the subject of an alert from the Talos Intelligence team earlier this month, which noted that state-sponsored hackers were abusing the protocol but did not specifically name Russia.
The report says that once hackers have abused SMI commands to pull a configuration, they can harvest legitimate credentials from it, which can then be used to run man-in-the-middle attacks and gain deeper access to the network. From there, once the router is owned, the hackers can do what they want with network traffic, including monitoring, mirroring, denying, or redirecting packets.
Good old routers, literally.
Though there are many problems with network infrastructure, one big one, particularly for devices closest to the consumer such as routers, is that they are always on and seldom updated. This is a serious risk for the general public, companies of all sizes, and Internet Service Providers (ISPs) alike.
The Technical Alert advises standard precautions: not reusing passwords across devices, not exposing device management interfaces to the internet, changing default passwords, blocking Telnet entirely, and blocking SNMPv1 and v2c, using modern encrypted protocols such as SSH and SNMPv3 instead.
The alert also suggests monitoring and analyzing logs for Simple Network Management Protocol (SNMP) traffic. It says that "any correlation of inbound or spoofed SNMP closely followed by outbound TFTP should be cause for alarm and further inspection."
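The two recommendations above are easy to automate. The following is an added example, not code from the alert or from any vendor: it audits a Cisco IOS-style running-config for the weak settings the alert calls out (Smart Install left enabled, SNMPv1/v2c community strings, Telnet on the vty lines, HTTP management, a plaintext enable password, and no access-class restricting who may reach the management lines), and it runs the SNMP-then-TFTP correlation over flow records. Both configurations and the flow log are constructed for illustration; the assumption that Smart Install is enabled unless `no vstack` appears holds on IOS releases where Smart Install is on by default, and the managed address space 192.0.2.0/24 and the 60-second "closely followed" window are assumptions to tune for your own network.

```python
"""Audit an IOS-style config for the alert's weak settings, then correlate
inbound/spoofed SNMP with closely-following outbound TFTP in flow records."""
import ipaddress
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple

# --- Part 1: configuration audit -------------------------------------------
# Constructed example configs (not taken from any real device). <hash>, <auth>
# and <priv> are placeholders for secrets.
WEAK_CONFIG = """\
hostname edge-rtr
enable password cisco123
ip http server
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 password cisco123
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
hostname edge-rtr
enable secret 9 <hash>
no vstack
no ip http server
snmp-server group NETMON v3 priv
snmp-server user monitor NETMON v3 auth sha <auth> priv aes 128 <priv>
line vty 0 4
 transport input ssh
 access-class MGMT in
"""


def _vty_blocks(lines: List[str]) -> List[List[str]]:
    """Group each 'line vty ...' header with its indented sub-commands."""
    blocks, current = [], None
    for line in lines:
        if line.startswith("line vty"):
            current = [line.strip()]
            blocks.append(current)
        elif current is not None and line.startswith(" "):
            current.append(line.strip())
        else:
            current = None
    return blocks


def audit_config(config: str) -> List[str]:
    """Return one finding per weak setting; an empty list means nothing flagged."""
    lines = config.splitlines()
    findings = []
    # Assumption: Smart Install is on unless explicitly disabled with 'no vstack'.
    if not any(l.strip() == "no vstack" for l in lines):
        findings.append("Smart Install not disabled: add 'no vstack'")
    for line in lines:
        s = line.strip()
        if s.startswith("enable password"):
            findings.append("'enable password' in use: replace with 'enable secret'")
        elif s == "ip http server":
            findings.append("HTTP management enabled: 'no ip http server'")
        elif s.startswith("snmp-server community"):
            findings.append(f"SNMPv1/v2c community configured ('{s}'): move to SNMPv3")
    for block in _vty_blocks(lines):
        header = block[0]
        transport = [b for b in block if b.startswith("transport input")]
        # No 'transport input' at all falls back to the IOS default, which allows Telnet.
        if not transport or any(w in transport[-1].split() for w in ("telnet", "all")):
            findings.append(f"{header}: Telnet permitted, use 'transport input ssh'")
        if not any(b.startswith("access-class") for b in block):
            findings.append(f"{header}: no access-class restricting management sources")
    return findings


# --- Part 2: SNMP -> TFTP correlation --------------------------------------
# Constructed flow records: timestamp proto src sport dst dport direction.
# "in" = arrived at the managed device on its outside interface; "out" = sent by it.
SAMPLE_FLOWS = """\
2018-04-16T12:00:01Z udp 203.0.113.7 51234 192.0.2.1 161 in
2018-04-16T12:00:02Z udp 192.0.2.1 161 203.0.113.7 51234 out
2018-04-16T12:00:04Z udp 192.0.2.1 49152 203.0.113.7 69 out
2018-04-16T12:05:00Z udp 198.51.100.9 40000 192.0.2.2 161 in
2018-04-16T12:30:00Z udp 192.0.2.2 49153 198.51.100.9 69 out
2018-04-16T12:10:00Z udp 192.0.2.50 5000 192.0.2.3 161 in
2018-04-16T12:10:05Z udp 192.0.2.3 49154 203.0.113.9 69 out
2018-04-16T13:00:00Z tcp 203.0.113.7 44444 192.0.2.3 22 in
"""

INTERNAL = [ipaddress.ip_network("192.0.2.0/24")]  # assumed managed address space
SNMP_PORT, TFTP_PORT = 161, 69
WINDOW = timedelta(seconds=60)  # assumed meaning of "closely followed"


class Flow(NamedTuple):
    ts: datetime
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str


class Alert(NamedTuple):
    device: str     # managed device that answered SNMP and then sent TFTP
    snmp_src: str   # where the SNMP request claimed to come from
    tftp_dst: str   # where the device pushed the file
    seconds: float  # gap between the two
    spoofed: bool   # SNMP arrived from outside with an internal source address


def parse_flows(text: str) -> List[Flow]:
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proto, src, sport, dst, dport, direction = line.split()
        flows.append(Flow(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                          proto, src, int(sport), dst, int(dport), direction))
    return sorted(flows, key=lambda f: f.ts)


def is_spoofed(f: Flow) -> bool:
    """Inbound packet carrying one of our own addresses as its source."""
    return f.direction == "in" and any(
        ipaddress.ip_address(f.src) in net for net in INTERNAL)


def find_snmp_then_tftp(flows: List[Flow], window: timedelta = WINDOW) -> List[Alert]:
    last_snmp: Dict[str, Tuple[datetime, str, bool]] = {}
    alerts = []
    for f in flows:
        if f.proto != "udp":
            continue
        if f.direction == "in" and f.dport == SNMP_PORT:
            last_snmp[f.dst] = (f.ts, f.src, is_spoofed(f))
        elif f.direction == "out" and f.dport == TFTP_PORT:
            hit = last_snmp.get(f.src)
            if hit is None:
                continue
            ts, src, spoofed = hit
            delta = f.ts - ts
            if timedelta(0) <= delta <= window:
                alerts.append(Alert(f.src, src, f.dst, delta.total_seconds(), spoofed))
    return alerts


if __name__ == "__main__":
    for finding in audit_config(WEAK_CONFIG):
        print("weak config:", finding)
    for alert in find_snmp_then_tftp(parse_flows(SAMPLE_FLOWS)):
        print("ALERT:", alert)
```

On the constructed data the weak config yields seven findings and the hardened one none, and the correlation flags two device/TFTP pairs: an SNMP query from 203.0.113.7 followed three seconds later by a TFTP push back to it, and a spoofed query (internal source address arriving on the outside interface) against 192.0.2.3 followed by a push to 203.0.113.9. The third device, whose TFTP came 25 minutes after its SNMP, is ignored at the 60-second window but would surface if you widened it, so the window is a sensitivity knob rather than a rule.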
Aging Network Infrastructure
To be clear, common sense and discretion would solve many of the issues mentioned in the report, which is in many ways no surprise to those who have bellyached about the aging network infrastructure in the U.S.
These days, many device manufacturers have begun making the changes the report suggests. For example, new routers generally no longer ship with a shared default password like they used to. Here is a list of default router passwords. Better late than never, I guess…
This is not the first time we have heard about Russian state-sponsored hackers targeting U.S. companies, consumers, and infrastructure and it will not be the last.