Earlier this week, cyber security agencies from the US and UK issued their first joint warning about activity attributed to Russian state-sponsored hackers. The warning concerns a series of observed intrusions involving compromised network routers and other infrastructure equipment, and was issued by US-CERT and the UK National Cyber Security Centre.
The attacks target devices that run outdated or unencrypted protocols, expose unauthenticated services, are misconfigured, or no longer receive security patches from their manufacturers. The agencies have been tracking these attacks for several years on both sides of the Atlantic and coordinating their responses. This week’s warning contains a lot of specific information about how the attacks have happened, what types of devices are vulnerable (SOHO routers as well as enterprise-grade equipment), and how businesses can better protect themselves against future attacks.
The purpose behind the attacks is to conduct man-in-the-middle attacks to support espionage, extract intellectual property, maintain persistent access to victim networks, and potentially lay a foundation for future offensive operations, according to the documents released by both governments.
Aside from typical initial access vectors such as FTP and Telnet, the attackers also use an exploitation tool called SIET (Smart Install Exploitation Tool) that was posted online in November 2016. This tool makes it easy to exploit Cisco switches and routers with misconfigured Smart Install clients. Cisco Talos recently warned that threat actors have begun abusing this protocol and has published guidance on detecting and preventing its misuse.
The CERT has posted a series of mitigations and recommendations for business owners, including the following:
First, ensure that all firmware updates have been applied successfully to routers and switches. Pay particular attention to the sources of these updates and verify that they are coming from trusted sites.
Disable the Cisco Smart Install interface with the “no vstack” command before placing the device into operation.
Prohibit remote devices attempting to cross a network boundary over TCP port 4786 via Smart Install.
Prohibit outbound network traffic to external devices over UDP port 69 via TFTP from leaving the organization destined for Internet-based hosts.
Inspect the presence of protocol 47 (GRE) traffic flowing to or from unexpected addresses, or the unexplained presence of Generic Routing Encapsulation (GRE) tunnel creation, modification, or destruction in log files.
Check with your ISP to see if they are using Cisco equipment to connect to your network and ensure that they have put these practices into effect.
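The three network-level checks above (Smart Install on TCP 4786 crossing a boundary, outbound TFTP on UDP 69 to Internet hosts, and GRE, IP protocol 47, to or from unexpected peers) can be turned into a simple screening pass over exported flow records. The following is an added example written for this article, not code from US-CERT, NCSC or Cisco. It assumes a hypothetical flow export format of one record per line (source, destination, IP protocol number, destination port), an assumed internal address range, and an assumed allow-list of GRE peers; the sample records are constructed with documentation addresses.

```python
"""Screen flow records for the CERT/NCSC network-infrastructure indicators:
TCP/4786 (Cisco Smart Install) crossing the network boundary, outbound
UDP/69 (TFTP) to Internet hosts, and IP protocol 47 (GRE) involving peers
that are not on the allow-list. Record format and sample data are assumed."""
import ipaddress
from dataclasses import dataclass

# Assumed internal address space (hypothetical; adjust to the real network).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
# Assumed set of external peers with which GRE tunnels are expected.
EXPECTED_GRE_PEERS = {"203.0.113.10"}

PROTO_TCP, PROTO_UDP, PROTO_GRE = 6, 17, 47   # IP protocol numbers; 47 is GRE, not a port
SMART_INSTALL_PORT = 4786                     # TCP port used by Cisco Smart Install
TFTP_PORT = 69                                # UDP port used by TFTP


@dataclass
class Flow:
    src: str
    dst: str
    proto: int   # IP protocol number
    dport: int   # destination port, 0 for protocols without ports


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_flow(line: str) -> Flow:
    """Parse one assumed-format record: '<src> <dst> <ipproto> <dport>'."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, int(proto), int(dport))


def check_flow(flow: Flow) -> list:
    """Return the names of the checks this flow trips (empty if clean)."""
    findings = []
    crosses_boundary = is_internal(flow.src) != is_internal(flow.dst)
    # Smart Install should never be reachable across the network boundary.
    if flow.proto == PROTO_TCP and flow.dport == SMART_INSTALL_PORT and crosses_boundary:
        findings.append("smart-install-boundary-crossing")
    # TFTP leaving the organization towards an Internet host is suspect
    # (used to pull device configuration off a compromised switch).
    if (flow.proto == PROTO_UDP and flow.dport == TFTP_PORT
            and is_internal(flow.src) and not is_internal(flow.dst)):
        findings.append("outbound-tftp-to-internet")
    # GRE to or from an external address that is not an expected tunnel peer.
    if flow.proto == PROTO_GRE:
        external = {p for p in (flow.src, flow.dst) if not is_internal(p)}
        if external and not external <= EXPECTED_GRE_PEERS:
            findings.append("gre-unexpected-peer")
    return findings


def scan(lines) -> dict:
    """Map each non-empty record to its findings."""
    return {line: check_flow(parse_flow(line)) for line in lines if line.strip()}


# Constructed sample records (documentation address ranges, not real hosts).
SAMPLE_FLOWS = [
    "198.51.100.7 10.1.1.5 6 4786",     # Smart Install from the Internet to a switch
    "10.1.1.5 10.1.1.6 6 4786",         # Smart Install between internal hosts
    "10.2.0.9 198.51.100.20 17 69",     # TFTP outbound to an Internet host
    "10.2.0.9 10.2.0.1 17 69",          # TFTP to an internal server
    "10.3.0.1 203.0.113.10 47 0",       # GRE to the expected peer
    "10.3.0.1 198.51.100.99 47 0",      # GRE to an unexpected external peer
    "10.1.1.5 198.51.100.20 6 443",     # ordinary HTTPS, clean
]

if __name__ == "__main__":
    for record, findings in scan(SAMPLE_FLOWS).items():
        print(f"{record:35} {', '.join(findings) or 'ok'}")
```

Protocol 47 is matched on the IP protocol field rather than a port, which is the detail most often lost when this advisory is turned into firewall rules; a rule keyed on "port 47" will match nothing.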
The US agencies involved in tracking this exploit encourage recipients who identify the use of tools or techniques discussed in this document to report information to NCCIC or law enforcement immediately.