Russian spies hunt for routers running legacy protocols with default credentials

By
Follow google news

FSB hackers quietly harvest router configurations.

A coalition of 19 national cyber security agencies has issued a joint warning that Russian state-sponsored threat actors are systematically scanning the Internet for exposed routers with default or weak credentials.

Russian spies hunt for routers running legacy protocols with default credentials

The agencies attribute the campaign to a unit in Russia's Federal Security Service, FSB Centre 16.

FSB Centre 16 looks for routers running versions 1 and 2 of the commonly used Simple Network Management Protocol (SNMP), with default or commonly used community strings

This is essentially a shared password for SNMP, a single shared secret which any device that knows it can use to query the router, and depending on permissions, change settings.

With SNMP v1 and v2, community strings are sent unencrypted across networks.

Once an attacker finds a device that accepts a guessable community string, they can instruct it to copy its own configuration file and transfer it out using TFTP, an old, unauthenticated file transfer protocol.

Exfiltrated configuration files often contain further credentials, handing the actor a foothold that requires no exploit at all.

Only occasionally does FSB Centre 16 resort exploiting previously disclosed vulnerabilities, the advisory said.

The vulnerabilities named in the advisory are truly old: CVE-2008-4128 is, as the common vulnerabilities and exposures identifier suggests, from 18 years ago, and refers to multiple cross-site request forgery flaws in end-of-life devices.

Despite its considerable age, CVE-2008-4128 was only added to the United States Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalogue two days ago.

Meanwhile, CVE-2018-0171 in Cisco's Smart Install feature for its IOS router operating system is a bug that could allow unauthenticated remote attackers to trigger a reload on unpatched devices.

This could be abused to trigger denial of service (DoS) conditions, or to run arbitrary code on vulnerable devices.

Upgrade and apply configuration hygiene

The cyber security agencies recommend organisations move to SNMP v3, which adds authentication and encryption, and disable SNMP v1 and SNMP v2 wherever legacy equipment allows.

Factory default community strings also need to be changed.

Even SNMP v3 should not be exposed on an internet-facing interface, according to the advisory, with management access instead restricted to an out-of-band network protected by access control lists.

Other recommended steps include disabling Cisco's Smart Install feature once initial configuration is complete, securely storing credentials using Cisco's recommended Type 8 password hashing where supported, and blocking TFTP, SNMP and Smart Install traffic at the network edge.

FSB Centre 16 has been actively scanning for vulnerable routers for over a decade now.

Security vendors track the same actor under several other names, including Berserk Bear, Energetic Bear, Dragonfly and Static Tundra, among others.

Communications, energy, financial services, healthcare and government services are identified as the sectors most at risk, with state and local government singled out within that last category.

Add iTnews as your trusted source

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:

Most Read Articles

Telstra says timekeeping issue behind mobile network outage

Telstra says timekeeping issue behind mobile network outage

WA man jailed for at least five years for evil twin attack

WA man jailed for at least five years for evil twin attack

Optus fast-tracks network operations insourcing from Nokia

Optus fast-tracks network operations insourcing from Nokia

Data theft prompts PlayStation Network outage

Data theft prompts PlayStation Network outage

Log In

  |  Forgot your password?