In the first joint statement of its kind, U.S. and UK cyber-security authorities have issued a Technical Alert to warn users of an ongoing campaign by Russian state-sponsored hackers to target network infrastructure.
The U.S. Computer Emergency Readiness Team (US-CERT) is an agency within the Department of Homeland Security, and National Cyber Security Centre (NCSC) is part of the UK’s General Communications Headquarters. The targets of the alleged Russian attacks are infrastructure devices at all levels, including routers, switches, firewalls, network intrusion detection systems and other devices supporting network operations.
Also unusual is that the devices and networks being attacked range from devices in large enterprises used by government and private industry, critical infrastructure networks and even networks and devices used by small- and medium-sized businesses and on home networks. According to the Alert, the Russian attackers are depending on weak security, legacy protocols and service ports intended for administration purposes.
When these devices are attacked, the hackers have several goals in mind. They include identifying vulnerable devices and then extracting device configurations, network architectures and harvesting login credentials.
With the access they’ve gained, the hackers are able to masquerade as privileged users, which then allows them to modify the operations of the devices so they can copy or redirect traffic to Russian infrastructure. This access could also allow the hackers to hijack the devices for other purposes or to shut down network communications entirely.
A primary target of the attacks are Cisco devices that use Smart Install. However, other devices that allow access using Telnet, HTTP and SNMP (simple network management protocol) without proper authentication and strong encryption, including GRE (generic routing encapsulation) devices are also vulnerable.
An exploit for Cisco’s Smart Install first appeared on the internet as the Smart Install Exploitation Tool (SIET). The Alert explains how to tell if the SIET is being used, and how to prevent its use. In some cases, the only real mitigation is to disable Smart Install on a Cisco device that is running it.
Cisco has released a critical security advisory regarding the Smart Install vulnerability with detailed instructions relating to its operation with Cisco’s IOS and IOS XE infrastructure software.
“Cisco is aware of the recent joint technical alert that details known issues, which require customers take steps to protect their networks against cyber-attacks. Providing transparency and guidance to help customers best protect their network is a top priority,” a Cisco spokesperson said in a prepared statement emailed to eWEEK.
“Cisco security teams have been actively informing customers about the necessary steps to secure Smart Install and the other industry-wide protocols addressed in the joint alert through security advisories, blogs, and direct communications,” the statement said.
While the attacks on Cisco infrastructure are important because of that company’s dominance in infrastructure market globally, they are not the only company whose products are being targeted. In fact, virtually all such products are being targeted in one way or another. For this reason, the US CERT included a list of steps for potential attack targets, which means nearly anyone with a network.
- Don't allow unencrypted management protocols such as Telnet to enter your organization from the internet. If encryption using SSH, HTTPS or TLS are not possible, then use a VPN.
- Do not allow internet access to the management interface of any network device. You should allow access from inside the network only from a white listed device.
- Disable unencrypted protocols such as Telnet or SNMP v1 or v2. Retire legacy devices that cannot be configured with SNMP v3.
- Immediately change default passwords and enforce a strong password policy.
US-CERT also includes some steps for device manufacturers and Internet Service Providers as well as some mitigations for owners and operators beyond the general steps above.
- Specify in contracts with ISPs that only currently supported network equipment will be used and that it will be replaced if it becomes unsupported.
- Require that the ISP apply updates and security patches to networking equipment, or provide the patches and allow customers to field them.
- Block TFTP (trivial file transfer protocol, commonly used for management communications with devices) from leaving the organization to any external network, including the internet.
- Verify that OS updates actually come from the manufacturer and not from an untrusted third party.
- Check proprietary devices to confirm what OS is actually running. For example Cisco IOS also runs on Linksys and some Comcast devices.
It should go without saying that software updates and patches should be applied as soon as they’re available. Infrastructure equipment that can’t be updated, especially infrastructure used for home and small office applications should be replaced with equipment for which updates are available and which will be supported for a reasonable lifetime.
While definite numbers aren’t available, it appears that the Russian intrusions into networks in the U.S. and the UK have been relatively easy to accomplish, and fairly hard to detect. Partly this is because infrastructure equipment is frequently not updated, and in many cases cannot be updated.
For its part, Cisco is making security updates available to equipment without service contracts and has published the procedures for getting such updates in its security advisory.
As US-CERT notes in its Alert, whoever owns the router also owns the traffic. Taking over a router (or a switch or other device) effectively is the same as owning it. Unless infrastructure equipment is secured, the Bad Guys can do whatever they want to your network, including preventing you from using it.