On 16/04/18, a joint Technical Alert was issued combining analysis from the Department of Homeland Security, the Federal Bureau of Investigation (FBI) and the UK’s National Cyber Security Centre (NCSC). The alert collates information on global cyber exploitation of network infrastructure devices. The report outlines the steps an adversary will go through to discover, exploit, and establish persistence in order to gain access to victim networks, extract data and lay foundations for future activities. The report makes attribution to Russian state-sponsored cyber actors.
The report does not identify any previously unknown attack vectors. Rather, it sets out a methodology of how known weaknesses can be combined to achieve an advanced level of compromise of devices that use legacy protocols or are poorly configured. As an organisation, we have been tracking these issues and have published advisories to customers of Security Threat Intelligence.
What is affected?
Networking devices, e.g. switches and routers (predominantly Cisco but also including other vendors such as Juniper and MikroTik), have been targeted. The actors make use of weak or default configurations to target poorly secured management interfaces.
Exposed protocols targeted include:
- Cisco Smart Install (SMI) Enabled Devices
- Simple Network Management Protocol (SNMP) Enabled Network Devices
- Telnet and SSH management interfaces
- HTTP / HTTPS management interfaces
- Generic Routing Encapsulation (GRE) Enabled Devices
Risk ratings are assessed based on the IMPACT that the threat poses against the LIKELIHOOD of the threat occurring. Organisations need to conduct their own risk assessment based on their security posture and their own assessment of vulnerability against the information contained in this advisory. On that basis, the risk is assessed as 2a HIGH (likelihood = LIKELY, impact = VERY HIGH). However, it must be reiterated that organisations need to assess their own position.
The Technical Alert sets out comprehensive advice and guidance for mitigation and the appropriate steps should be followed for your organisation. We advise that you also refer to your vendor’s guidance for secure deployment of their devices.
We work at the forefront of cyber security and have been closely tracking the tools, techniques and procedures (TTPs) detailed in the report for some time. Based on this research and experience, we would advise the following immediate steps that you should take to ensure the integrity of your networks and devices.
Examine your estate for exposed services that are vulnerable or have the weaknesses detailed in the report. If you find any of the following, then take steps to harden the device and consider taking action to verify the integrity of the device and your network.
- Smart Install exposed to the internet, and as a secondary consideration any internally exposed devices.
- SSH / Telnet / HTTP(S) management interfaces exposed with weak / default credentials e.g. cisco:cisco.
- Insecure SNMP implementations such as default / weak community strings e.g. public / private, no access list applied, internet-facing SNMP v1/2c communities with read-write permissions.
- Check authentication logs for any anomalous authentication attempts or successful logins e.g. authentications from an IP address that is not recognised as a management source.
- Check device logs for anomalous commands or events (see Appendix A and B of the NCSC report for further details).
- Examine logs of network traffic for signs of reconnaissance or successful exploitation such as port scanning, SNMP requests, and unexpected FTP / TFTP transfers, GRE tunnels to unknown destinations or established SMI connections on port TCP/4786.
- If you find evidence of unauthorised access to devices, follow your Incident Response process but ensure that you consider:
- Use of vendor-supplied documentation to verify that the device’s software has not been tampered with.
- Assessing what credentials and other sensitive information or data may have been exposed and responding accordingly.
- Reviewing the entire estate to establish if problems exist on other devices.
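The log and traffic checks in the list above can be expressed as a small triage script. The following is an added example (not part of the advisory or the NCSC report): it runs a handful of detection rules over constructed sample data. The syslog lines are modelled on the Cisco IOS message formats for login events and logged commands, the flow records use a hypothetical "timestamp src dst proto dport" layout, and the management host (10.10.0.5), the legitimate GRE peer (10.20.0.1) and the failed-login threshold are assumptions you would replace with your own values.

```python
import re
from collections import Counter

# Assumptions for this example: the only permitted management source, the only
# legitimate GRE peer, and the number of failed logins that counts as guessing.
MANAGEMENT_HOSTS = {"10.10.0.5"}
KNOWN_GRE_PEERS = {"10.20.0.1"}
FAIL_THRESHOLD = 5

# Constructed sample syslog lines (IOS-style SEC_LOGIN and CFGLOG messages).
SAMPLE_SYSLOG = [
    "%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.10.0.5] [localport: 22]",
] + [
    "%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 198.51.100.7] "
    "[localport: 23] [Reason: Login Authentication Failed]"
] * 5 + [
    "%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: cisco] [Source: 198.51.100.7] [localport: 23]",
    "%PARSER-5-CFGLOG_LOGGEDCMD: User:cisco  logged command:copy running-config tftp://198.51.100.7/rtr.cfg",
]

# Constructed sample flow records: "timestamp src dst proto dport" (hypothetical layout).
SAMPLE_FLOWS = [
    "2018-04-17T10:01:00 10.10.0.5 192.0.2.1 tcp 22",        # admin SSH from the jump host
    "2018-04-17T10:02:13 198.51.100.7 192.0.2.1 tcp 4786",   # Smart Install from the internet
    "2018-04-17T10:02:40 198.51.100.7 192.0.2.1 udp 161",    # SNMP from an unknown source
    "2018-04-17T10:03:05 192.0.2.1 198.51.100.7 udp 69",     # TFTP transfer out of the device
    "2018-04-17T10:04:00 192.0.2.1 203.0.113.9 gre 0",       # GRE to an unknown peer
    "2018-04-17T10:04:30 192.0.2.1 10.20.0.1 gre 0",         # GRE to the known peer
]

LOGIN_RE = re.compile(r"%SEC_LOGIN-\d-(LOGIN_SUCCESS|LOGIN_FAILED):.*\[user: (\S+)\] \[Source: (\S+)\]")
CMD_RE = re.compile(r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(\S+)\s+logged command:(.*)$")
OFFBOX_COPY_RE = re.compile(r"\bcopy\b.*\b(tftp|ftp):")


def triage(syslog_lines, flow_records):
    """Apply the advisory's log and traffic checks; return a list of findings."""
    findings = []
    failures = Counter()

    for line in syslog_lines:
        m = LOGIN_RE.search(line)
        if m:
            event, user, src = m.groups()
            if event == "LOGIN_FAILED":
                failures[src] += 1
            elif src not in MANAGEMENT_HOSTS:
                findings.append(f"successful login as '{user}' from non-management source {src}")
            continue
        m = CMD_RE.search(line)
        if m and OFFBOX_COPY_RE.search(m.group(2)):
            findings.append(f"user '{m.group(1)}' copied data off-box: {m.group(2)}")

    # Repeated failures from one source are reported once, after counting.
    for src, n in failures.items():
        if n >= FAIL_THRESHOLD:
            findings.append(f"{n} failed logins from {src} (possible credential guessing)")

    for rec in flow_records:
        ts, src, dst, proto, dport = rec.split()
        key = (proto, int(dport))
        if key == ("tcp", 4786):
            findings.append(f"{ts} Smart Install (TCP/4786) connection from {src} to {dst}")
        elif key == ("udp", 161) and src not in MANAGEMENT_HOSTS:
            findings.append(f"{ts} SNMP request from unexpected source {src}")
        elif key == ("udp", 69):
            findings.append(f"{ts} TFTP transfer between {src} and {dst}")
        elif proto == "gre" and dst not in KNOWN_GRE_PEERS:
            findings.append(f"{ts} GRE tunnel to unknown peer {dst}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_SYSLOG, SAMPLE_FLOWS):
        print(finding)
```

The legitimate SSH session from the jump host and the GRE flow to the known peer produce nothing; the remaining seven events are exactly the reconnaissance, credential guessing, Smart Install, SNMP, TFTP and GRE indicators the list above asks you to look for. In practice the allowlists would come from your asset inventory rather than constants.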
Standard mitigation practices
These actions are not necessarily less important than the priority actions included above, but may take more time to implement. These should also be part of your organisation’s standard security practices.
- Regularly review vendor security guidance and ensure it is implemented on devices used in your networks. This should not be a one-off exercise.
- Segregate the management of your network devices from the network that they carry. If this cannot be carried out, then restrict access to trusted management systems only, using access control. Disable all unnecessary services.
- Migrate away from use of legacy management protocols such as Telnet or SNMP v2c. If this is not possible, protect the protocol within other encryption layers such as VPN.
- Monitor for and alert on unauthorised or unexpected changes in device configuration.
- Implement centralised authentication and ensure that devices and users do not share credentials. Consider using two-factor authentication for privileged access.
- Implement regular reviews of device software updates and implement upgrades where appropriate.
- Implement network segregation and restrict outbound connectivity from your devices.
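The exposed-service checks in the priority list (Smart Install, weak Telnet/HTTP management, default SNMP communities without an access list) and the mitigations above (disable unnecessary services, restrict management access, move off Telnet, centralise authentication, log configuration changes) can all be checked against a device's running configuration. The following is an added example, not code from the advisory or from any vendor: it audits two constructed Cisco IOS configuration fragments, one weak and one hardened, and reports each weakness it finds. The hostnames, community strings and ACL number 10 are made up for the example.

```python
import re

# Constructed sample running-config in Cisco IOS syntax showing the weaknesses
# the advisory describes (not taken from any real device).
WEAK_CONFIG = """\
hostname edge-rtr
enable password cisco
username cisco password 0 cisco
snmp-server community public RO
snmp-server community private RW
ip http server
line vty 0 4
 password cisco
 login
 transport input telnet
"""

# The same device after applying the standard mitigations. ACL 10 is a
# hypothetical access list permitting only the management network.
HARDENED_CONFIG = """\
hostname edge-rtr
no vstack
aaa new-model
aaa authentication login default group tacacs+ local
enable secret 5 $1$PLACEHOLDER$hash
snmp-server community s3cr3tstring RO 10
ip http secure-server
archive
 log config
  logging enable
  notify syslog
line vty 0 4
 access-class 10 in
 transport input ssh
"""

DEFAULT_COMMUNITIES = {"public", "private"}
DEFAULT_CREDS = {"cisco", "admin", "password"}


def vty_section(lines):
    """Return the stripped body lines of the 'line vty' section (IOS indents them by one space)."""
    body, inside = [], False
    for raw in lines:
        if raw.startswith("line vty"):
            inside = True
        elif inside and not raw.startswith(" "):
            inside = False
        elif inside:
            body.append(raw.strip())
    return body


def audit_config(config: str) -> list[str]:
    """Return one finding per weakness from the advisory's lists; empty if none."""
    findings = []
    lines = config.splitlines()
    stripped = [l.strip() for l in lines]

    # Controls that should be present and are not.
    if "no vstack" not in lines:
        findings.append("Smart Install (vstack) not explicitly disabled")
    if not any(l.startswith("aaa authentication login") for l in lines):
        findings.append("no centralised AAA login authentication configured")
    if "log config" not in stripped:
        findings.append("configuration-change logging (archive / log config) absent")

    # Settings that should not be present.
    for line in stripped:
        if line.startswith("enable password"):
            findings.append("'enable password' used instead of 'enable secret'")
        m = re.match(r"username (\S+) (?:privilege \d+ )?password (?:\d )?(\S+)$", line)
        if m and (m.group(1) in DEFAULT_CREDS or m.group(2) in DEFAULT_CREDS):
            findings.append(f"default/shared credential for local user '{m.group(1)}'")
        m = re.match(r"snmp-server community (\S+) (RO|RW)(?: (\S+))?$", line)
        if m:
            name, mode, acl = m.groups()
            if name in DEFAULT_COMMUNITIES:
                findings.append(f"SNMP community '{name}' is a default name")
            if mode == "RW":
                findings.append(f"SNMP community '{name}' is read-write")
            if acl is None:
                findings.append(f"SNMP community '{name}' has no access-list")
        if line == "ip http server":
            findings.append("plaintext HTTP management interface enabled")

    # Management line checks: source restriction, transport, and line passwords.
    vty = vty_section(lines)
    if not any(l.startswith("access-class") for l in vty):
        findings.append("vty lines have no access-class restricting management sources")
    if any(l.startswith("transport input") and ("telnet" in l or "all" in l) for l in vty):
        findings.append("Telnet accepted on vty lines (transport input telnet/all)")
    for l in vty:
        m = re.match(r"password (?:\d )?(\S+)$", l)
        if m and m.group(1) in DEFAULT_CREDS:
            findings.append(f"vty line password '{m.group(1)}' is a default/weak value")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label}: {len(audit_config(cfg))} finding(s)")
        for finding in audit_config(cfg):
            print("  -", finding)
```

The script is deliberately line-oriented so it can be pointed at a configuration backup without a vendor library; the checks for a missing `no vstack`, missing AAA and missing change logging look for the absence of a control, which is the case a keyword search for "bad" lines would miss. Extending it to Juniper or MikroTik syntax means only changing the patterns, not the approach.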