US-CERT issued a joint Technical Alert informing the public of widespread attacks by Russian state-sponsored actors against network infrastructure devices. Targeting is not limited to any one sector: the actors both look for targets of opportunity and specifically target particular organizations (none are named in the alert, however).
The Russian actors are compromising routers to conduct man-in-the-middle attacks that capture credentials or hijack sessions, giving them both a way to infect targeted devices and remote access to them. These attacks are intended to support Russian FSB espionage efforts, steal intellectual property, and maintain persistence in the compromised network for future offensive operations.
Please take the time to read through the US-CERT alert located here for more specific details and indicators.
No organization is exempt from potential targeting; however, organizations in government, advanced technology, financial services, energy, or critical infrastructure appear most likely to be targeted.
Successful exploitation could result in significant loss of data for your organization. Because of the persistence mechanisms employed, it would also require a very thorough incident response and very close monitoring afterward.
While the potential impact of a compromise should be considered HIGH, we assess that the likelihood is low for organizations that keep their systems patched and updated.
- Do not allow unencrypted management protocols (such as Telnet or SMB) to enter the organization from the Internet.
- Do not allow Internet access to the management interface of any network device. Ideally, block Internet-sourced access to the device management interface and restrict device management to internal, trusted, whitelisted hosts.
- Disable legacy protocols such as Telnet and SNMPv1/v2c. Use encrypted protocols such as SSH and SNMPv3.
- Replace legacy devices that cannot be configured to use SNMPv3.
- Immediately change default passwords and enforce a strong password policy.
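The mitigations above are easy to state and easy to miss on a fleet of devices. As an added illustration (not part of the alert or this summary), the following Python script audits a Cisco IOS-style running configuration for the items in the list: Telnet accepted on VTY lines, SNMPv1/v2c community strings, a management interface with no inbound access-class, and Smart Install (the service behind port 4786) left enabled. The two configuration texts are constructed samples, the Cisco IOS syntax and the trusted network are assumptions, and the checks are line-pattern matches, not a full config parser.

```python
"""Audit an IOS-style running-config for the hardening items in the advisory.
Added example: the configs below are constructed samples, not real devices."""

# Constructed "before" config: several of the weak settings the advisory warns about.
WEAK_CONFIG = """\
hostname edge-rtr-01
snmp-server community public RO
snmp-server community private RW
snmp-server group NETMON v3 priv
vstack
line vty 0 4
 transport input telnet ssh
 login local
"""

# Constructed "after" config: SNMPv3 only, Smart Install off, SSH only,
# management restricted to an internal whitelisted subnet (assumed 10.10.5.0/24).
HARDENED_CONFIG = """\
hostname edge-rtr-01
no snmp-server community public
snmp-server group NETMON v3 priv
no vstack
ip access-list standard MGMT-HOSTS
 permit 10.10.5.0 0.0.0.255
line vty 0 4
 transport input ssh
 access-class MGMT-HOSTS in
 login local
"""


def audit_config(text):
    """Return a list of human-readable findings for a config text.

    An empty list means none of the advisory's weak settings were found.
    """
    findings = []
    current_vty = None     # the "line vty ..." block we are currently inside
    vty_has_acl = {}       # vty block -> whether an inbound access-class was seen

    for raw in text.splitlines():
        stripped = raw.strip()
        indented = raw.startswith(" ")

        if not indented:
            # Top-level statement: leave any VTY block we were in.
            current_vty = None
            if stripped.startswith("snmp-server community "):
                # Community strings exist only in SNMPv1/v2c; v3 uses groups/users.
                community = stripped.split()[2]
                findings.append(f"SNMPv1/v2c community configured: {community}")
            elif stripped == "vstack":
                # Bare "vstack" enables Smart Install; "no vstack" disables it.
                findings.append("Smart Install (vstack, port 4786) enabled")
            elif stripped.startswith("line vty "):
                current_vty = stripped
                vty_has_acl[current_vty] = False
            continue

        if current_vty is None:
            continue  # indented line outside a VTY block (e.g. ACL entries)

        words = stripped.split()
        if stripped.startswith("transport input ") and ("telnet" in words or "all" in words):
            findings.append(f"{current_vty}: Telnet accepted (transport input)")
        elif stripped.startswith("access-class ") and stripped.endswith(" in"):
            vty_has_acl[current_vty] = True

    for vty, has_acl in vty_has_acl.items():
        if not has_acl:
            findings.append(f"{vty}: no inbound access-class restricting management sources")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for finding in audit_config(cfg) or ["no findings"]:
            print(" -", finding)
```

Run against the weak sample it reports five findings (two community strings, Smart Install, Telnet on the VTY lines, and no access-class); against the hardened sample it reports none. Changing default passwords, the last item in the list, is not something a config text check can verify, so it is left to the device's credential management process.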
Suggested detection strategies:
- Telnet activity (port 23) involving trusted and untrusted hosts
- Anomalous use of SNMP (ports 161/162) and TFTP between trusted and untrusted hosts
- Activity potentially using Smart Install (SMI, port 4786) between trusted and untrusted hosts
- Identification of GRE tunneling (under construction)
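The detection strategies above translate directly into rules over flow records. As an added example (not part of the alert or this summary), the following Python script applies them to a handful of constructed flow lines: it flags Telnet wherever it appears, and flags SNMP, TFTP, Smart Install and GRE only when a flow crosses the trust boundary (one endpoint inside the assumed trusted management network, the other outside). The trusted network 10.10.0.0/16, the flow line format, and the sample addresses are all assumptions; the TFTP port (UDP/69) and the GRE IP protocol are well-known values not listed on the page.

```python
"""Flag network-device management traffic that matches the advisory's detection list.
Added example: flow lines and the trusted network below are constructed assumptions."""
import ipaddress
from collections import Counter

# Assumption: the internal management address space. Anything else is "untrusted".
TRUSTED_NETS = [ipaddress.ip_network("10.10.0.0/16")]

# (protocol, destination port) -> rule name. Ports 23, 161/162 and 4786 are from
# the advisory; UDP/69 is TFTP's well-known port, added here.
PORT_RULES = {
    ("tcp", 23): "telnet",
    ("udp", 161): "snmp",
    ("udp", 162): "snmp",
    ("udp", 69): "tftp",
    ("tcp", 4786): "smi",
}

# Constructed flow records: "timestamp src dst proto sport dport" ("-" when no ports).
SAMPLE_FLOWS = """\
2018-04-17T10:01:02Z 203.0.113.5   10.10.1.1     tcp 51234 23
2018-04-17T10:01:05Z 10.10.5.20    10.10.1.1     udp 40000 161
2018-04-17T10:02:11Z 198.51.100.9  10.10.1.1     udp 44444 161
2018-04-17T10:02:40Z 10.10.1.1     198.51.100.9  udp 33333 69
2018-04-17T10:03:01Z 198.51.100.9  10.10.1.1     tcp 55555 4786
2018-04-17T10:03:30Z 10.10.1.1     198.51.100.9  gre -     -
2018-04-17T10:04:00Z 10.10.5.20    10.10.1.1     tcp 50000 22
2018-04-17T10:04:10Z 10.10.5.20    10.10.1.1     tcp 50001 23
""".splitlines()


def is_trusted(ip):
    """True if the address falls inside one of the trusted management networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def parse_flow(line):
    """Split one constructed flow record into its fields."""
    ts, src, dst, proto, _sport, dport = line.split()
    return {
        "ts": ts,
        "src": src,
        "dst": dst,
        "proto": proto.lower(),
        "dport": None if dport == "-" else int(dport),
    }


def classify(flow):
    """Return the matching rule name, or None if the flow is not of interest."""
    crosses = is_trusted(flow["src"]) != is_trusted(flow["dst"])
    if flow["proto"] == "gre":
        # A GRE tunnel terminating outside the trusted space is the pattern to find.
        return "gre" if crosses else None
    rule = PORT_RULES.get((flow["proto"], flow["dport"]))
    if rule is None:
        return None
    if rule == "telnet":
        return rule  # Telnet is legacy and should not appear anywhere on the network
    return rule if crosses else None


def detect(lines):
    """Run every flow line through the rules; return (rule, src, dst, ts) tuples."""
    alerts = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        flow = parse_flow(line)
        rule = classify(flow)
        if rule:
            alerts.append((rule, flow["src"], flow["dst"], flow["ts"]))
    return alerts


def summarize(alerts):
    """Count alerts per rule, useful as a daily roll-up."""
    return Counter(rule for rule, *_ in alerts)


if __name__ == "__main__":
    hits = detect(SAMPLE_FLOWS)
    for rule, src, dst, ts in hits:
        print(f"{ts} {rule:6s} {src} -> {dst}")
    print(dict(summarize(hits)))
```

On the sample flows, internal-only SNMP and SSH are left alone, while the Telnet sessions (both the Internet-sourced one and the internal one), the SNMP poll and Smart Install connection from an untrusted host, the outbound TFTP transfer, and the GRE tunnel to an external address are each reported. In production the trusted set would come from the asset inventory and the flow source from NetFlow or firewall logs rather than an inline string.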