Has a nation-state pwned your routers?

|
Updated

Howdy Folks! In case you missed the NSA’s post about it, they released a joint Cybersecurity Advisory (CSA) with several U.S. and international partner agencies to provide guidance on router hygiene. Specifically, this CSA and its recommended mitigations are focused on reducing the threat from Russian FSB Center 16 and other adversarial cyber actors. The threat from these malicious actors is not limited to U.S. federal entities only; the FSB’s targets include, but are not limited to the following sectors:

  • Communications
  • Defense Industrial Base
  • Energy
  • Financial Service
  • Government Services and Facilities, especially state and local level entities
  • Healthcare and Public Health

The attack strategy #

The threat actors are using a multi-step process to steal and exfiltrate router configurations for future exploitation, including:

  1. Scanning Internet IP Ranges for devices using default community strings for SNMPv1 and 2
  2. Once discovered, SNMP commands are executed against the devices
  3. Router configuration is copied off and sent via TFTP
  4. The cyber actor accesses the stolen data.

The CSA guidance calls out six mitigation actions to help defenders protect their environments:

  1. Disable Cisco Smart Install on all devices
  2. Discontinue use of and disable SNMPv1 and v2. Use SNMPv3 with ‘authPriv’ configured to modernize encryption
  3. Use strong and unique passwords for local accounts on network devices and configure secure storage for credentials
    1. Avoid using Cisco hashing other than type 8.
  4. Monitor and restrict access to SNMP OID’s using a MIB allow-list.
    1. Monitor and configure IDS rules for SNMP Set-Requests that target OIDs that have access to target sensitive data
  5. Restrict and monitor management protocols
    1. On edge devices, deny or strictly monitor:
      1. TFTP (UDP 69)
      2. SMI (TCP 4786)
      3. SNMP (UDP 161 and 162)
      4. SNMPv3 (TCP/UDP 10161 and 10162)
  6. Ensure network devices are running up to date software and firmware packages. Patch known vulnerabilities, and replace end of life (EOL) devices.

How runZero can help #

runZero can help federal agencies, financial institutions, critical infrastructure, and everyone in between to quickly and efficiently implement the mitigations the advisory recommends. By scanning your internal and external attack surface, runZero can ensure that you are in a strong defensive posture against adversarial cyber actors by allowing you to:

  1. Identify all Cisco devices with Cisco Smart Install enabled, and what interface its enabled on, with a native Vulnerability finding
  1. Identify default SNMPv2 and v2 community strings with a native SNMP defaults finding:

  1. Identify all instances of SNMPv1 or v2 with:
    protocol:snmp AND (protocol:snmp1 or protocol:snmp2)
    1. Or, to just find all instance of SNMP running with just protocol:snmp
  1. Identify any and all management protocols, even over non standard ports:
  1. Discovery of EOL network devices with a native finding of EOL devices, including a finding for edge devices as they pertain to BOD 26-02:

If you aren’t certain that your network is properly protected against this threat vector, contact us today or sign up for a free trial at: https://www.runzero.com/try/.

Written by Colin Dupreay

Colin is a Federal Solutions Engineer at runZero. With almost a decade of experience supporting Public Sector customers, Colin is passionate about protecting and securing our nations networks.

More about Colin Dupreay
Subscribe Now

Get the latest news and expert insights delivered in your inbox.

Welcome to the club! Your subscription to our newsletter is successful.

Explore more runZero

Product
Announcing runZero 5.0: Exposure management built to outpace AI-driven attacks
When you're up against AI, every minute counts. Get deep, actionable intelligence across your entire attack surface to close the gaps and hold the...
Product Videos
runZero 5.0: Platform Demo
With the new 5.0 release, runZero is giving defenders the edge they need to succeed in the AI-attack era.
runZero Perspective
BOD 26-04: A new era of prioritized remediation
A complete breakdown of CISA's BOD 26-04 directive. Learn how the shift to SSVC, risk-based KEV prioritization, and 3-day remediation impacts your...
runZero Perspective
Dawn of the apex agentic adversary
When agentic AI can weaponize exploits in seconds, visibility is everything. Stop the predator with runZero’s exposure management for the AI-attack...
Podcasts
The shadow era AI, exploits, and cybersecurity's 90s comeback
HD Moore explains how AI is turning hacking back to the 90s, generating permanent exploit skeleton keys and breaking traditional defense.
Talks
Identifying exposures at scale with BloodHound OpenGraph
Traditional exposure management misses hidden attack paths. Learn how BloodHound and Cypher queries can uncover vulnerabilities beyond individual...
Podcasts
When is a vulnerability not a vulnerability?
Attackers care about outcomes, not CVEs. Tod Beardsley joins Distilled Security to discuss reframing risk from checklist compliance to adversary...
Podcasts
Know Your Adversary with HD Moore
runZero CEO HD Moore breaks down the myth of air-gapped networks, the impact of AI on security, and why asset connectivity is everything.

See Results in Minutes

See & secure your total attack surface. Even the unknowns & unmanageable.