Howdy Folks! In case you missed the NSA’s post about it, they released a joint Cybersecurity Advisory (CSA) with several U.S. and international partner agencies to provide guidance on router hygiene. Specifically, this CSA and its recommended mitigations are focused on reducing the threat from Russian FSB Center 16 and other adversarial cyber actors. The threat from these malicious actors is not limited to U.S. federal entities only; the FSB’s targets include, but are not limited to the following sectors:
- Communications
- Defense Industrial Base
- Energy
- Financial Service
- Government Services and Facilities, especially state and local level entities
- Healthcare and Public Health
The attack strategy #
The threat actors are using a multi-step process to steal and exfiltrate router configurations for future exploitation, including:
- Scanning Internet IP Ranges for devices using default community strings for SNMPv1 and 2
- Once discovered, SNMP commands are executed against the devices
- Router configuration is copied off and sent via TFTP
- The cyber actor accesses the stolen data.

Recommended actions for mitigating these attacks #
The CSA guidance calls out six mitigation actions to help defenders protect their environments:
- Disable Cisco Smart Install on all devices
- Discontinue use of and disable SNMPv1 and v2. Use SNMPv3 with ‘authPriv’ configured to modernize encryption
- Use strong and unique passwords for local accounts on network devices and configure secure storage for credentials
- Avoid using Cisco hashing other than type 8.
- Monitor and restrict access to SNMP OID’s using a MIB allow-list.
- Monitor and configure IDS rules for SNMP Set-Requests that target OIDs that have access to target sensitive data
- Restrict and monitor management protocols
- On edge devices, deny or strictly monitor:
- TFTP (UDP 69)
- SMI (TCP 4786)
- SNMP (UDP 161 and 162)
- SNMPv3 (TCP/UDP 10161 and 10162)
- On edge devices, deny or strictly monitor:
- Ensure network devices are running up to date software and firmware packages. Patch known vulnerabilities, and replace end of life (EOL) devices.
How runZero can help #
runZero can help federal agencies, financial institutions, critical infrastructure, and everyone in between to quickly and efficiently implement the mitigations the advisory recommends. By scanning your internal and external attack surface, runZero can ensure that you are in a strong defensive posture against adversarial cyber actors by allowing you to:
- Identify all Cisco devices with Cisco Smart Install enabled, and what interface its enabled on, with a native Vulnerability finding

- Identify default SNMPv2 and v2 community strings with a native SNMP defaults finding:

- Identify all instances of SNMPv1 or v2 with:
protocol:snmp AND (protocol:snmp1 or protocol:snmp2) - Or, to just find all instance of SNMP running with just
protocol:snmp

- Identify any and all management protocols, even over non standard ports:

- Discovery of EOL network devices with a native finding of EOL devices, including a finding for edge devices as they pertain to BOD 26-02:

If you aren’t certain that your network is properly protected against this threat vector, contact us today or sign up for a free trial at: https://www.runzero.com/try/.