There is a new hack in town that involves compromising large numbers of routers, switches, and other network devices belonging to governments, businesses, and critical-infrastructure providers. Russian government-sponsored actors are using the compromised devices to perform man-in-the-middle attacks that extract passwords, intellectual property, and other sensitive information, and to lay the groundwork for potential intrusions in the future.

The recent alert identified multiple stages in the hacker campaign. They included:
  • reconnaissance, in which the hackers identify Internet-exposed network ports used for telnet, Simple Network Management Protocol (SNMP), Cisco Smart Install, and similar services
  • weaponization and delivery, in which crafted traffic is sent to vulnerable devices that causes them to send back configuration files containing cryptographically hashed passwords and other sensitive data
  • exploitation, in which attackers use previously obtained credentials to access the devices
  • installation, using the Cisco Smart Install technology
  • command and control, where the attackers masquerade as legitimate users or establish a connection through a previously installed backdoor
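The reconnaissance stage above hinges on management services (telnet, SNMP, Cisco Smart Install) being reachable from the Internet. The following is an added example, not code from the alert or from BMT, that runs a simple detection over constructed firewall log lines: it flags any device that accepted a connection to one of those services from a source outside the RFC 1918 private ranges. The log format, the sample addresses, and the function names are assumptions for the example.

```python
import ipaddress
import re
from collections import Counter

# Services named in the alert's reconnaissance stage, keyed by the standard
# port assignments: telnet 23/tcp, SNMP 161/udp, Cisco Smart Install 4786/tcp.
WATCHED_PORTS = {("tcp", 23): "telnet", ("udp", 161): "snmp", ("tcp", 4786): "smart-install"}

# RFC 1918 ranges checked explicitly (ipaddress.is_private would also treat the
# documentation ranges used in the sample below as private, so it is not used).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log format (an assumption, not a real vendor format):
# "<timestamp> <ACCEPT|DROP> proto=<tcp|udp> src=<ip>:<port> dst=<ip>:<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) proto=(?P<proto>tcp|udp) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log lines; 192.0.2.x are the monitored devices.
SAMPLE_LOG = """\
2018-04-16T10:00:01Z ACCEPT proto=tcp src=203.0.113.7:51234 dst=192.0.2.10:4786
2018-04-16T10:00:02Z ACCEPT proto=tcp src=10.1.1.5:40000 dst=192.0.2.10:23
2018-04-16T10:00:03Z ACCEPT proto=udp src=198.51.100.9:1024 dst=192.0.2.11:161
2018-04-16T10:00:04Z DROP proto=tcp src=203.0.113.7:51235 dst=192.0.2.12:4786
2018-04-16T10:00:05Z ACCEPT proto=tcp src=203.0.113.7:51236 dst=192.0.2.13:443
"""

def find_exposed_mgmt_access(log_text):
    """Return (device, service, source) triples for management-protocol
    connections a device accepted from outside the RFC 1918 ranges."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["action"] != "ACCEPT":
            continue  # malformed line, or the firewall already blocked it
        service = WATCHED_PORTS.get((m["proto"], int(m["dport"])))
        if service is None:
            continue  # not one of the watched management services
        src = ipaddress.ip_address(m["src"])
        if any(src in net for net in RFC1918):
            continue  # internal management traffic is expected
        findings.append((m["dst"], service, str(src)))
    return findings

def sources_by_hit_count(findings):
    """Rank external sources by how many exposed services they reached."""
    return Counter(src for _, _, src in findings).most_common()

if __name__ == "__main__":
    for device, service, src in find_exposed_mgmt_access(SAMPLE_LOG):
        print(f"{device} accepted {service} from external source {src}")
```

Every device this reports has a management service reachable from the Internet and belongs at the front of the patching and hardening queue.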
What Can Be Done?
  • Network devices are primary targets, so ensure these devices are patched regularly.
  • Practice overall good patch management. This breach exploits weak links, so ensuring all systems and applications are up to date will greatly reduce vulnerabilities.
  • Take patching beyond workstations and servers – IoT devices (printers, cameras, etc.) can also be affected.

BMT performs routine patching of all equipment for our Managed Service clients. If you have any additional questions regarding this breach or other potential vulnerabilities, please contact us. For more information on this technical alert, issued by the US Department of Homeland Security and FBI and the UK’s National Cyber Security Center, click here.
