Cisco’s Talos security intelligence group issued a warning about an uptick in highly sophisticated attacks on network infrastructure including routers and firewalls.
The Cisco warning follows a similar joint advisory issued today by the UK National Cyber Security Centre (NCSC), the US National Security Agency (NSA), the US Cybersecurity and Infrastructure Security Agency (CISA) and the US Federal Bureau of Investigation (FBI), which noted an uptick in threats that in part use an exploit first reported in 2017. That exploit targets an SNMP vulnerability in Cisco routers that the vendor patched in 2017.
But as Cisco and the government agencies noted, similar exploits are being aimed at a broad set of multivendor networking gear, potentially including Juniper, Extreme, Allied Telesis, HP and others.
“The warning involves not just Cisco equipment, but any networking equipment that sits at the perimeter or that might have access to traffic that a significantly capable and well-tooled adversary might have an interest in intercepting and modifying,” said JJ Cummings, Cisco Talos Threat Intelligence & Interdiction team lead. Cummings leads the Talos team tasked with nation-state, critical infrastructure, law enforcement, and intelligence-based concerns.
In a blog noting the increase in threats, Cisco Talos wrote: “We have observed traffic manipulation, traffic copying, hidden configurations, router malware, infrastructure reconnaissance, and active weakening of defenses by adversaries operating on networking equipment. Given the variety of activities we have seen adversaries engage in, they have shown a very high level of comfort and expertise working within the confines of compromised networking equipment.”
National intelligence agencies and state-sponsored actors across the globe have attacked network infrastructure as a primary target, Cisco stated. “Route/switch devices are stable, infrequently examined from a security perspective, are often poorly patched and provide deep network visibility.”
“The idea here is to get the messaging out that network operations teams need to maybe start to approach things slightly differently or at least be more mindful from a security perspective, because there are significantly capable adversaries that are targeting their infrastructure that may or may not, in many of the cases, have been significantly tooled or monitored, or updated,” Cummings said.
“What we do see primarily is threats targeting those devices and with these types of attacks, somewhat aging—and certainly outdated from a software perspective—devices,” Cummings said. “What we see in almost every instance that I can think of is the adversary also having some level of pre-existing access, to one degree or another, to that device.”
Cisco noted a number of specific growing threats including:
- The creation of Generic Routing Encapsulation (GRE) tunnels and the hijacking of DNS traffic, giving the actor the ability to observe and control DNS resolution.
- Modifying device memory to reintroduce vulnerabilities that had already been patched, giving the actor a secondary path back into the device.
- Modification of configurations to move the compromised device into a state that lets the actor execute additional exploits.
- Installation of malicious software into an infrastructure device that provides additional capabilities to the actor.
- The masking of certain configurations so that they can’t be shown by normal commands.
Recommended precautions include updating software.
As for what can be done to protect networking infrastructure, the biggest and perhaps most obvious step is keeping software up-to-date, Cummings said. “If you fix the vulnerabilities, and you’re running current software, it’s not going to certainly, completely eliminate your risk. But if I get rid of 10 CVEs, that dramatically reduces my risk footprint,” Cummings said.
He recommends increasing visibility into device behavior, “because without visibility, I can’t necessarily catch the bad guy doing the bad guy things. I need to be able to see and understand any change or access that happens to that fully updated device.” Similarly, strictly locking down access to those devices makes it much harder for attackers to get to them, he said.
The blog also suggests:
- Select complex passwords and community strings; avoid default credentials.
- Use multi-factor authentication.
- Encrypt all monitoring and configuration traffic (SNMPv3, HTTPS, SSH, NETCONF, RESTCONF).
- Lock down and aggressively monitor credential systems.
- Do not run end-of-life hardware and software.
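As an added example (not code from the Cisco Talos blog or the joint advisory), the Python script below turns the adversary behaviours listed earlier (tunnel creation, DNS redirection, hidden or altered configuration, weakened defenses), Cummings’ point about seeing every change to a device, and the hardening recommendations above into checks an operator can run against saved running configs. It assumes IOS-style configuration syntax and works on two constructed snapshots: a baseline captured when the device was known-good, and a later pull that has been tampered with in the ways Talos describes. The function and variable names, the sample configs and the placeholder secrets are the example’s own.

```python
"""Added example: diff two IOS-style config snapshots, map the drift onto the
behaviours Talos lists (tunnel creation, DNS hijack, added accounts, weakened
logging) and audit the current config against the advisory's hardening advice."""

# Constructed baseline: golden config captured when the device was known-good.
# "$9$placeholder" stands in for real secrets; addresses are RFC 5737 ranges.
BASELINE_CONFIG = """\
hostname edge-rtr1
username netops secret 9 $9$placeholder
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
ip name-server 192.0.2.53
logging host 192.0.2.10
snmp-server group MON v3 priv
line vty 0 4
 transport input ssh
"""

# Constructed later pull: a GRE tunnel added, resolver redirected, an extra local
# account, syslog destination removed, v2c community string and telnet re-enabled.
CURRENT_CONFIG = """\
hostname edge-rtr1
username netops secret 9 $9$placeholder
username svc_backup privilege 15 secret 9 $9$placeholder
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
interface Tunnel0
 ip address 10.99.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.7
ip name-server 198.51.100.53
snmp-server community public RO
snmp-server group MON v3 priv
line vty 0 4
 transport input telnet ssh
"""

DEFAULT_COMMUNITIES = {"public", "private", "cisco"}


def parse_config(text):
    """Flatten a config into (section, line) tuples so indented lines such as
    'tunnel destination ...' stay tied to the interface or line block they sit in."""
    entries, section = [], None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "!":
            continue
        if raw[0] in " \t":
            entries.append((section, stripped))
        else:
            section = stripped
            entries.append((None, section))
    return entries


def config_drift(baseline_text, current_text):
    """Return (added, removed) sets of config entries relative to the baseline."""
    base, cur = set(parse_config(baseline_text)), set(parse_config(current_text))
    return cur - base, base - cur


def flag_indicators(added, removed):
    """Map raw drift onto the adversary behaviours named in the Talos warning."""
    findings = []
    for section, line in sorted(added, key=str):
        if section is None and line.startswith("interface Tunnel"):
            findings.append(f"tunnel interface created: {line} (IOS tunnels are GRE by default)")
        elif section and section.startswith("interface Tunnel") and line.startswith("tunnel destination"):
            findings.append(f"{section}: {line}")
        elif section is None and line.startswith("username "):
            findings.append(f"new local account: {line.split()[1]}")
    old_dns = sorted(l for _, l in removed if l.startswith("ip name-server"))
    new_dns = sorted(l for _, l in added if l.startswith("ip name-server"))
    if old_dns and new_dns:
        findings.append(f"DNS resolver changed: {old_dns} -> {new_dns}")
    if any(l.startswith("logging host") for _, l in removed):
        findings.append("syslog destination removed (defense weakening)")
    return findings


def audit_hardening(config_text):
    """Static checks against the advisory's recommendations."""
    entries = parse_config(config_text)
    findings = []
    for section, line in entries:
        words = line.split()
        if line.startswith("snmp-server community") and len(words) >= 3:
            kind = "default" if words[2].lower() in DEFAULT_COMMUNITIES else "v1/v2c"
            findings.append(f"{kind} SNMP community string '{words[2]}' (use SNMPv3 authPriv)")
        elif section and section.startswith("line vty") and line.startswith("transport input"):
            if "telnet" in words or "all" in words:
                findings.append(f"{section}: cleartext management enabled ({line})")
        elif line == "ip http server":
            findings.append("plaintext HTTP management enabled (disable or use ip http secure-server)")
        elif line.startswith("enable password"):
            findings.append("'enable password' in use; use 'enable secret'")
    if not any(l.startswith("snmp-server group") and {"v3", "priv"} <= set(l.split()) for _, l in entries):
        findings.append("no SNMPv3 authPriv group configured")
    return findings


if __name__ == "__main__":
    added, removed = config_drift(BASELINE_CONFIG, CURRENT_CONFIG)
    for finding in flag_indicators(added, removed) + audit_hardening(CURRENT_CONFIG):
        print("FINDING:", finding)
```

In practice the snapshots would be pulled over SSH or NETCONF on a schedule, with the baseline kept in version control, and any non-empty drift list on a perimeter device treated as an incident trigger rather than a ticket. One caveat follows directly from the last item on Talos’s list: configuration that has been masked from normal show commands will not appear in a pulled config at all, so config diffing needs to be paired with out-of-band traffic and flow monitoring and with the vendor’s image and runtime integrity checks.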