The news media seems obsessed with Russians. Whether it is their involvement in the election, relationship with Donald Trump, or assassinating ex-spies, there doesn’t seem to be a day without some scandal involving the Russians. On April 16th the United States Computer Emergency Readiness Team (US-CERT), a part of the Department of Homeland Security, released TA18-106A. US-CERT releases Technical Alerts (TA) to provide timely information about current security issues, vulnerabilities, and exploits. You can subscribe to these alerts on their website (us-cert.gov). I have received these alerts for years; many are very technical and some are not related to our clients or YHB but they are generally timely and enlightening.
Maybe I am naive but I don’t understand why the Russians have become our enemies over the last few years. The TA states that the US Government has received information from multiple sources, both public and private, that cyber-actors have been exploiting routers and switches worldwide since 2015. The US Government assesses that cyber-actors supported by the Russian government carried out this campaign to exploit these devices. Again, maybe I am naive, but I trust our government and will take what they say as true. Whoever the cyber-actors or their supporters might be, there is a lot of good security information in this Alert about the process of the attacks and how to defend yourself.
I recommend reading this TA for the details but I will highlight some items that I found interesting.
A great statement to remember: “Own the Router, Own the Traffic.” If a cyber-actor establishes a presence on a gateway router, they can then monitor, modify, and deny traffic to and from the organization. If the actor establishes a presence on an internal router or switch, they can capture information flowing across these devices and potentially acquire credentials to other systems and other information from the network. Many times the updating and patching of these infrastructure devices takes a backseat to other patching processes. You should make sure that these systems are maintained and updated proactively.
The alert describes the attacks in six stages. Here is how the TA describes these stages:
Stage 1: Reconnaissance. Actors scan internet addresses looking for identifiable services and open ports. This can lead to identification of devices and vulnerable systems.
Stage 2: Weaponization and Stage 3: Delivery. Actors send specially crafted SNMP and SMI packets that trigger the scanned device to send its configuration file to a cyber-actor-controlled host. The configuration file can then be analyzed and used to derive legitimate credentials.
Stage 4: Exploitation. “Legitimate user masquerade” was found to be the primary method used to exploit the targets. Once the actors have legitimate credentials, they can authenticate to the device remotely through Telnet, SSH, or the web management interface.
Stage 5: Installation. In November 2016, the Smart Install Exploitation Tool (SIET) was posted on the Internet. This tool takes advantage of SMI, an unauthenticated management protocol that allows an administrator to remotely install and overwrite the Cisco router or switch configuration file. With this capability, the cyber-actor can “modify the device configuration or upload maliciously modified OS or firmware.”
Stage 6: Command and Control. Once the cyber-actor can masquerade as a legitimate user, they can freely log in and use these devices to create a man-in-the-middle scenario from which they can extract more information or capture data traffic.
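The stages above map onto traffic a defender can actually watch for: SMI and SNMP requests reaching a router or switch from somewhere other than the management network (stages 2 and 3), followed by a Telnet, SSH or web login from that same source (stage 4). The script below is an added example, not code from US-CERT or from the original post. It assumes a constructed flow-log line format (`<timestamp> src=<ip> dst=<ip> proto=<tcp|udp> dport=<port>`), a constructed trusted management network and a constructed list of infrastructure devices; it relies on the fact that Cisco Smart Install listens on TCP/4786 and SNMP on UDP/161. Real NetFlow or firewall exports would need their own parser.

```python
"""Flag management-plane traffic matching the TA18-106A attack stages.

Added example; not code from US-CERT or from the original post.
Assumes a constructed flow-log line format
    <timestamp> src=<ip> dst=<ip> proto=<tcp|udp> dport=<port>
plus constructed trusted management networks and infrastructure devices.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Ports tied to the stages in the alert, mapped to (stage label, description).
# Smart Install (SMI) listens on TCP/4786; SNMP on UDP/161.
WATCHED_PORTS: Dict[Tuple[str, int], Tuple[str, str]] = {
    ("tcp", 4786): ("config-retrieval", "Smart Install (SMI)"),
    ("udp", 161): ("config-retrieval", "SNMP"),
    ("tcp", 23): ("masquerade", "Telnet login"),
    ("tcp", 22): ("masquerade", "SSH login"),
    ("tcp", 80): ("masquerade", "HTTP management interface"),
    ("tcp", 443): ("masquerade", "HTTPS management interface"),
}

# Constructed: where legitimate administration is expected to come from.
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]
# Constructed: the routers and switches being protected.
INFRA_DEVICES: Set[IPAddress] = {
    ipaddress.ip_address("192.0.2.10"),
    ipaddress.ip_address("192.0.2.11"),
}


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    dst: str
    dport: int
    stage: str
    detail: str


def parse_flow(line: str):
    """Return (ts, src, dst, proto, dport) from one constructed flow line."""
    ts, *rest = line.split()
    fields = dict(kv.split("=", 1) for kv in rest)
    return (
        ts,
        ipaddress.ip_address(fields["src"]),
        ipaddress.ip_address(fields["dst"]),
        fields["proto"].lower(),
        int(fields["dport"]),
    )


def is_trusted(addr: IPAddress) -> bool:
    return any(addr in net for net in TRUSTED_MGMT_NETS)


def find_suspicious(lines) -> List[Alert]:
    """Management-plane connections to infra devices from untrusted sources."""
    alerts: List[Alert] = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, dport = parse_flow(line)
        hit = WATCHED_PORTS.get((proto, dport))
        if hit is None or dst not in INFRA_DEVICES or is_trusted(src):
            continue
        stage, detail = hit
        alerts.append(Alert(ts, str(src), str(dst), dport, stage, detail))
    return alerts


def chained_sources(alerts: List[Alert]) -> List[str]:
    """Sources seen both pulling a config (stages 2-3) and logging in (stage 4).

    One stray SNMP probe is noise; the same untrusted host retrieving a
    configuration and also authenticating is the sequence the alert describes.
    """
    seen: Dict[str, Set[str]] = defaultdict(set)
    for a in alerts:
        seen[a.src].add(a.stage)
    needed = {"config-retrieval", "masquerade"}
    return sorted(s for s, stages in seen.items() if needed <= stages)


SAMPLE_LOG = """\
# constructed flow records
2018-04-16T10:00:01Z src=10.10.0.5 dst=192.0.2.10 proto=tcp dport=22
2018-04-16T10:00:07Z src=203.0.113.40 dst=192.0.2.10 proto=tcp dport=4786
2018-04-16T10:00:09Z src=203.0.113.40 dst=192.0.2.10 proto=udp dport=161
2018-04-16T10:00:15Z src=198.51.100.7 dst=192.0.2.11 proto=tcp dport=23
2018-04-16T10:00:20Z src=198.51.100.7 dst=192.0.2.50 proto=tcp dport=443
2018-04-16T10:00:30Z src=203.0.113.40 dst=192.0.2.10 proto=tcp dport=8080
2018-04-16T10:12:44Z src=203.0.113.40 dst=192.0.2.10 proto=tcp dport=23
"""

if __name__ == "__main__":
    found = find_suspicious(SAMPLE_LOG.splitlines())
    for a in found:
        print(f"{a.ts} {a.src} -> {a.dst}:{a.dport} [{a.stage}] {a.detail}")
    print("config retrieval plus login from:", chained_sources(found))
```

On the constructed sample, the SSH session from the trusted management network is ignored, the HTTPS connection to a host that is not an infrastructure device is ignored, and the four remaining hits include one source that both pulled the configuration over SMI and SNMP and later logged in over Telnet, which is the chain worth paging someone about. The same filter doubles as a configuration check: any hit on TCP/4786 from outside the management network means Smart Install is still reachable and should be disabled or filtered, as the TA recommends.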
There are more details in the TA as well as some solutions to guard against these types of attacks. I recommend reading this alert as well as subscribing to these alerts from US-CERT. While not all of them will apply to your environment, they do provide good, timely information. As the saying goes: Knowledge is Power. The bad guys know this saying and we need to stay a step ahead of them!
Throughout his time at YHB Curtis has provided IT audit and consulting to clients, even while holding the position of the firm’s IT director for several years. Now, as head of the YHB Risk Advisory Services Team, Curtis focuses on assisting organizations in a variety of industries with internal audits and IT-related audit and consulting services. Also, he frequently speaks and gives presentations on SOX compliance, internal controls, and data security.