Building a slide deck, pitch, or presentation? Here are the big takeaways:
- The US and UK joint statement says that Russian state-sponsored hackers are compromising routers and other network devices to create man-in-the-middle positions for harvesting data.
- This is the latest of a string of reports over the last two months indicating that hackers are taking a particular interest in routers.
Russian state-sponsored hackers are leveraging vulnerabilities in routers and other network infrastructure devices to target governments, private-sector organizations, infrastructure providers, and ISPs, according to a joint statement issued on Monday from the United States Department of Homeland Security (DHS), Federal Bureau of Investigation (FBI), and the National Cyber Security Centre (NCSC) in the United Kingdom.
The report notes that routers are high-value targets. Given the position routers occupy in normal network operations, the ability to use these devices for man-in-the-middle attacks is extremely attractive to attackers. And considering the multitude of models router vendors produce, and the difficulty of supporting and updating so many devices, the relative insecurity of routers (particularly devices intended for home or home-office use) makes them low-hanging fruit.
The attacks appear to rely primarily on sending crafted SNMP and SMI messages to exposed devices, which causes those devices to send their configuration files back to attacker-controlled hosts. Of note, design weaknesses in SMI, otherwise known as Cisco Smart Install (a zero-touch provisioning feature for Cisco switches that by design accepts commands without authentication), were the subject of an alert from Cisco's Talos Intelligence team, which warned earlier this month that nation-state actors were leveraging the protocol to gain control of critical infrastructure, though the report stopped short of naming which nation was responsible. Days later, a report from Kaspersky Lab indicated that someone was using the same methods to attack vulnerable systems in Russia and Iran, leaving behind the message "Don't mess with our elections" followed by an ASCII rendition of the American flag.
The joint report indicates that once attackers have pulled configuration data through SMI or SNMP, "for the most part, cyber actors are able to easily obtain legitimate credentials, which they then use to access routers." That access lets the attacker act as a man-in-the-middle and go further: exfiltrate additional network configuration data, modify device configurations, copy the device's operating system to an external server, create GRE tunnels, and mirror or redirect network traffic.
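Why an exfiltrated configuration file translates so directly into working credentials is worth spelling out. The following Python is an added example, not code from the joint report or this article: it parses a constructed Cisco IOS configuration snippet and decodes "type 7" strings, the output of IOS's service password-encryption, which is a fixed-key XOR obfuscation rather than a hash. The article does not name this scheme; it is a long-documented property of IOS. The config lines, hostnames, hash value and seed values below are sample data constructed for the example.

```python
"""Recover credentials from an exfiltrated Cisco IOS configuration.

Added example: IOS "type 7" strings (service password-encryption) are a
fixed-key XOR, so anyone holding the config can reverse them; hashed types
(5/8/9) are only crackable offline. The configuration below is constructed.
"""
import re

# Publicly documented key stream used by the IOS type 7 scheme
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(enc: str) -> str:
    """Two decimal seed digits select the key offset; the rest is hex ciphertext."""
    if len(enc) < 4 or len(enc) % 2 or not enc[:2].isdigit():
        raise ValueError(f"malformed type 7 string: {enc!r}")
    seed = int(enc[:2])
    data = bytes.fromhex(enc[2:])  # ValueError on non-hex input
    plain = bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(data))
    return plain.decode("latin-1")


def type7_encode(plain: str, seed: int = 7) -> str:
    """Inverse of type7_decode; included to show the scheme is symmetric."""
    if not 0 <= seed <= 15:
        raise ValueError("IOS uses seeds 00-15")
    data = plain.encode("latin-1")
    enc = bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(data))
    return f"{seed:02d}{enc.hex().upper()}"


CRED_RE = re.compile(r"\b(?:password|secret|key)\s+(\d)\s+(\S+)")
SNMP_RE = re.compile(r"^\s*snmp-server community\s+(\S+)", re.MULTILINE)

# Constructed sample, not a real device configuration
SAMPLE_CONFIG = """\
! constructed sample, not a real device configuration
hostname edge-rtr-1
username admin privilege 15 password 7 070C285F4D06
enable secret 5 $1$XyZ1$notarealhash0000000000
snmp-server community public RO
tacacs-server key 7 020700560208
line vty 0 4
 password 7 0822455D0A16
 transport input telnet
"""


def harvest_credentials(config: str) -> list:
    """Return (config_line, kind, secret) for each credential found."""
    found = []
    for line in config.splitlines():
        m = CRED_RE.search(line)
        if not m:
            continue
        ptype, value = m.groups()
        if ptype == "0":
            found.append((line.strip(), "plaintext", value))
        elif ptype == "7":
            found.append((line.strip(), "type7-decoded", type7_decode(value)))
        else:
            found.append((line.strip(), f"type{ptype}-hash", value))  # crack offline only
    for m in SNMP_RE.finditer(config):
        found.append((m.group(0).strip(), "snmp-community", m.group(1)))
    return found


if __name__ == "__main__":
    for line, kind, secret in harvest_credentials(SAMPLE_CONFIG):
        print(f"{kind:15} {secret:30} <- {line}")
```

Run against the sample, the script recovers the vty and local-user passwords and the TACACS key outright, prints the SNMP community string as-is, and lists the enable secret as a hash that would need offline cracking. The practical lesson matches the report's advice: treat a leaked configuration as a full credential compromise, and rotate everything in it.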
To reduce the risk to your organization, the report advises blocking Telnet entirely, as well as SNMPv1 and v2c, and reviewing logs for SNMP traffic, noting that "Any correlation of inbound or spoofed SNMP closely followed by outbound TFTP should be cause for alarm and further inspection."
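The detection heuristic quoted above can be turned into a simple flow-log correlation. The following Python is an added example, not from the report or the article: it reads a constructed NetFlow-style CSV, flags SNMP requests to managed devices that either arrive from outside the trusted poller range or spoof a poller address on the WAN-facing interface, and alerts when the same device opens an outbound TFTP session within a short window. The column layout, address ranges, interface names and 120-second window are assumptions; the sample rows are constructed.

```python
"""Correlate inbound or spoofed SNMP with outbound TFTP from the same device.

Added example: flow records are a constructed NetFlow-style CSV, and the
column layout, address ranges and 120-second window are assumptions.
"""
import csv
import io
import ipaddress
from datetime import datetime, timedelta

MGMT_NET = ipaddress.ip_network("10.0.0.0/24")     # trusted SNMP pollers (assumed)
DEVICE_NET = ipaddress.ip_network("192.0.2.0/24")  # managed routers (assumed)
WINDOW = timedelta(seconds=120)

# Constructed sample: ts, ingress interface, src, sport, dst, dport, proto
SAMPLE_FLOWS = """\
ts,ingress,src,sport,dst,dport,proto
2018-04-16T09:00:00,wan,203.0.113.7,40211,192.0.2.1,161,udp
2018-04-16T09:00:03,lan,192.0.2.1,49152,203.0.113.7,69,udp
2018-04-16T09:05:00,lan,10.0.0.5,50000,192.0.2.2,161,udp
2018-04-16T09:05:01,lan,192.0.2.2,49153,10.0.0.5,69,udp
2018-04-16T09:10:00,wan,10.0.0.9,41000,192.0.2.3,161,udp
2018-04-16T09:10:40,lan,192.0.2.3,49154,198.51.100.20,69,udp
2018-04-16T09:20:00,wan,203.0.113.8,40300,192.0.2.4,161,udp
2018-04-16T10:20:00,lan,192.0.2.4,49155,203.0.113.8,69,udp
"""


def parse_flows(text):
    """Parse the CSV into dicts with typed fields, oldest first."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        flows.append({
            "ts": datetime.fromisoformat(row["ts"]),
            "ingress": row["ingress"],
            "src": ipaddress.ip_address(row["src"]),
            "dst": ipaddress.ip_address(row["dst"]),
            "dport": int(row["dport"]),
            "proto": row["proto"].lower(),
        })
    return sorted(flows, key=lambda f: f["ts"])


def snmp_suspicion(flow):
    """Return why an SNMP request to a managed device is suspect, or None."""
    if flow["proto"] != "udp" or flow["dport"] != 161 or flow["dst"] not in DEVICE_NET:
        return None
    if flow["src"] not in MGMT_NET:
        return "inbound-external"          # request from outside the poller range
    if flow["ingress"] == "wan":
        return "spoofed-internal"          # poller address seen on the outside interface
    return None                            # trusted poller on the inside: normal polling


def is_outbound_tftp(flow):
    """TFTP from a managed device to a host outside both internal ranges."""
    return (flow["proto"] == "udp" and flow["dport"] == 69
            and flow["src"] in DEVICE_NET
            and flow["dst"] not in MGMT_NET and flow["dst"] not in DEVICE_NET)


def correlate(flows, window=WINDOW):
    """Pair each suspect SNMP request with the first outbound TFTP from that device."""
    alerts = []
    for i, snmp in enumerate(flows):
        reason = snmp_suspicion(snmp)
        if reason is None:
            continue
        for later in flows[i + 1:]:
            delay = later["ts"] - snmp["ts"]
            if delay > window:
                break                      # flows are sorted, nothing later can match
            if is_outbound_tftp(later) and later["src"] == snmp["dst"]:
                alerts.append({
                    "device": str(snmp["dst"]),
                    "snmp_src": str(snmp["src"]),
                    "tftp_dst": str(later["dst"]),
                    "reason": reason,
                    "delay_s": delay.total_seconds(),
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_flows(SAMPLE_FLOWS)):
        print(alert)
```

On the sample data, two of the four SNMP/TFTP pairs alert: the request from an external address followed three seconds later by TFTP back to that address, and the request spoofing a poller address on the WAN interface followed by TFTP to a third host. The poll from a genuine internal poller with a TFTP backup to the same poller is not flagged, and neither is the pair separated by an hour. Tune the window and address ranges to your own environment; in production the same logic would run over exported flow records rather than an inline string.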
Additional mitigations include standard precautions: do not reuse passwords across devices, do not leave default device passwords in place, and do not expose device management interfaces to the internet.
Because routers are always-on and often infrequently updated, they have been under attack by other groups as well. A campaign called Roaming Mantis, seen primarily in South Korea, changed DNS settings on routers to point users to malicious websites that, in turn, prompted them to "update" apps on Android phones; the delivered payload harvested credentials, including two-factor authentication codes.
Likewise, Akamai published a report (PDF) earlier this month detailing coordinated abuse of flawed UPnP implementations on routers, in which attackers inject NAT rules to turn the router into a proxy that disguises the origin of their traffic. Akamai found 65,000 routers compromised in this way and estimated that over 4.8 million were potentially vulnerable.
In March, a separate report from Kaspersky Lab detailed the Slingshot malware, which targeted individuals, government agencies, and organizations located primarily in Kenya, Yemen, Libya, and Afghanistan. MikroTik routers were leveraged in the attack, though the exact initial-access method is unknown. Kaspersky pointed to the "Chimay Red" exploit published by WikiLeaks as part of the "Vault 7" trove, which WikiLeaks claimed originated with the CIA. That exploit had been patched some time ago, though security researcher Lorenzo Santina claimed that MikroTik's RouterOS was a "mine of vulnerability," noting that related exploits such as Chimay Blue may have been used instead.