A joint technical alert issued on Monday by the United States and the United Kingdom details how cyberspies believed to be working for the Russian government have abused various networking protocols to breach organizations.
According to the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the United Kingdom’s National Cyber Security Centre (NCSC), the hackers targeted routers, switches, firewalls, and network-based intrusion detection systems (NIDS). Their main targets have been government and private-sector organizations, critical infrastructure operators, and their Internet service providers (ISPs).
“FBI has high confidence that Russian state-sponsored cyber actors are using compromised routers to conduct man-in-the-middle attacks to support espionage, extract intellectual property, maintain persistent access to victim networks, and potentially lay a foundation for future offensive operations,” the report reads.
The first technical report from the DHS and FBI accusing Russia of cyberattacks was the GRIZZLY STEPPE report published in December 2016. Another technical report blaming Russia for cyber operations was published in March, when the U.S. accused Moscow of campaigns targeting the energy and other critical infrastructure sectors. The alert on critical infrastructure attacks was first released in October 2017, but the attacks had not been openly attributed to Russia at the time.
The latest technical alert focuses on the tactics, techniques, and procedures (TTPs) used by Russian threat actors, specifically the networking protocols they have abused in their attacks. According to authorities, the attackers identify vulnerable devices, extract their configuration, map internal network architectures, harvest login credentials, and use them to gain access to the system as privileged users. The hackers then modify the targeted device’s firmware, operating system and configuration so that the victim’s traffic is redirected through their own infrastructure.
In the reconnaissance phase of their campaign, the attackers scan the Web for devices that have Internet-facing ports and services. The targeted protocols include Telnet, HTTP, the Simple Network Management Protocol (SNMP) and Cisco’s Smart Install (SMI).
Data collected during these initial scans can help the cyberspies obtain information about the devices and the organizations using them.
In the weaponization and delivery phases of the attack, hackers send specially crafted SNMP and SMI messages that cause the targeted device to send its configuration file to an attacker-controlled server via Trivial File Transfer Protocol (TFTP). The configuration file can contain password hashes and other information that can be useful to the threat actor.
Legitimate credentials can also be obtained through brute-force attacks and other methods, and they ultimately allow the hackers to access the device via Telnet, SSH, or its web management interface.
The Cisco Smart Install Client is a legacy utility that allows no-touch installation of new Cisco switches. Attackers can abuse the SMI protocol to modify the configuration file on switches running IOS and IOS XE software, force the device to reload, load a new OS image, and execute high-privilege commands.
Hackers have been abusing insecurely configured SMI installations since 2016 when an exploitation tool was made public. Researchers also discovered recently that Smart Install is affected by a critical vulnerability (CVE-2018-0171) that can be exploited for remote code execution, but there is no indication that this flaw has been used in attacks.
Cisco has warned organizations about the risks associated with Smart Install since 2016 and it recently issued a new warning following the discovery of CVE-2018-0171. The networking giant says the protocol has been abused in critical infrastructure attacks by the Russia-linked threat group known as Dragonfly (aka Crouching Yeti and Energetic Bear).
Once they access a device with compromised credentials or via a backdoor planted by uploading a malicious OS image, attackers can mirror or redirect the victim’s traffic through their own network, the agencies said in their report. One other protocol cyberspies have abused while in a man-in-the-middle (MitM) position is Generic Routing Encapsulation (GRE), a tunneling protocol developed by Cisco.
“Cyber actors are not restricted from modifying or denying traffic to and from the victim,” the technical alert reads. “Although there are no reports of this activity, it is technically possible.”
The report from the FBI, DHS and NCSC also includes recommendations on how organizations can defend themselves against these types of attacks.