
Cisco equipment exploited by Russian spies for spying purposes

Russian state-sponsored hackers are zeroing in on exposed Cisco network equipment.


In a recent security advisory, Cisco Talos warned that CVE-2018-0171, a known vulnerability in the Smart Install feature of Cisco IOS and IOS XE software, is being actively exploited by sophisticated state-sponsored or state-affiliated APT groups, among them the Russian cyber-espionage group Static Tundra.

Static Tundra's primary objective is to collect device configuration data and establish persistent access to target networks. The group has used advanced tooling, including the SYNful Knock firmware implant and custom-built SNMP tools. Exploitation of CVE-2018-0171 itself can cause a denial of service (device reload) or allow execution of arbitrary code on affected devices.

The group has targeted organisations in several sectors, including telecommunications, higher education, and manufacturing, across North America, Asia, Africa, and Europe. Canada and Ukraine are among the most affected countries, and the group is known for going after government, military, and defence targets.

To mitigate the risk, Cisco Talos recommends that customers apply the patch for CVE-2018-0171 immediately. Where patching is not possible, the Smart Install feature should be disabled (the "no vstack" global configuration command). For devices that are too old to receive patches and on which Smart Install cannot be disabled, organisations should develop end-of-life replacement plans.

In addition to patching or disabling Smart Install, organisations are encouraged to disable Telnet and ensure it is not reachable on any virtual terminal (VTY) line of their Cisco devices. This is achieved by configuring every VTY stanza with "transport input ssh" and "transport output none".
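The three configuration checks above (Smart Install disabled, SSH-only inbound on every VTY line, no outbound transport) are easy to audit mechanically against a saved "show running-config". The following script is an added example written for this page, not Cisco or Talos tooling; both sample configs are constructed, and the parsing rules assume standard IOS indentation (one leading space for lines inside a "line vty" stanza).

```python
"""Audit a Cisco IOS running-config for the Smart Install and VTY hardening
steps above. Added illustrative example; the configs are constructed."""
import re

# Constructed sample: the weak configuration. Smart Install stays enabled
# (no 'no vstack' line), and the VTY lines still accept Telnet.
WEAK_CONFIG = """\
hostname edge-rtr-1
!
line vty 0 4
 login local
 transport input telnet ssh
line vty 5 15
 login local
 transport input all
!
end
"""

# Constructed sample: the hardened configuration described in the text.
HARDENED_CONFIG = """\
hostname edge-rtr-1
!
no vstack
!
line vty 0 4
 login local
 transport input ssh
 transport output none
line vty 5 15
 login local
 transport input ssh
 transport output none
!
end
"""

VTY_HEADER = re.compile(r"^line (vty \d+(?: \d+)?)$")


def parse_vty_stanzas(config):
    """Return {'vty 0 4': ['login local', ...]} for each 'line vty' block.
    A stanza ends at the first line that is not indented."""
    stanzas = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = VTY_HEADER.match(line)
        if m:
            current = m.group(1)
            stanzas[current] = []
            continue
        if current is not None:
            if line.startswith(" "):
                stanzas[current].append(line.strip())
            else:
                current = None
    return stanzas


def audit(config):
    """Return a list of findings; an empty list means all checks passed."""
    findings = []
    lines = {l.strip() for l in config.splitlines()}
    # Smart Install is on by default on affected platforms, so the absence of
    # 'no vstack' in the saved config means the feature is exposed.
    if "no vstack" not in lines:
        findings.append("smart-install: 'no vstack' missing; Smart Install is likely enabled")
    stanzas = parse_vty_stanzas(config)
    if not stanzas:
        findings.append("vty: no 'line vty' stanzas found")
    for name, body in stanzas.items():
        inputs = [l for l in body if l.startswith("transport input")]
        outputs = [l for l in body if l.startswith("transport output")]
        # No 'transport input' line means the platform default, which may permit Telnet.
        if inputs != ["transport input ssh"]:
            findings.append(f"{name}: expected 'transport input ssh', found {inputs or 'platform default'}")
        if outputs != ["transport output none"]:
            findings.append(f"{name}: expected 'transport output none', found {outputs or 'platform default'}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or "OK")
```

The audit works on the saved configuration only; on the device itself, "show vstack config" is the authoritative check that Smart Install is disabled, and a TCP scan for port 4786 from outside confirms that the Smart Install client is no longer listening.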

Furthermore, comprehensive monitoring of authentication, authorisation, and command execution is essential, together with configuration management that follows best practice, including regular audits. Monitoring Syslog and AAA records for unusual activity, such as a drop in the normal volume of logging events or a gap in logged activity, can reveal an intruder who has tampered with logging to hide their tracks.

To detect changes to network devices, build a profile (fingerprint) of each device via NetFlow and port scanning and compare against it over time. Develop NetFlow visibility where possible so that unusual volumetric changes stand out. Non-empty or unusually large .bash_history files on devices are a further indicator of potential unauthorised access.
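The detection advice above (a drop in logging volume, a gap in logged activity, and risky commands in AAA command accounting) can be turned into simple checks over exported logs. The script below is an added example for this page, not Talos detection content; the syslog and AAA accounting lines are constructed, their format is simplified, and the thresholds (a 30-minute gap, half the median hourly volume) are illustrative values to tune per environment.

```python
"""Flag logging gaps, hourly volume drops and risky configuration commands
in device logs. Added example; all log lines below are constructed."""
import re
from collections import Counter
from datetime import datetime, timedelta

SYSLOG_RE = re.compile(r"^(\S+) (\S+) (%[A-Z0-9_-]+-\d-[A-Z0-9_]+): (.*)$")


def build_sample_syslog():
    """Constructed sample: one message every 10 minutes from 00:00 to 12:00,
    except a silent window 05:00-08:00 in which the device reports nothing."""
    lines = []
    t = datetime(2025, 8, 20, 0, 0)
    end = datetime(2025, 8, 20, 12, 0)
    while t < end:
        if not (5 <= t.hour < 8):
            lines.append(f"{t.isoformat()} edge-rtr-1 %SEC-6-IPACCESSLOGP: "
                         "list 101 denied tcp 203.0.113.5(4444) -> 192.0.2.1(23), 1 packet")
        t += timedelta(minutes=10)
    return lines


def parse_timestamps(lines):
    """Extract and sort the timestamps of well-formed syslog lines."""
    out = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if m:
            out.append(datetime.fromisoformat(m.group(1)))
    return sorted(out)


def find_gaps(timestamps, max_gap=timedelta(minutes=30)):
    """Return (last_seen, next_seen) pairs where silence exceeded max_gap."""
    return [(a, b) for a, b in zip(timestamps, timestamps[1:]) if b - a > max_gap]


def low_volume_hours(timestamps, min_fraction=0.5):
    """Report hours (including empty ones inside the observed range) whose event
    count falls below min_fraction of the median hourly count."""
    if not timestamps:
        return []
    counts = Counter(t.replace(minute=0, second=0, microsecond=0) for t in timestamps)
    hour, last = min(counts), max(counts)
    while hour <= last:                 # fill in hours with zero events
        counts.setdefault(hour, 0)
        hour += timedelta(hours=1)
    ordered = sorted(counts.values())
    median = ordered[len(ordered) // 2]
    return sorted(h for h, c in counts.items() if c < median * min_fraction)


# Constructed AAA command-accounting records (simplified format).
AAA_SAMPLE = [
    "2025-08-20T09:14:02 edge-rtr-1 tty=vty0 user=admin cmd=show running-config <cr>",
    "2025-08-20T09:15:40 edge-rtr-1 tty=vty0 user=admin cmd=no logging host 10.20.0.5 <cr>",
    "2025-08-20T09:16:01 edge-rtr-1 tty=vty0 user=admin cmd=vstack <cr>",
    "2025-08-20T09:16:30 edge-rtr-1 tty=vty0 user=admin cmd=snmp-server community public RW <cr>",
]

# Commands worth an alert: they weaken logging, re-expose Smart Install,
# change SNMP credentials, or re-open Telnet on a line.
RISKY = [
    (r"\bno logging\b", "logging reduced"),
    (r"^(?!no )vstack\b", "Smart Install re-enabled"),
    (r"snmp-server community", "SNMP community changed"),
    (r"transport input (telnet|all)", "telnet permitted on a line"),
]


def risky_commands(aaa_lines):
    """Return (command, reason) for each accounting record matching RISKY."""
    hits = []
    for line in aaa_lines:
        m = re.search(r"cmd=(.*?) <cr>", line)
        if not m:
            continue
        cmd = m.group(1).strip()
        hits.extend((cmd, why) for pattern, why in RISKY if re.search(pattern, cmd))
    return hits


if __name__ == "__main__":
    ts = parse_timestamps(build_sample_syslog())
    print("gaps:", find_gaps(ts))
    print("quiet hours:", low_volume_hours(ts))
    print("risky commands:", risky_commands(AAA_SAMPLE))
```

On the constructed data, the gap detector reports a single silent interval from 04:50 to 08:00, the volume check flags hours 05, 06 and 07, and the AAA scan flags the three commands that disable a syslog host, re-enable Smart Install and change an SNMP community. In production the same logic should run on logs collected off-box, since an intruder with device access can edit or disable local logging.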

Lastly, follow the Cisco Hardening Guides when configuring devices, and monitor the environment for unusual changes in behaviour or configuration.

In the face of increasing cyber threats, it is crucial for organisations to stay vigilant and proactive in securing their networks and systems. By following the recommended best practices and staying updated on security advisories, companies can better protect themselves against sophisticated cyber attacks like those from Static Tundra.
