ASD recommends improving router hygiene to counter Russian threat
The Australian Signals Directorate (ASD) has taken part in releasing a joint Cybersecurity Advisory (CSA) warning that Russian Federal Security Service (FSB) Center 16 cyber actors continue to exploit poorly configured and vulnerable networking devices worldwide, opportunistically compromising multiple critical infrastructure sector networks.
This CSA builds on the FBI’s Russian Government Cyber Actors Targeting Networking Devices, Critical Infrastructure Public Service Announcement of the decade-plus FSB Center 16 cyber activity by providing additional tactics, techniques and procedures (TTPs) to enable defenders to more fully understand and counter the threat.
The authoring and co-sealing agencies involved in the CSA strongly urge device owners and network defenders to take mitigation and remediation actions against Russian Government-sponsored exploitation of vulnerable routers.
Adversary techniques involve scanning using SNMP requests to IP addresses looking for devices responding with SNMP v1/v2, then attempting to gain router access using default or common SNMP community strings. Successful SNMP access lets the actor use OIDs to command the router to copy its configuration and send it via TFTP to a VPS leased by the actor or a compromised FTP server.
Mitigation actions
The following basic mitigation actions are recommended:
- Implement SNMP v3: Configure SNMP v3 on network devices as it replaces insecure community strings with strong authentication and securely encrypts data.
- Secure passwords: Store passwords securely in network device configurations to prevent reuse of passwords from compromised devices. On Cisco devices, use Type 8 passwords, and avoid insecure Type 0, 4 and 7.
- Disable Cisco Smart Install: Cisco Smart Install is a feature designed for initial router configuration; however, it can introduce security risks if left enabled. Be sure to disable it once the initial configuration is complete.
- Block SNMP, TFTP and SMI at the firewall: Deny inbound and outbound traffic on UDP port 69 (TFTP), TCP port 4786 (SMI), UDP ports 161/162 (SNMP), and TCP/UDP ports 10161/10162 (SNMP v3) at edge firewall devices.
Targeting details
Critical infrastructure sectors most at risk from the Russian Federal Security Service (FSB) Center 16 cyber actors’ targeting include: communications, the defence industrial base, energy, financial services, government services and facilities (especially at the state and local level) and health care.
While SNMP scanning is the primary method the actors use to discover and exploit poorly configured networking devices, they occasionally exploit common vulnerabilities and exposures (CVEs) in Cisco devices, Cisco’s Smart Install (SMI) functionality, and web portals to manage network devices.
More detailed mitigation advice can be found here.
ACSC releases cybersecurity video training for privileged users
A series of training videos offers a practical, engaging way for privileged information and...
ACSC critical alert for Fortinet Firewalls and VPN Gateways
The Australian Cyber Security Centre has raised an alert that it is aware a widespread malicious...
Home Affairs announces Horizon 2 of national cybersecurity strategy
The Department of Home Affairs has announced a new program of work under Horizon 2 of the...
