Improve Router Hygiene to Protect Against Russian State-Sponsored Targeting

Improve Router Hygiene to Protect Against Russian State-Sponsored Targeting
Russian FSB Center 16 actors are exploiting poorly configured routers and other networking devices worldwide, with a focus on critical infrastructure sectors such as communications, energy, government, and healthcare. The advisory recommends disabling Cisco Smart Install, upgrading to SNMPv3, restricting management access, and patching vulnerable devices to reduce exposure to this long-running activity. #FSBCenter16 #CiscoSmartInstall #SNMPv3 #TFTP #CVE-2008-4128

Keypoints

  • Russian FSB Center 16 cyber actors are continuing decade-plus operations against poorly configured and vulnerable networking devices.
  • The activity opportunistically targets critical infrastructure networks worldwide, including communications, defense industrial base, energy, financial services, government, and healthcare.
  • The main intrusion method is scanning for Internet-facing routers with SNMP agents that accept default or common community strings.
  • Actors use spoofed SNMP Set-Requests to trigger configuration collection and transfer files such as “config.bkp” or “output.txt” to actor-controlled infrastructure.
  • They also exploit known Cisco vulnerabilities, Cisco Smart Install, and web portals for network device management when available.
  • The advisory highlights mitigation steps such as disabling SNMPv1/v2 and Cisco Smart Install, using SNMPv3, restricting management access, and blocking risky ports and protocols.
  • The report notes overlap with tactics used by other groups, including Salt Typhoon, and provides MITRE ATT&CK mappings and defensive guidance.

MITRE Techniques

  • [T1595.001] Active Scanning: Scanning IP Blocks – The actors scan Internet IP ranges to find exposed devices [(‘scan range of IP addresses’)]
  • [T1595.002] Active Scanning: Vulnerability Scanning – They scan for vulnerable or misconfigured devices that can be exploited [(‘scan victims for vulnerabilities that can be used during targeting’)]
  • [T1583.003] Acquire Infrastructure: Virtual Private Servers – They use leased VPS infrastructure to receive stolen data and support operations [(‘transfer the file … to an actor-controlled leased virtual private server (VPS)’)]
  • [T1584.008] Compromise Infrastructure: Network Devices – They compromise intermediate routers as part of their infrastructure [(‘compromise intermediate routers’)]
  • [T1588.005] Obtain Capabilities: Exploits – They use publicly available exploit code against vulnerable devices [(‘use publicly available code to exploit vulnerable devices’)]
  • [T1190] Exploit Public-Facing Application – They exploit public-facing Cisco CVEs and management portals [(‘exploit publicly known CVEs’)]
  • [T1090] Proxy – They run scans via proxies and use VPS/compromised servers as relay infrastructure [(‘scans, run via proxies’)]
  • [T1569] System Services – They execute commands through SNMP on network devices [(‘executing commands via SNMP’)]
  • [T1068] Exploitation for Privilege Escalation – They exploit known CVEs to gain elevated access [(‘exploit publicly known CVEs for escalated privileges’)]
  • [T1027] Obfuscated Files or Information – They spoof the source IP address so activity appears to come from another host [(‘containing … from a spoofed IP address’)]
  • [T1003] OS Credential Dumping – They collect router configurations containing weak Cisco password types [(‘collect router configuration with weak Cisco Type 7 passwords and Type 0’)]
  • [T1602.001] Data from Configuration Repository: SNMP (MIB Dump) – They target MIB data to gather network information [(‘Target MIB to collect network information via SNMP’)]
  • [T1602.002] Data from Configuration Repository: Network Device Configuration Dump – They copy device configs to obtain credentials and settings [(‘copy its configuration to a file’)]
  • [T1071] Application Layer Protocol – They use TFTP and FTP to move data and expose services [(‘including TFTP and FTP’)]
  • [T1048] Exfiltration Over Alternative Protocol – They exfiltrate data over TFTP instead of the primary C2 channel [(‘Exfiltrating over a different protocol than that of the existing command and control channel’)]

Indicators of Compromise

  • [File names] configuration copies collected from routers – “config.bkp”, “output.txt”
  • [OIDs] SNMP configuration-copy activity and server target location – 1.3.6.1.4.1.9.9.96.1.1, 1.3.6.1.4.1.9.9.96.1.1.1.1.5
  • [Ports/protocols] management and exfiltration traffic to watch for – UDP 69 (TFTP), TCP 4786 (Cisco Smart Install), UDP 161/162 (SNMP)
  • [Port/protocols] SNMPv3 and related management traffic – TCP/UDP 10161/10162
  • [CVE] vulnerable Cisco device exploitation mentioned in the advisory – CVE-2008-4128, and other unspecified Cisco CVEs
  • [Threat group names] related actor naming used by industry – Berserk Bear, Energetic Bear, Crouching Yeti, Dragonfly, Ghost Blizzard, Static Tundra


Read more: https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-194a