Russian FSB Center 16 actors are exploiting poorly configured routers and other networking devices worldwide, with a focus on critical infrastructure sectors such as communications, energy, government, and healthcare. The advisory recommends disabling Cisco Smart Install, upgrading to SNMPv3, restricting management access, and patching vulnerable devices to reduce exposure to this long-running activity. #FSBCenter16 #CiscoSmartInstall #SNMPv3 #TFTP #CVE-2008-4128
Keypoints
- Russian FSB Center 16 cyber actors are continuing decade-plus operations against poorly configured and vulnerable networking devices.
- The activity opportunistically targets critical infrastructure networks worldwide, including communications, defense industrial base, energy, financial services, government, and healthcare.
- The main intrusion method is scanning for Internet-facing routers with SNMP agents that accept default or common community strings.
- Actors use spoofed SNMP Set-Requests to trigger configuration collection and transfer files such as âconfig.bkpâ or âoutput.txtâ to actor-controlled infrastructure.
- They also exploit known Cisco vulnerabilities, Cisco Smart Install, and web portals for network device management when available.
- The advisory highlights mitigation steps such as disabling SNMPv1/v2 and Cisco Smart Install, using SNMPv3, restricting management access, and blocking risky ports and protocols.
- The report notes overlap with tactics used by other groups, including Salt Typhoon, and provides MITRE ATT&CK mappings and defensive guidance.
MITRE Techniques
- [T1595.001] Active Scanning: Scanning IP Blocks â The actors scan Internet IP ranges to find exposed devices [(âscan range of IP addressesâ)]
- [T1595.002] Active Scanning: Vulnerability Scanning â They scan for vulnerable or misconfigured devices that can be exploited [(âscan victims for vulnerabilities that can be used during targetingâ)]
- [T1583.003] Acquire Infrastructure: Virtual Private Servers â They use leased VPS infrastructure to receive stolen data and support operations [(âtransfer the file ⌠to an actor-controlled leased virtual private server (VPS)â)]
- [T1584.008] Compromise Infrastructure: Network Devices â They compromise intermediate routers as part of their infrastructure [(âcompromise intermediate routersâ)]
- [T1588.005] Obtain Capabilities: Exploits â They use publicly available exploit code against vulnerable devices [(âuse publicly available code to exploit vulnerable devicesâ)]
- [T1190] Exploit Public-Facing Application â They exploit public-facing Cisco CVEs and management portals [(âexploit publicly known CVEsâ)]
- [T1090] Proxy â They run scans via proxies and use VPS/compromised servers as relay infrastructure [(âscans, run via proxiesâ)]
- [T1569] System Services â They execute commands through SNMP on network devices [(âexecuting commands via SNMPâ)]
- [T1068] Exploitation for Privilege Escalation â They exploit known CVEs to gain elevated access [(âexploit publicly known CVEs for escalated privilegesâ)]
- [T1027] Obfuscated Files or Information â They spoof the source IP address so activity appears to come from another host [(âcontaining ⌠from a spoofed IP addressâ)]
- [T1003] OS Credential Dumping â They collect router configurations containing weak Cisco password types [(âcollect router configuration with weak Cisco Type 7 passwords and Type 0â)]
- [T1602.001] Data from Configuration Repository: SNMP (MIB Dump) â They target MIB data to gather network information [(âTarget MIB to collect network information via SNMPâ)]
- [T1602.002] Data from Configuration Repository: Network Device Configuration Dump â They copy device configs to obtain credentials and settings [(âcopy its configuration to a fileâ)]
- [T1071] Application Layer Protocol â They use TFTP and FTP to move data and expose services [(âincluding TFTP and FTPâ)]
- [T1048] Exfiltration Over Alternative Protocol â They exfiltrate data over TFTP instead of the primary C2 channel [(âExfiltrating over a different protocol than that of the existing command and control channelâ)]
Indicators of Compromise
- [File names] configuration copies collected from routers â âconfig.bkpâ, âoutput.txtâ
- [OIDs] SNMP configuration-copy activity and server target location â 1.3.6.1.4.1.9.9.96.1.1, 1.3.6.1.4.1.9.9.96.1.1.1.1.5
- [Ports/protocols] management and exfiltration traffic to watch for â UDP 69 (TFTP), TCP 4786 (Cisco Smart Install), UDP 161/162 (SNMP)
- [Port/protocols] SNMPv3 and related management traffic â TCP/UDP 10161/10162
- [CVE] vulnerable Cisco device exploitation mentioned in the advisory â CVE-2008-4128, and other unspecified Cisco CVEs
- [Threat group names] related actor naming used by industry â Berserk Bear, Energetic Bear, Crouching Yeti, Dragonfly, Ghost Blizzard, Static Tundra
Read more: https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-194a