You are on the Cert-IST public site
Cyber-espionage, geopolitics and attacks against network devices

Date :April 07, 2018

Publication: Article

On April 16, 2018, US-CERT issued an alert (TA18-106A) titled: "Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices".

It is directed at companies and organizations, and warns against silent attacks, which since 2015 target network devices (router, switch, firewall, IDS) accessible from the Internet. These attacks aim to install backdoors on these devices (for later use) and snoop on network traffic. US-CERT attributes these attacks to Russia. Naming Russia is a highly political act, which must probably be detached from the technical analysis. The USA has apparently decided since December 2016 to name Russia as one of its major cyber adversaries (see the "Grizzly Steppe" page on the US-CERT website).

On the next day, Guillaume Poupart (Director of ANSSI - the French National Agency for  IT Security) stated, during his speech about the publication of the ANSSI annual report, that France has also detected this kind of intrusion on network devices, but that France does not attribute them specifically to Russia (see for example this interview on Europe1 radio). The CERT-FR later issued recommendations on this topic in its News Bulletin.

 

From a technical perspective, in addition to classical brute-force or social-engineering attacks to steal telnet and ssh passwords (which are very well known techniques), the TA18-106A describes 2 attack techniques:

  • SNMP v2 which allows attacker to remotely query a device and retrieve its configuration (including sometimes the administration passwords).
  • Cisco SMI (SMart Install) which is an intrinsically insecure service, installed by default on many Cisco switches. Since November 2016 an attack tool named SIET (Smart Install Exploitation Tool) is available on Internet to attack this service.
These two protocols (SNMP and SMI) have the interesting characteristic to support UDP, which can be used to perform attack with packets that use source spoofed addresses which might bypass firewall filtering mechanisms.

Note: The CERT-FR extends this list by also including UPnP and more generally administration interfaces. The TFTP service is also used during these attacks to retrieve a copy of the device firmware or install a malicious firmware on the device.

Once the device had been compromised, it has been seen alterations such as:

  • Modification of the device firmware to allow illegal access (backdoor).
  • Creation of GRE tunnels to redirect some network traffic to the attacker's infrastructures.

 

How to detect these attacks?

These attacks affect poorly protected devices (which use unsecure protocols, and are not managed through dedicated network interfaces, etc.) and probably "forgotten" (not monitored). Anyway, following theses alerts issued by national CERTs, it seems desirable that organizations conduct investigations to identify whether such poorly secured network devices exist within their perimeters, with a priority on devices exposed to Internet.

The following approach could be take into consideration:

  • Identify network equipment (by scanning networks, or based on inventories).
  • List the network services offered by the equipment. If telnet, SNMP (before V3) or Cisco SMI services are identified, then the device is in high danger and further investigation is required.
  • Check suspect devices (or more widely critical network devices) for abnormal changes on firmware or configuration. The presence of GRE tunnels must explicitly be verified.
  • Eventually search network logs for suspicious traffic to, and from, these devices.

The following notes, which are listed in the TA18-106A alert, also provide advice:

In addition to this investigation to spot compromised devices, this alert also recalls that it would be desirable to implement security procedures to ensure that network device firmware have not been illegally modified. We already identify this need for integrity control on network devices in 2015, in a short article of our Monthly Bulletin (about ROMMON rootkit) as well as in the VulnCoord-2015.026 message (about SYNful Knock attack).

 

Related events

In addition to this TA18-106A alert (issued on 16-Apr-2018), several related events worth be mentioned.

Prior to the US-CERT alert, Cisco issued several notes or alerts about Cisco SMI security issues:

On 06-Apr-2018, press articles announced that American "patriotic hackers" had attacked a large number of Cisco devices in Russia and Iran (see for example this article from Motherboard.vice.com). It is likely that these attacks used Cisco SMI's old vulnerabilities (for example, using the SIET tool we mentioned above) rather that the CVE-2018-0171 vulnerability as some source wrongly reported.

Because of these multiple related events, we issued the CERT-IST/AL-2018.004 Orange Alert on 10-Apr-2018.

 

Conclusion

These silent attacks against network devices can often go unnoticed and can persist for a long time before being discovered, if they do not cause any network disruption. Beyond these supposed Russian attacks, network devices are often found infected when investigating an APT attack within a company: when an attacker has succeeded in infiltrating a company, he seeks to compromise key elements of the infrastructure and if possible on less monitored systems. Network devices are then for him targets of choice.