Article Details
Scrape Timestamp (UTC): 2025-08-20 18:25:06.759
Source: https://www.theregister.com/2025/08/20/russian_fsb_cyberspies_exploiting_cisco_bug/
Original Article Text
FBI: Russian spies exploiting a 7-year-old Cisco bug to slurp configs from critical infrastructure

Snarfing up config files for 'thousands' of devices…just for giggles, we're sure.

The FBI and security researchers today warned that Russian government spies exploited a seven-year-old bug in end-of-life Cisco networking devices to snoop around in American critical infrastructure networks and collect information on industrial systems.

"In the past year, the FBI detected the actors collecting configuration files for thousands of networking devices associated with US entities across critical infrastructure sectors," the federal cops said. "On some vulnerable devices, the actors modified configuration files to enable unauthorized access to those devices."

Both the FBI and Cisco Talos, in separate security alerts, attributed the network intrusions to the Russian Federal Security Service's (FSB) Center 16, aka Static Tundra, Berserk Bear, and Dragonfly. This particular cyberspy crew has been active for over a decade, targeting outdated networking gear that accepts legacy, unencrypted protocols like Cisco Smart Install (SMI) and Simple Network Management Protocol (SNMP). They've also deployed custom malware for some Cisco devices, such as 2015's SYNful Knock router implant.

The latest round of intrusions exploits SNMP in end-of-life gear that some users never got around to patching. There's a super-old critical bug in the Cisco Smart Install feature of Cisco IOS and IOS XE software, tracked as CVE-2018-0171, which the networking giant fixed in March 2018.

In a statement emailed to The Register, a Cisco spokesperson said the company is aware of ongoing exploitation targeting this flaw. "We strongly urge customers to immediately upgrade to fixed software versions as outlined in the security advisory and follow our published security best practices," the spokesperson said, directing customers to the FBI's announcement and Cisco Talos blog for additional details.
The ongoing campaign targets telecommunications, higher education, and manufacturing organizations across North America, Asia, Africa, and Europe, "with victims selected based on their strategic interest to the Russian government," according to Talos researchers Sara McBroom and Brandon White. "We assess that the purpose of this campaign is to compromise and extract device configuration information en masse, which can later be leveraged as needed based on then-current strategic goals and interests of the Russian government," McBroom and White wrote. And while both security alerts focus on the FSB's latest round of network intrusions, "many other state-sponsored actors also covet the access these devices afford," the Talos team warned. "Organizations should be aware that other advanced persistent threats (APTs) are likely prioritizing carrying out similar operations as well."
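An added defender-side example, not code from the article, the FBI, or Cisco: a small audit of an IOS-style running-config text for the legacy management exposure the article describes (Smart Install left reachable, SNMP v1/v2c community strings, Telnet on VTY lines), plus a baseline diff to surface the kind of unauthorized configuration changes the FBI reports. Both config excerpts are constructed, and the check assumes `no vstack` as the way the Smart Install client is disabled in a config.

```python
import re

# Constructed IOS-style running-config excerpts (not from the article or any real device).
WEAK_CONFIG = """\
version 15.2
hostname edge-sw1
snmp-server community public RO
snmp-server community private RW
vstack
line vty 0 4
 transport input telnet ssh
end
"""

HARDENED_CONFIG = """\
version 15.2
hostname edge-sw1
no vstack
snmp-server group NETOPS v3 priv
line vty 0 4
 transport input ssh
end
"""

def audit_ios_config(config: str) -> list[str]:
    """Flag legacy, unencrypted management exposure in a running-config text.
    Assumptions of this illustrative check: Smart Install counts as enabled unless an
    explicit 'no vstack' line exists; every 'snmp-server community' line is SNMP v1/v2c
    (a plaintext credential, RO by default); telnet in 'transport input' is cleartext access.
    """
    lines = [ln.rstrip() for ln in config.splitlines()]
    findings = []
    if "no vstack" not in lines:
        findings.append("smart-install: no 'no vstack' line; Smart Install client may be reachable")
    for ln in lines:
        m = re.match(r"snmp-server community \S+(?: (RO|RW))?", ln)
        if m:
            mode = (m.group(1) or "RO").lower()
            findings.append(f"snmp-{mode}: v1/v2c community string configured (plaintext on the wire)")
        if ln.strip().startswith("transport input") and "telnet" in ln.split():
            findings.append("vty-telnet: telnet permitted on VTY lines")
    return findings

def config_drift(baseline: str, current: str) -> list[str]:
    """Lines in current that are absent from a trusted baseline: review each as a
    possible unauthorized change (new credentials, SNMP communities, access lines)."""
    base = {ln.rstrip() for ln in baseline.splitlines()}
    return [ln.rstrip() for ln in current.splitlines() if ln.rstrip() and ln.rstrip() not in base]
```

Run `audit_ios_config` over a saved `show running-config` to get findings, and `config_drift` against a known-good backup to list added lines worth reviewing.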
Daily Brief Summary
The FBI and Cisco Talos have identified Russian government spies exploiting a seven-year-old Cisco bug in end-of-life devices to infiltrate U.S. critical infrastructure networks.
The actors, linked to Russia's FSB, have targeted thousands of networking devices, modifying configurations to enable unauthorized access and collect sensitive information.
The exploitation leverages legacy, unencrypted protocols such as Cisco Smart Install and SNMP, with some devices affected by the CVE-2018-0171 vulnerability.
Cisco urges immediate upgrades to patched software versions and adherence to security best practices to mitigate ongoing risks.
The campaign impacts sectors including telecommunications, higher education, and manufacturing across multiple continents, focusing on strategic interests of the Russian government.
The operation aims to gather configuration data for potential future use, with other state-sponsored actors likely pursuing similar activities.
Organizations are advised to remain vigilant and consider the broader threat landscape posed by advanced persistent threats targeting outdated infrastructure.