US-CERT posted a new Tactical Alert (TA18-106A) based on a combined intelligence effort between the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the United Kingdom’s National Cyber Security Centre (NCSC). It provided an alert on network devices being exploited by Russian state-sponsored actors. Network device targets include but are not limited to government and private-sector organizations, critical infrastructure providers, and the Internet service providers (ISPs) supporting these sectors. The TA outlines details on the tactics, techniques, and procedures (TTPs) used by Russian state actors. The purpose of the TA was to inform the public about the Russian government campaign.
While the report notes that the U.S. Government has been tracking malicious activity on network devices carried out by actors backed by the Russian Government, the information in this tactical alert was derived from private- and public-sector sources. It is hard to tell where those sources originated, as the cited material consists only of past alerts and vendor advisories. With that said, the report does provide some general guidance on mitigating various attack vectors, and it outlines a generic “cyber kill chain” that the malicious actors might be using. Security practitioners are already aware of the information in the tactical alert. Even though no evidence has been publicly disclosed that the “attacks” are part of a larger campaign, the increased aggression of the West regarding the recent attacks on Syria has most likely raised US-CERT’s warning level for a potential cyber attack. Most of the recommendations in this report have already been published by Cisco Talos Intelligence and Cisco PSIRT (Product Security Incident Response Team), referring to network devices that use Cisco Smart Install (SMI).
Russian malicious actors like to find the weakest and easiest link to begin their exploitation, which offers the threat actors an “easy” way in with minimal resources and effort expended. Parts of the attack surface the malicious actors might target are legacy protocols, bad security practices, and poorly defended network devices. I will highlight TA18-106A below.
CYBER KILLCHAIN OUTLINED BY TA18-106A
Stage 1: Reconnaissance
Stage 2: Weaponization
Stage 3: Delivery
Stage 4: Exploitation
Stage 5: Installation
Stage 6: Command and Control
Traffic to Analyze
The report recommends inspecting the following traffic: Telnet, SNMP, TFTP, SMI, SIET, and GRE tunneling.
- Telnet is a legacy unencrypted protocol that should be disabled. If it is required for legacy reasons, inspect port 23, as suspicious command strings may be visible on the network.
- Review port 161/162 for SNMP packets. If SNMP is enabled, make sure the traffic is between trusted devices.
- Verify that TFTP traffic is not going outbound to an unknown external network.
- SMI is a management interface protocol that lets Cisco routers be configured without interaction from an administrator.
- Review traffic logs on port 4786 when analyzing SMI.
- GRE Tunneling enabled devices should also be inspected on port 47.
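As an added example (not code from the alert or from this post), the following Python script applies these inspection rules to a handful of constructed flow records: Telnet on TCP/23, SNMP on UDP/161 and 162 between hosts outside a trusted set, TFTP on UDP/69 leaving the network, SMI on TCP/4786, and GRE, which is matched by its IP protocol number 47 since it carries no TCP/UDP port. The record layout, the 10.0.0.0/8 internal range, and the trusted SNMP hosts are assumptions made for the example.

```python
"""Triage of flow records for the protocols TA18-106A says to inspect.

Added example, not code from the alert or from the blog post. The flow
records below are constructed, and the field names, the internal prefix and
the trusted SNMP peers are assumptions made for this example.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int   # IP protocol number: 6 = TCP, 17 = UDP, 47 = GRE
    dport: int   # destination port; 0 for protocols that have none (GRE)


# Constructed sample records (not captured traffic).
SAMPLE_FLOWS = [
    Flow("10.0.1.15", "10.0.1.1", 6, 23),        # Telnet to a router
    Flow("10.0.1.1", "10.0.9.5", 17, 162),       # SNMP trap to the NMS
    Flow("10.0.1.1", "203.0.113.44", 17, 161),   # SNMP to an external host
    Flow("10.0.1.1", "198.51.100.7", 17, 69),    # TFTP outbound to external
    Flow("198.51.100.7", "10.0.1.1", 6, 4786),   # Smart Install from outside
    Flow("10.0.1.1", "203.0.113.9", 47, 0),      # GRE tunnel to external
    Flow("10.0.1.15", "10.0.1.1", 6, 22),        # SSH, expected management
]

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumption
TRUSTED_SNMP = {"10.0.1.1", "10.0.9.5"}               # router and NMS (assumption)


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def triage(flow: Flow) -> list:
    """Return the finding names that apply to one flow (empty list if none)."""
    findings = []
    crosses_perimeter = not (is_internal(flow.src) and is_internal(flow.dst))
    if flow.proto == 6 and flow.dport == 23:
        findings.append("telnet")                   # legacy cleartext management
    if flow.proto == 17 and flow.dport in (161, 162):
        if not {flow.src, flow.dst} <= TRUSTED_SNMP:
            findings.append("snmp-untrusted-peer")  # SNMP with a host we do not manage
    if flow.proto == 17 and flow.dport == 69 and not is_internal(flow.dst):
        findings.append("tftp-outbound-external")   # config or image leaving the network
    if flow.proto == 6 and flow.dport == 4786:
        findings.append("smart-install")            # SMI port; confirm it is expected
    if flow.proto == 47 and crosses_perimeter:
        findings.append("gre-external")             # tunnel to or from outside
    return findings


def triage_all(flows) -> dict:
    """Map each flow that produced at least one finding to its findings."""
    return {f: triage(f) for f in flows if triage(f)}


if __name__ == "__main__":
    for flow, hits in triage_all(SAMPLE_FLOWS).items():
        print(f"{flow.src} -> {flow.dst} proto={flow.proto} dport={flow.dport}: {', '.join(hits)}")
```

GRE is deliberately matched on the protocol number and the direction only; a GRE tunnel between two internal devices may be legitimate, while one that crosses the perimeter is what the April 19 update (DNS redirection through GRE tunnels) describes and deserves a closer look.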
Smart Install Exploitation Tool (SIET): An exploitation tool written in Python that leverages Cisco’s Smart Install on network devices by generating TCP packets with specific payloads and emulating a Trivial File Transfer Protocol (TFTP) server.
- Syntax Example:
a. sudo python siet.py -h
b. sudo python siet.py -g 192.168.0.1
c. sudo python siet.py -c 192.168.0.1
Generic Routing Encapsulation (GRE): “A tunneling protocol developed by Cisco that encapsulates a wide variety of network layer protocols inside virtual point-to-point links over an Internet Protocol internetwork” (source)
Mitigation techniques and recommendations
- Do not use unencrypted protocols
- Do not allow Internet access for management devices
- Disable legacy unencrypted protocols
- Change default passwords
Generic Mitigation for SMI:
- Disable SMI
- If SMI cannot be disabled, do the following:
a. Set up a strict ACL
b. Monitor traffic logs on port 4786
- Do not design products to use unencrypted protocols
- Do not design products with unauthenticated services
a. Require customers to change default passwords
b. Integrate with YARA rules
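The following Python audit, added here and not taken from the alert, the post, or Cisco, checks an IOS running-config text against the items in this list: whether Smart Install is disabled with "no vstack", whether an ACL constrains TCP/4786 when it is not, whether Telnet is still accepted on the VTY lines, whether the well-known default SNMP community strings remain, and whether the cleartext HTTP server is on. Both configuration texts are constructed, and the ACL name, the management host address, and the finding names are assumptions.

```python
"""Offline audit of a Cisco IOS running-config against the SMI and
legacy-protocol mitigations listed above.

Added example, not code from the alert, the post, or Cisco. Both configs are
constructed; the check names and the management host 10.0.9.5 are assumptions.
"""
import re

# Constructed "before" configuration with the weak settings (assumption).
WEAK_CONFIG = """\
hostname edge-sw1
snmp-server community public RO
snmp-server community private RW
ip http server
line vty 0 4
 transport input telnet ssh
"""

# The same device with the mitigations applied: SMI off, an ACL that only
# lets the management host reach 4786 in case SMI ever has to be re-enabled,
# default community strings replaced, HTTP off, Telnet removed from the VTYs.
HARDENED_CONFIG = """\
hostname edge-sw1
no vstack
ip access-list extended SMI_MGMT_ONLY
 permit tcp host 10.0.9.5 any eq 4786
 deny tcp any any eq 4786 log
 permit ip any any
snmp-server community r3placed-string RO
no ip http server
line vty 0 4
 transport input ssh
"""


def _present(pattern: str, cfg: str) -> bool:
    return re.search(pattern, cfg, re.MULTILINE) is not None


def audit(cfg: str) -> list:
    """Return a sorted list of finding names for one running-config."""
    findings = []

    # Smart Install: 'no vstack' disables it. If that line is absent we assume
    # SMI is on (it is enabled by default on many platforms) and then require
    # an ACL entry that constrains TCP/4786.
    smi_disabled = _present(r"^no vstack\b", cfg)
    smi_acl = _present(r"^\s*(permit|deny)\s+tcp\s+.*\beq\s+4786\b", cfg)
    if not smi_disabled:
        findings.append("smi-enabled-restricted-by-acl" if smi_acl else "smi-enabled-no-acl")

    # Telnet still accepted on the VTY lines (legacy cleartext management).
    if _present(r"^\s*transport input\b.*\btelnet\b", cfg):
        findings.append("telnet-on-vty")

    # Well-known default SNMP community strings left in place.
    if _present(r"^snmp-server community (public|private)\b", cfg):
        findings.append("default-snmp-community")

    # Cleartext HTTP management interface ('no ip http server' does not match).
    if _present(r"^ip http server\b", cfg):
        findings.append("http-server-enabled")

    return sorted(findings)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "no findings")
```

Treating a missing "no vstack" line as "SMI enabled" is the conservative choice: the audit then reports either that the port is unrestricted or that an ACL is at least in place, which maps onto the "disable, or if you cannot, restrict and monitor" advice above.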
Security Vendor Recommendations:
- Produce and publish YARA rules when malware is discovered on network devices
a. YARA is a security-industry standard that uses a rule-based approach to alert on malware families
- Do not field equipment to customers with unencrypted protocols and unauthenticated services
- Disable unencrypted protocols and unauthenticated services
- Plan to upgrade legacy field equipment
- Apply security updates and firmware updates to field equipment
Update: On April 19, 2018, an industry partner notified NCCIC and the FBI of malicious cyber activity that aligns with the TTPs and network indicators listed in this Alert. Specifically, the industry partner reported the actors redirected DNS queries to their own infrastructure by creating GRE tunnels and obtained sensitive information, which includes the configuration files of networked devices.