The Australian Signals Directorate’s Australian Cyber Security Centre has joined its Five Eyes and other European partners to warn of ongoing cyber activity targeting vulnerable network devices, with Russian state-sponsored cyber actors the culprit.
The joint cyber security advisory points the finger at Russian Federal Security Service Center 16 cyber actors, which have been exploiting poorly configured routers and other devices for at least 10 years.
The hackers are largely opportunistic and are mostly targeting critical infrastructure entities in the communications, defence industrial, energy, financial services, government (particularly organisations at the state and local level), and healthcare sectors.
“Today, Australia joined Five Eyes and European partners in releasing a technical advisory highlighting the ongoing exploitation of vulnerable and poorly configured networking devices,” Lieutenant General Michelle McGuinness – Australia’s national cyber security coordinator – said in a social media post.
“The advisory encourages device owners and network defenders to review router configurations, reduce exposed management services, strengthen authentication practices, and prioritise remediation of vulnerable internet-facing devices.”
The threat actors first send an SNMP request, looking to find devices responding with SNMP v1/v2. The hackers then try to gain access using common default settings, and then use object identifiers to command the router to copy and send its configuration file before extracting data, which is then sent to either a compromised FTP server or a virtual private server.
“While SNMP scanning is the primary method the actors use to discover and exploit poorly configured networking devices, they occasionally exploit common vulnerabilities and exposures (CVEs) in Cisco devices, Cisco’s Smart Install (SMI) functionality, and web portals to manage network devices,” the advisory said.
The hackers have exploited both CVE-2018-0171 and CVE-2008-4128 in the past.
The security agencies recommend that network defenders disable Cisco Smart Install on all devices, use SNMPv3 with “authPriv” configured to the most modern encryption standard supported by the device, use strong and unique passwords, monitor and restrict access to SNMP OIDs, restrict management protocols, and regularly update network device software and firmware images.
“Strong cyber security starts with strong cyber hygiene,” LTGEN McGuinness said.
“No country can afford to be complacent, and Australia continues to call on all states and cyber actors to act responsibly in cyberspace.”
You can read the full advisory here.
NATO condemnation
The joint advisory was released a day after the North Atlantic Council released its own “Statement of condemnation” regarding malicious Russian cyber activity.
“We strongly condemn Russia’s persistent malicious cyber activities, leveraging its cyber ecosystem to target Allies and NATO partners. These activities constitute a threat to allied security,” the council said in the first of six declarations.
“We stand in unity and solidarity with all allies affected by Russia’s malicious cyber activities targeting critical national infrastructure and government entities. In this context, we take note of the statements by the UK and the EU denouncing these activities and Russia’s links to cyber criminals, as well as the sanctions imposed on individuals and entities that aid and abet Russia’s malicious cyber activities.”
The council called on Russia to cease its malicious cyber activity and warned that it is further enhancing NATO’s cyber posture and will continue to support Ukraine in its fight against Russian cyber attacks.
“We stand ready to employ the full range of capabilities in order to deter, defend against and counter the full spectrum of cyber threats,” the council said.
“We are prepared to respond to these at a time and in a manner of our choosing, in accordance with international law.”
Want to see more stories from trusted news sources?Make Cyber Daily a preferred news source on Google.
David Hollingworth
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.