FBI Warns of Russian Hackers Exploiting 7-Year-Old Cisco Flaw

The Federal Bureau of Investigation (FBI) has issued a public service announcement warning of a potential threat to critical infrastructure organizations, citing the exploitation of a 7-year-old vulnerability in Cisco devices. The hacking group linked to Russia's Federal Security Service (FSB), known as Berserk Bear or Blue Kraken, has been targeting networking devices using CVE-2018-0171 exploits to breach organizations worldwide.

The vulnerability, identified as CVE-2018-0171, is a critical flaw in the Smart Install feature of Cisco IOS and Cisco IOS XE software. Successful exploitation of this vulnerability can allow unauthenticated threat actors to remotely trigger a reload of unpatched devices, potentially resulting in a denial-of-service (DoS) condition or enabling the attackers to execute arbitrary code on the targeted device.

The FBI has detected the hacking group collecting configuration files for thousands of networking devices associated with US entities across critical infrastructure sectors. On some vulnerable devices, the actors modified configuration files to enable unauthorized access to those devices, allowing them to conduct reconnaissance in the victim networks and identify protocols and applications commonly associated with industrial control systems.

The same hacking group has previously targeted the networks of US state, local, territorial, and tribal (SLTT) government organizations and aviation entities over the last decade. The threat extends beyond Russia's operations – other state-sponsored actors are likely conducting similar network device compromise campaigns, making comprehensive patching and security hardening critical for all organizations.

Cisco Talos, the company's cybersecurity division, has confirmed that the Russian threat group it tracks as Static Tundra has been aggressively exploiting CVE-2018-0171 in this campaign to compromise unpatched devices belonging to telecommunications, higher education, and manufacturing organizations across North America, Asia, Africa, and Europe.

The attackers were also observed using custom SNMP tooling that enables them to gain persistence on compromised devices and evade detection for years, as well as the SYNful Knock firmware implant, first spotted in 2015 by FireEye. This implies a sophisticated and sustained campaign by the hackers, highlighting the importance of staying vigilant and up-to-date with security measures.
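A defender-side check that follows from the paragraphs above, as an added example that is not code from the article, the FBI or Cisco: it audits a captured IOS running-config for Smart Install left enabled (no `no vstack` line), for read-write SNMP community strings, and for drift from a known-good baseline of the kind the FBI describes. The sample configs, hostname, usernames and community strings are constructed; the `vstack` keyword and the `snmp-server community ... RW` syntax are standard IOS.

```python
import re

# Constructed sample configs for a hypothetical switch; not from any real device.
BASELINE_CONFIG = """\
hostname edge-sw1
no vstack
snmp-server community ops-readonly RO
username netadmin privilege 15 secret 5 $1$placeholder
line vty 0 4
 transport input ssh
"""
CURRENT_CONFIG = """\
hostname edge-sw1
vstack
snmp-server community ops-readonly RO
snmp-server community public RW
username netadmin privilege 15 secret 5 $1$placeholder
username svc-backup privilege 15 secret 5 $1$placeholder2
line vty 0 4
 transport input ssh telnet
"""

def smart_install_enabled(config):
    # Smart Install (where CVE-2018-0171 lives) stays active unless the
    # config explicitly says 'no vstack'; a bare 'vstack' re-enables it.
    lines = {line.strip() for line in config.splitlines()}
    return "no vstack" not in lines

def rw_snmp_communities(config):
    # Community strings that grant read-write SNMP access to the device.
    return re.findall(r"^snmp-server community (\S+) RW\b", config, re.M)

def config_drift(baseline, current):
    # Lines added to or removed from the baseline: candidate unauthorized edits.
    base, cur = baseline.splitlines(), current.splitlines()
    return {"added": [l for l in cur if l not in base],
            "removed": [l for l in base if l not in cur]}

def audit(baseline, current):
    # Findings a defender would triage for one device, in stable order.
    findings = []
    if smart_install_enabled(current):
        findings.append("smart-install-enabled")
    findings += [f"snmp-rw:{c}" for c in rw_snmp_communities(current)]
    drift = config_drift(baseline, current)
    findings += [f"added:{l.strip()}" for l in drift["added"]]
    findings += [f"removed:{l.strip()}" for l in drift["removed"]]
    return findings
```

Run `audit()` over each device's exported running-config and a stored baseline; an empty list means nothing to triage, anything else is worth an analyst's eyes.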

Admins are urged to patch their Cisco devices against the ongoing attacks as soon as possible, and organizations should act immediately to secure their networks against these sophisticated threats.

Awareness and Action Required

The FBI's warning serves as a wake-up call for organizations to reassess their security posture and ensure that all critical infrastructure devices are patched and up-to-date. The threat of state-sponsored hacking groups is ever-present, and comprehensive patching and security hardening are now more crucial than ever.