2018-04-20

Russian state-sponsored actor preparing network infrastructure devices for further cyber attacks

What is claimed to happen?


The USA and UK issued a joint technical alert accusing Russian state-sponsored actors of maliciously manipulating and compromising Internet communications devices. The actors target government institutions, private sector companies, and Internet providers. The operation has been monitored for months so far by the FBI, the US Department of Homeland Security and the UK NCSC. The aim of this GRIZZLY STEPPE operation appears to be to prepare the network devices (e.g., routers, switches, firewalls and Network-based Intrusion Detection System (NIDS) devices) serving the target organisations for man-in-the-middle attacks. Once a perimeter network device is compromised, it can capture all IP traffic passing through it and act as a packet capture point.

How does the action seem to take place?


  1. Reconnaissance: Cyber actors scan for potentially vulnerable protocols such as Telnet, HTTP, SNMP and SMI.
  2. Weaponization: The actors trigger the device into sending them its configuration file. The configuration file contains information such as password hashes and SNMP community strings. These credentials are then brute-forced to recover valid Telnet or SSH login credentials.
  3. Exploitation: Armed with valid credentials, the actors access the network devices and enable, for example, the Cisco SMI service, thus gaining full control of the device. Once logged in, the actors can:
  • extract additional configuration information,
  • export the OS image file to an externally located cyber actor-controlled FTP server,
  • modify device configurations,
  • create Generic Routing Encapsulation (GRE) tunnels, or
  • mirror or redirect network traffic through other network infrastructure they control.


What to do?


The following general advice may apply:
  • All network devices should be treated like any other server or PC in the network: harden them by removing unnecessary processes, update them regularly, prefer out-of-band management over in-band management, and install IDS sensors to monitor management traffic.
  • For more detailed countermeasures, see reference 2.
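As an added example (not from the alert or the post), the following script shows what "monitor management traffic" can look like in practice: it runs three detection rules over constructed flow records, flagging management-plane access (Telnet, HTTP, SNMP, Cisco SMI, SSH) to a device from anywhere outside the out-of-band management network, device-initiated FTP to an external host (config or OS image export), and GRE from a device to an external endpoint. The device addresses, the 10.99.0.0/24 management network and the flow records are all hypothetical.

```python
import ipaddress

# Constructed sample flow records (not from the advisory): "src_ip src_port dst_ip dst_port proto"
SAMPLE_FLOWS = """\
198.51.100.7 51234 10.1.1.1 4786 tcp
203.0.113.9 40000 10.1.1.1 23 tcp
10.99.0.5 50222 10.1.1.1 22 tcp
198.51.100.7 51240 10.1.1.1 161 udp
10.0.0.15 44000 10.1.1.1 22 tcp
10.1.1.1 33412 203.0.113.9 21 tcp
10.1.1.1 0 203.0.113.9 0 gre
10.0.0.15 44321 10.0.0.80 443 tcp
"""

# Assumed inventory (hypothetical values): managed devices, the out-of-band management network, internal ranges.
NETWORK_DEVICES = {"10.1.1.1", "10.1.1.2"}
OOB_MGMT_NET = ipaddress.ip_network("10.99.0.0/24")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Management-plane ports named in the alert (Telnet, HTTP, SNMP, Cisco SMI on TCP/4786) plus SSH.
MGMT_PORTS = {23: "telnet", 80: "http", 161: "snmp", 4786: "smi", 22: "ssh"}


def is_external(ip: str) -> bool:
    """True when the address lies outside the organisation's internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def analyze(flows: str) -> list:
    """Return (rule, record) pairs for every flow record that matches one of the three rules."""
    alerts = []
    for record in flows.strip().splitlines():
        src, _, dst, dport, proto = record.split()
        dport = int(dport)
        # Rule 1: management-plane access to a device from anywhere but the OOB management network.
        if dst in NETWORK_DEVICES and dport in MGMT_PORTS and ipaddress.ip_address(src) not in OOB_MGMT_NET:
            alerts.append((f"mgmt-access-{MGMT_PORTS[dport]}", record))
        # Rule 2: a device pushing data to an external FTP server (configuration or OS image export).
        elif src in NETWORK_DEVICES and proto == "tcp" and dport == 21 and is_external(dst):
            alerts.append(("device-ftp-export", record))
        # Rule 3: a GRE tunnel from a device to an external endpoint (traffic mirroring or redirection).
        elif src in NETWORK_DEVICES and proto == "gre" and is_external(dst):
            alerts.append(("device-gre-external", record))
    return alerts


if __name__ == "__main__":
    for rule, record in analyze(SAMPLE_FLOWS):
        print(f"{rule:22s} {record}")
```

The in-band SSH session from 10.0.0.15 is flagged as well, which is the point of preferring out-of-band management: anything reaching a device's management plane from the production network deserves a look.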

References:


  1. https://www.theguardian.com/technology/2018/apr/16/us-and-uk-blame-russia-for-malicious-cyber-offensive
  2. https://www.us-cert.gov/ncas/alerts/TA18-106A
