Russian Agents Aim at Routers Employing Obsolete Protocols with Factory Settings Passwords
We independently review everything we recommend. When you buy through our links, we may earn a commission which is paid directly to our Australia-based writers, editors, and support staff. Thank you for your support!
Quick Overview
- State-sponsored actors from Russia are focusing on routers with factory or weak credentials.
- This operation is linked to Russia’s FSB Centre 16.
- Predominantly, older versions of the SNMP protocol are the focus.
- Suggestions include upgrading to SNMP v3 and improving configuration practices.
- Key sectors susceptible to risks include telecommunications, energy, and governmental services.
Russian Cyber Threat: Essential Information
Tactics of FSB Centre 16
A coalition of 19 national cybersecurity organizations has issued a collective alert regarding Russian state-sponsored threat actors who are methodically scanning the Internet for exposed routers using factory default or weak credentials. This initiative is linked to a division within Russia’s Federal Security Service, known as FSB Centre 16.
Targeted Protocols and Flaws
FSB Centre 16 is concentrating on routers that operate on versions 1 and 2 of the Simple Network Management Protocol (SNMP), taking advantage of default or widely used community strings. These community strings serve as shared passwords, permitting devices to query routers and possibly modify settings. Unfortunately, SNMP v1 and v2 transmit community strings in an unencrypted form over networks.
Security Concerns
The exploitation of outdated protocols and factory default credentials enables attackers to duplicate configuration files via TFTP, an unauthenticated file transfer protocol. These configuration files often contain additional credentials, giving attackers straightforward access without the need to breach vulnerabilities.
Exploited Flaws
Occasionally, FSB Centre 16 exploits previously revealed vulnerabilities. The advisory references vulnerabilities such as CVE-2008-4128, a cross-site request forgery vulnerability dating back 18 years, and CVE-2018-0171, an issue in Cisco’s Smart Install that could result in a denial of service or execute arbitrary code on unpatched systems.
Recommended Security Protocols
Upgrade to SNMP v3
Cybersecurity agencies advise upgrading to SNMP v3, which encompasses authentication and encryption features, while disabling SNMP v1 and v2 wherever it can be done.
Configuration Practices
Organizations are encouraged to alter factory default community strings and limit SNMP v3 access to an out-of-band network secured by access control lists. Additional actions include disabling Cisco’s Smart Install feature, securely managing credentials, and blocking TFTP, SNMP, and Smart Install traffic at the network perimeter.
Ongoing Threat Monitoring
FSB Centre 16 has been actively scanning for susceptible routers for more than a decade. Security vendors recognize this group under different aliases, including Berserk Bear, Energetic Bear, Dragonfly, and Static Tundra. Vulnerable sectors encompass telecommunications, energy, financial services, healthcare, and governmental operations, with state and local governments being particularly at risk.
Conclusion
Russian operatives are aggressively targeting routers with outdated protocols and factory default credentials, mainly zeroing in on SNMP v1 and v2. Organizations are urged to upgrade to SNMP v3 and bolster their security configurations to counter these threats.
Reader questions
Frequently asked questions
Fast answers to the questions readers ask most about Russian Agents Aim at Routers Employing Obsolete Protocols with Factory Settings Passwords.
What is the primary protocol targeted by Russian operatives?
The primary protocol under assault is the Simple Network Management Protocol (SNMP) versions 1 and 2.
What security protocols are advised?
The suggested protocols include upgrading to SNMP v3, changing default community strings, and limiting access to secure networks.
Which sectors face the greatest risk?
The sectors at risk are telecommunications, energy, financial services, healthcare, and governmental operations.
For how long has FSB Centre 16 been scanning for vulnerable routers?
FSB Centre 16 has been scanning for susceptible routers for more than ten years.
Are there specific vulnerabilities highlighted in the advisory?
Yes, vulnerabilities such as CVE-2008-4128 and CVE-2018-0171 are specifically noted.
