Threat actors linked to the Russian government are falling back on a seven-year-old vulnerability in Cisco equipment that was first uncovered in 2018, according to a new warning from the FBI.
The flaw in question, tracked as CVE-2018-0171, exists in the Smart Install (SMI) feature of Cisco’s Internetwork Operating System (IOS) and IOS XE. It arises through the improper validation of packet data and is exploited by sending a specially-crafted Smart Install message to a vulnerable device on TCP port 4786.
If left unpatched, enables an unauthenticated, remote attacker to achieve a denial of service (DoS) condition, or to conduct remote code execution (RCE).
In the past year, the feds said they had detected threat actors collecting configuration files for thousands of end-of-life network devices vulnerable to CVE-2018-0171, which it said are still in use at multiple critical national infrastructure (CNI) operators in the US.
“On some vulnerable devices, the actors modified configuration files to enable unauthorised access to those devices,” said the FBI in a statement.
“The actors used the unauthorised access to conduct reconnaissance in the victim networks, which revealed their interest in protocols and applications commonly associated with industrial control systems.”
Beserk Bear
The US authorities said the unit conducting the current spate of intrusions was likely Beserk Bear, aka Dragonfly, a cyber unit of Russia’s Federal Security Service, the FSB, which is known to have targeted networking devices – particularly those that accept legacy protocols, and had previously worked on custom malwares that specifically targeted Cisco products, notably a strain referred to as SYNful Knock.
Cisco Talos researchers Sara McBroom and Brandon White said that Cisco had observed Beserk Bear – Static Tundra in its parlance – acting against Cisco products since at least 2015, and urged users to patch against CVE-2018-0171 as a matter of urgency.
“Customers are strongly urged to apply the patch immediately given active and ongoing exploitation of the vulnerability…. Devices that are beyond end of life and cannot support the patch require additional security precautions as detailed in the 2018 security advisory. Unpatched devices with Smart Install enabled will continue to be vulnerable to these and other attacks unless and until customers take action,” they said.
McBroom and White also pointed out that the threat actor’s targeting extends beyond the US and North America, with primary targets including organisations in the higher education, manufacturing and telecoms sectors in Asia, Africa and Europe. Beserk Bear’s victims appear to be selected based on their strategic value to the Russian government’s geopolitical and intelligence goals, they added.
“We assess that Static Tundra’s two primary operational objectives are, one, compromising network devices to gather sensitive device configuration information that can be leveraged to support future operations, and two, establishing persistent access to network environments to support long-term espionage in alignment with Russian strategic interests.
“Because of the large global presence of Cisco network infrastructure and the potential access it affords, the group focuses heavily on the exploitation of these devices and possibly also the development of tools to interact with and persist on these devices,” warned McBroom and White.
