Russian threat actors using old Cisco bug to target critical infrastructure orgs
A threat group linked to the Russian Federal Security Service’s (FSB) Center 16 unit has been compromising unpatched and end-of-life Cisco networking devices via an old vulnerability (CVE-2018-0171), the FBI and Cisco warned on Wednesday.
“Primary targets include organizations in telecommunications, higher education and manufacturing sectors across North America, Asia, Africa and Europe, with victims selected based on their strategic interest to the Russian government,” Cisco Talos researchers noted.
“In the past year, the FBI detected the actors collecting configuration files for thousands of networking devices associated with US entities across critical infrastructure sectors. On some vulnerable devices, the actors modified configuration files to enable unauthorized access to those devices. The actors used the unauthorized access to conduct reconnaissance in the victim networks, which revealed their interest in protocols and applications commonly associated with industrial control systems,” the FBI said.
Static Tundra’s attacks through the years
CVE-2018-0171 stems from improper validation of packet data in the Smart Install client. An unauthenticated, remote attacker can trigger it by sending a specially crafted Smart Install message to a vulnerable device on TCP port 4786, either forcing the device to reload (denial of service) or executing arbitrary code on it.
The vulnerability can only be exploited if an unpatched device has the Smart Install client feature enabled, which is the default state on many Catalyst switches. Soon after it was publicly disclosed and a proof-of-concept was released in 2018, vigilante hackers started using it against network devices in data centers in Russia and Iran.
“Static Tundra” – as the group has been dubbed – is a sophisticated threat actor that has been engaging in long-term espionage operations.
“Talos also assesses with moderate confidence that Static Tundra is associated with the historic use of ‘SYNful Knock,’ a malicious implant installed on compromised Cisco devices publicly reported in 2015,” the researchers noted.
The implant consisted of a modified Cisco IOS image that persisted across reboots of the targeted devices, allowed the attackers to load a variety of functional modules from the internet, and provided unrestricted access to the device: effectively a persistent backdoor.
“Static Tundra targets unpatched, and often end-of-life, network devices to establish access on primary targets and support secondary operations against related targets of interest. Once they establish initial access to a network device, Static Tundra will pivot further into the target environment, compromising additional network devices and establishing channels for long-term persistence and information gathering. This is demonstrated by the group’s ability to maintain access in target environments for multiple years without being detected,” the researchers added.
“Talos assesses with moderate confidence that Static Tundra leverages bespoke tooling to automate the exploitation of CVE-2018-0171 and subsequent configuration exfiltration against a predefined set of target IP addresses, likely gathered using publicly available scan data from a service such as Shodan or Censys. The process is similar to those that have been reported publicly in red teaming blogs and similar publications.”
The group’s main goal is to capture network traffic that could be of value from an intelligence perspective.
What to do?
Static Tundra has been operational for over a decade, and is expected to continue targeting networking devices.
Cisco has updated the CVE-2018-0171 security advisory to say that they are “aware of continued exploitation activity of the vulnerability” and to advise customers to upgrade to a fixed software release as soon as possible.
Organizations whose devices are end-of-life and cannot be upgraded to a fixed release can either disable the Smart Install client feature with the no vstack command (and confirm the change with show vstack config) or decommission the devices.
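The exposure condition described above (Smart Install client reachable on TCP port 4786) and the no vstack mitigation, as an added example in Python that is not code from the article, Cisco or Talos. The 24-byte probe and reply are the ones used by the public Cisco Talos smi_check script as recalled here; treat them as an assumption and confirm them against that script before trusting a verdict. The show vstack config and running-config samples are constructed, not captured from real devices, and the network probe should only be run against devices you are authorized to test.

```python
"""
Added example, not code from the article, Cisco or Talos: check whether a
device is in the state CVE-2018-0171 needs (Smart Install client enabled and
reachable on TCP/4786) and whether 'no vstack' has taken effect.

Assumptions, labelled as such:
  * SMI_PROBE / SMI_CLIENT_ACTIVE_REPLY are the 24-byte messages used by the
    public Cisco Talos smi_check script, reproduced from memory; confirm them
    against that script before relying on a verdict.
  * The 'show vstack config' samples below are constructed to match the
    format shown in Cisco's advisory ("Role: Client (SmartInstall enabled)").
Only probe devices you are authorised to test.
"""
import re
import socket
import struct

SMI_PORT = 4786

# Smart Install messages are sequences of big-endian 32-bit words (assumed).
SMI_PROBE = struct.pack(">6I", 1, 1, 4, 8, 1, 0)
SMI_CLIENT_ACTIVE_REPLY = struct.pack(">6I", 4, 0, 3, 8, 1, 0)


def classify_reply(reply: bytes) -> str:
    """Map the bytes read back from TCP/4786 to a verdict."""
    if not reply:
        return "no-reply"
    if reply[:len(SMI_CLIENT_ACTIVE_REPLY)] == SMI_CLIENT_ACTIVE_REPLY:
        return "smart-install-client-active"
    return "unexpected-reply"


def probe_smart_install(host: str, port: int = SMI_PORT, timeout: float = 3.0) -> str:
    """Send the probe and classify the answer. Network call; not exercised offline."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(SMI_PROBE)
            reply = sock.recv(1024)
    except OSError:  # includes socket.timeout on Python 3
        return "closed-or-filtered"
    return classify_reply(reply)


_ROLE_RE = re.compile(r"Role:\s*(\w+)\s*\(SmartInstall\s+(enabled|disabled)\)")


def audit_vstack_config(show_vstack_output: str) -> dict:
    """
    Parse 'show vstack config'. A device reporting the client role with
    SmartInstall enabled still needs 'no vstack' (or a patch / decommissioning).
    """
    match = _ROLE_RE.search(show_vstack_output)
    if match is None:
        return {"role": None, "enabled": None, "needs_no_vstack": None}
    role, state = match.group(1), match.group(2)
    enabled = state == "enabled"
    return {
        "role": role,
        "enabled": enabled,
        "needs_no_vstack": enabled and role.lower() == "client",
    }


def running_config_disables_vstack(running_config: str) -> bool:
    """True when the running configuration carries the 'no vstack' line."""
    return any(line.strip() == "no vstack" for line in running_config.splitlines())


# Constructed samples (not captured from real devices).
SAMPLE_EXPOSED = """\
Switch#show vstack config
 Role: Client (SmartInstall enabled)
 Vstack Director IP address: 0.0.0.0
"""

SAMPLE_FIXED = """\
Switch#show vstack config
 Role: Client (SmartInstall disabled)
 Vstack Director IP address: 0.0.0.0
"""

SAMPLE_RUNNING_CONFIG = """\
hostname edge-sw1
!
no vstack
!
line vty 0 4
 transport input ssh
"""

if __name__ == "__main__":
    print("exposed sample :", audit_vstack_config(SAMPLE_EXPOSED))
    print("fixed sample   :", audit_vstack_config(SAMPLE_FIXED))
    print("running-config :", running_config_disables_vstack(SAMPLE_RUNNING_CONFIG))
    print("reply verdict  :", classify_reply(SMI_CLIENT_ACTIVE_REPLY))
```

The offline functions are the useful part for an audit: feed them the output of show vstack config and show running-config collected from each switch and flag any device where needs_no_vstack is true or the no vstack line is absent. The probe only confirms, from the outside, that the client still answers on 4786; a "closed-or-filtered" result may mean the feature is disabled or merely that an ACL is in the way, so it does not replace checking the device itself.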
Cisco’s researchers have also shared advice on how to identify suspicious activity that may be related to this campaign and the most recent indicators of compromise.