Well, it’s time for another Tech Tidbit from me, and right on cue another alert from the National Cyber Awareness System, run by the good people at the United States Computer Emergency Readiness Team (US-CERT), has come in that I felt really needed to be highlighted for all of you.
This alert was also propagated out through several other channels (MS-ISAC, NYS Cyber Awareness System, etc.) but the root of all those alerts is this original document from US-CERT. This time the headline reads:
Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices
This alert details warnings from various agencies in both the US and UK about worldwide cyber exploitation of network infrastructure devices (e.g., routers, switches, firewalls, and Network-based Intrusion Detection System (NIDS) devices) by Russian state-sponsored cyber actors.
The alert goes on to discuss the tactics and techniques observed, specifically focusing on the abuse of several legacy management protocols with weak security controls (Telnet, HTTP, SNMP v1/v2, SMI, and TFTP).
There also is a recurring warning about the risk of weak administrator credentials making exposed devices an easy target.
The recommended remediation steps, which by now should sound very familiar to our readers, are detailed as:
- Do not use unencrypted management protocols on devices, particularly those whose management interface can be accessed from the Internet.
- Avoid allowing access to management interfaces from the Internet if at all possible. Restrict management access to limited, trusted internal networks only.
- Disable the use of legacy management protocols on network devices.
- Remove default IDs / passwords and use strong passwords on all devices.
- Block outbound TFTP from the organization’s network.
- Make sure all device firmware is kept current and always downloaded from trusted, verified sources.
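As an added illustration (not part of the US-CERT alert or this post), the script below checks a Cisco IOS-style running configuration for the legacy management protocols listed above and reports any that are still enabled. The IOS command syntax is an assumption on my part, and both sample configurations are constructed, not taken from any real device.

```python
import re

# Constructed IOS-style running-config samples (not from any real device).
WEAK_CONFIG = """\
hostname edge-rtr
ip http server
snmp-server community public RO
snmp-server community private RW
vstack
line vty 0 4
 transport input telnet ssh
 login local
"""

HARDENED_CONFIG = """\
hostname edge-rtr
no ip http server
ip http secure-server
snmp-server group netops v3 priv
no vstack
line vty 0 15
 transport input ssh
 login local
"""

# One regex per legacy/unencrypted management protocol named in the alert.
# Patterns are anchored so that the "no ..." form of a command does not match.
CHECKS = [
    ("HTTP management enabled; use HTTPS (ip http secure-server) only",
     re.compile(r"^ip http server$")),
    ("SNMP v1/v2c community string configured; migrate to SNMPv3",
     re.compile(r"^snmp-server community \S+")),
    ("Smart Install (SMI) enabled; disable with 'no vstack'",
     re.compile(r"^vstack$")),
    ("Telnet accepted on vty line; restrict 'transport input' to ssh",
     re.compile(r"^\s+transport input (?:.*\btelnet\b|all\b)")),
]


def audit_config(config_text):
    """Return (line_no, finding, line) for each config line that still
    enables a protocol the alert recommends turning off."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        for finding, pattern in CHECKS:
            if pattern.search(line):
                findings.append((line_no, finding, line.strip()))
    return findings
```

Running `audit_config(WEAK_CONFIG)` flags five lines (HTTP, two SNMP community strings, Smart Install, and the Telnet vty line), while `audit_config(HARDENED_CONFIG)` returns an empty list.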
While the largest risk is certainly to network devices on the “external” (Internet-facing) side of networks, if internal endpoints are compromised by other means, these same techniques can also be run against internal network devices.
And while the focus of this alert is on network devices, the reality is that the general principles of these rules and recommendations apply equally well to Internet-facing server devices.
The full details on this most recent alert can be found here:
To request a review of your current network posture related to this alert and for remediation assistance (if required) please don’t hesitate to contact our office.