For years, a Russian state-sponsored threat actor has been exploiting an old vulnerability in Cisco networking devices to collect configuration information, Cisco and the FBI warn.
Patches for the flaw, tracked as CVE-2018-0171 (CVSS score of 9.8) and impacting the Smart Install (SMI) feature of Cisco’s IOS and IOS XE products, were released in March 2018.

Russian state-sponsored hackers tracked as Static Tundra continue to target Cisco devices affected by CVE-2018-0171.
On Wednesday, the FBI warned that hackers working for the Russian government have been exploiting discontinued devices unpatched against this bug in attacks targeting entities in the US and abroad.
“In the past year, the FBI detected the actors collecting configuration files for thousands of networking devices associated with US entities across critical infrastructure sectors. On some vulnerable devices, the actors modified configuration files to enable unauthorized access to those devices,” the FBI says.
The agency attributes the attacks to the Russian Federal Security Service’s (FSB) Center 16 unit, which is tracked within the cybersecurity community as Berserk Bear, Blue Kraken, Castle, Crouching Yeti, Dragonfly, Ghost Blizzard, and Koala Team.
“For over a decade, this unit has compromised networking devices globally, particularly devices accepting legacy unencrypted protocols like SMI and SNMP versions 1 and 2. This unit has also deployed custom tools to certain Cisco devices, such as the malware publicly identified as ‘SYNful Knock’ in 2015,” the FBI notes.
Cisco, which has updated its 2018 advisory to warn of the ongoing exploitation of CVE-2018-0171, tracks the activity as Static Tundra, attributing it to a sub-group within Energetic Bear.
According to Cisco’s Talos researchers, Static Tundra is a cyberespionage group that exploits networking devices to harvest configuration information and establish persistent access to targets of interest.
“Once they establish initial access to a network device, Static Tundra will pivot further into the target environment, compromising additional network devices and establishing channels for long-term persistence and information gathering,” Talos says.
Active since at least 2015, the APT has been targeting telecoms, higher education, and manufacturing entities, mainly in Ukraine and allied countries, in support of Russia’s goals.
Organizations are advised to apply the patches available for CVE-2018-0171, or to disable the SMI feature to prevent exploitation. Further recommendations can be found in Talos’s blog post.
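As an added example (not code from Cisco, Talos or the FBI), the Python audit below checks a saved IOS running-config for the two legacy settings the article names: Smart Install left on (no explicit `no vstack`) and SNMP v1/v2c community strings. The two config excerpts are constructed samples, not captured from any device.

```python
import re

# Constructed sample excerpts of a Cisco IOS running-config (not from any real device).
WEAK_CONFIG = """\
hostname edge-sw-01
!
snmp-server community public RO
snmp-server community netadmin RW 10
!
line vty 0 4
 transport input ssh
!
end
"""

HARDENED_CONFIG = """\
hostname edge-sw-01
!
no vstack
!
snmp-server group netops v3 priv
!
line vty 0 4
 transport input ssh
!
end
"""

SNMP_COMMUNITY = re.compile(r"^snmp-server community \S+(?P<rest>.*)$")


def audit_config(config: str) -> list[str]:
    """Return findings for the legacy settings the advisory names: Smart Install
    still enabled and SNMP v1/v2c community strings. Community strings are not
    echoed back, so the report can be shared without leaking credentials."""
    lines = [line.strip() for line in config.splitlines()]
    findings = []
    # Smart Install shows no 'vstack' line while it is on; only an explicit
    # 'no vstack' proves it was turned off, so its absence is the finding.
    if "no vstack" not in lines:
        findings.append("SMI: 'no vstack' absent, Smart Install may still be enabled "
                        "(CVE-2018-0171 exposure)")
    for line in lines:
        m = SNMP_COMMUNITY.match(line)
        if m:
            # IOS defaults a community to read-only when neither RO nor RW is given.
            access = "RW" if re.search(r"\bRW\b", m.group("rest")) else "RO"
            findings.append(f"SNMP: v1/v2c community with {access} access, "
                            "unencrypted; migrate to SNMPv3 authPriv")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for finding in audit_config(cfg) or ["no findings"]:
            print(" -", finding)
```

Run it against `show running-config` output saved to a file; the hardened sample reports nothing because SMI is explicitly disabled and only an SNMPv3 group remains.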