HACKED: Small to medium sized business and residential routers worldwide

Last week the United States Computer Emergency Response Team (US-CERT) issued a joint technical alert with the US Department of Homeland Security, the FBI and UK’s National Cyber Security Centre, detailing router attacks.

It said the Russian “Grizzly Steppe” government hackers had exploited legacy and weak protocols, and network service ports against a large number of enterprise, small to medium sized business and residential routers and switches worldwide since 2015.

The Australian federal government joined them later in the week blaming Russian state hackers for exploiting commercial networking equipment to target Australian organisations.

Grizzly Steppe scanned the current internet address space to locate network infrastructure that ran vulnerable clear-text services such as Telnet, HTTP, the simple network management protocol (SNMP) and Cisco Smart Install (SMI). By observing login banners presented by the devices, and fingerprinting the data returned by scanning, the hackers were able to identify the routers and switches, as well as the organisations they were installed at. Organisations that exposed SNMP to the internet also leaked vital details that allowed the hackers to map out networks and the devices connected to them.

The hackers were able to use default login credentials, and guess weak passwords; they were also able to use credentials already leaked on the internet, as many organisations permit passwords that can be derived from existing data breaches. Once logged in as a privileged administrator on the network devices, the Grizzly Steppe hackers were able to install modified software and operating system files on them, as well as firmware that enabled them to establish a persistent presence.

Cisco’s SMI was used to install the malicious code and to change configuration files, as it is an unauthenticated management protocol that is susceptible to network address spoofing. The hackers were able to take full control of network devices, establish a man-in-the-middle position and capture traffic flows and exfiltrate data from targets using Generic Routing Encapsulation (GRE) protocol tunnels.
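The two behaviours described above, internet-sourced access to clear-text management services and GRE tunnels from a network device to an unexpected endpoint, are both visible in flow telemetry. The following is an added example written for this page, not tooling from the alert or from any vendor: it triages a handful of constructed NetFlow-style records (the IP addresses, the management network, the list of managed devices and the approved GRE peer are all assumptions) and raises an alert when a management port on a managed device is reached from outside the management network, or when a device sends GRE (IP protocol 47) to a peer that is not on the approved list.

```python
import ipaddress
from dataclasses import dataclass

# IP protocol numbers and the clear-text management services named in the alert
GRE = 47
TCP, UDP = 6, 17
MGMT_PORTS = {23: "telnet", 80: "http", 161: "snmp", 4786: "smart-install"}

# Assumed inventory (constructed for this example): two managed routers with
# public-facing addresses, one internal management network, one approved GRE peer.
DEVICE_ADDRS = {ipaddress.ip_address("192.0.2.10"), ipaddress.ip_address("192.0.2.11")}
MGMT_NETS = [ipaddress.ip_network("10.1.5.0/24")]
GRE_PEERS = {ipaddress.ip_address("192.0.2.1")}

# Constructed flow records in a simplified NetFlow-like layout:
# timestamp src_ip dst_ip ip_proto dst_port bytes
SAMPLE_FLOWS = """\
2018-04-17T10:01:02Z 203.0.113.45 192.0.2.10 6 23 512
2018-04-17T10:01:05Z 203.0.113.45 192.0.2.10 17 161 240
2018-04-17T10:02:11Z 203.0.113.45 192.0.2.11 6 4786 1800
2018-04-17T10:05:30Z 192.0.2.10 198.51.100.77 47 0 9437184
2018-04-17T10:05:31Z 192.0.2.10 192.0.2.1 47 0 40960
2018-04-17T10:06:00Z 10.1.5.20 192.0.2.10 6 22 1024
2018-04-17T10:06:30Z 10.1.5.20 192.0.2.10 6 23 700
"""


@dataclass(frozen=True)
class Alert:
    rule: str
    ts: str
    src: str
    dst: str
    detail: str


def parse_flow(line):
    """Split one record into typed fields."""
    ts, src, dst, proto, port, nbytes = line.split()
    return (ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
            int(proto), int(port), int(nbytes))


def triage_flows(text, devices=DEVICE_ADDRS, mgmt_nets=MGMT_NETS, gre_peers=GRE_PEERS):
    """Return alerts for management exposure and unexpected GRE from managed devices."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, port, nbytes = parse_flow(line)
        from_mgmt = any(src in net for net in mgmt_nets)

        # Rule 1: a management service on a managed device reached from outside
        # the management network (covers scanning and credential guessing over
        # Telnet/HTTP/SNMP/Smart Install).
        if dst in devices and proto in (TCP, UDP) and port in MGMT_PORTS and not from_mgmt:
            alerts.append(Alert("mgmt-exposure", ts, str(src), str(dst),
                                f"{MGMT_PORTS[port]} reached from outside management network"))

        # Rule 2: GRE leaving a managed device toward a peer that is not approved,
        # which is the traffic-capture / exfiltration channel described above.
        if src in devices and proto == GRE and dst not in gre_peers:
            alerts.append(Alert("unexpected-gre", ts, str(src), str(dst),
                                f"GRE to unapproved peer, {nbytes} bytes"))
    return alerts


if __name__ == "__main__":
    for a in triage_flows(SAMPLE_FLOWS):
        print(f"{a.ts} {a.rule:14} {a.src} -> {a.dst}: {a.detail}")
```

The sample yields four alerts: Telnet, SNMP and Smart Install reached from an internet address, and one large GRE flow to an unlisted peer; the GRE flow to the approved peer and the Telnet session from the management network are not flagged. In a real deployment the inventory sets would come from the CMDB or router configs rather than constants.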

Users are asked to immediately change default and weak passwords, and not to reuse them across multiple devices. Strong password policies should be enforced, and each device should have its own unique set of login credentials. Users should not expose unencrypted management protocols to the internet, nor should they allow access to device management interfaces from the internet.

Manufacturers should ship devices with such protocols disabled by default and users should be presented with clear warnings of the risks of enabling them. Manufacturers should also force users to change passwords during device installation or implement public key infrastructure (PKI) credentials instead, US-CERT added.
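Most of the user-side recommendations above (no default or reversible passwords, no clear-text management protocols, Smart Install disabled) can be checked mechanically against a saved device configuration. The following is an added example, not a tool from US-CERT or Cisco: a small auditor for Cisco IOS-style configuration text that reports the weak settings, run over one constructed weak configuration and one constructed hardened configuration. The hostnames, credentials and access-list names are placeholders, and the command names checked (`no vstack`, `ip http server`, `enable secret`, `transport input`, `snmp-server community`) are standard IOS syntax.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    check: str
    line: str
    advice: str


# Community strings and local usernames that routinely appear in default
# configurations and public wordlists.
WEAK_COMMUNITIES = {"public", "private", "cisco", "admin"}
DEFAULT_USERS = {"admin", "cisco", "root"}


def audit_config(text):
    """Return a list of Findings for weak management settings in an IOS-style config."""
    findings = []
    top = ""                      # current top-level command, for indented sub-lines
    smart_install_disabled = False
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        line = raw.strip()
        indented = raw.startswith(" ")
        if not indented:
            top = line

        if line == "no vstack":
            smart_install_disabled = True
        elif line == "ip http server":
            findings.append(Finding("http-server", line,
                                    "clear-text HTTP management enabled; use 'no ip http server'"))
        elif line.startswith("enable password"):
            findings.append(Finding("enable-password", line,
                                    "enable password is reversible; use 'enable secret'"))
        elif (m := re.match(r"username (\S+) (password|secret)", line)):
            user, kind = m.groups()
            if user.lower() in DEFAULT_USERS:
                findings.append(Finding("default-user", line, "default username still present"))
            if kind == "password":
                findings.append(Finding("local-password", line,
                                        "local password is reversible; use 'username ... secret'"))
        elif (m := re.match(r"snmp-server community (\S+)", line)):
            community = m.group(1)
            if community.lower() in WEAK_COMMUNITIES or re.search(r"\bRW\b", line):
                findings.append(Finding("snmp-community", line,
                                        "well-known or read-write community; prefer SNMPv3 with auth/priv"))
        elif indented and top.startswith("line vty") and line.startswith("transport input"):
            if re.search(r"\b(telnet|all)\b", line):
                findings.append(Finding("vty-telnet", line, "Telnet allowed on vty; use 'transport input ssh'"))

    if not smart_install_disabled:
        findings.append(Finding("smart-install", "(global config)",
                                "Smart Install not disabled; add 'no vstack'"))
    return findings


# Constructed configuration with the weaknesses described in the alert.
WEAK_CONFIG = """\
!
hostname edge-rtr
!
enable password cisco123
!
username admin password 0 admin
!
ip http server
no ip http secure-server
!
snmp-server community public RO
snmp-server community private RW
!
line vty 0 4
 transport input telnet ssh
 login local
!
end
"""

# Constructed hardened configuration (hash values are placeholders).
HARDENED_CONFIG = """\
!
hostname edge-rtr
!
service password-encryption
enable secret 9 $9$PLACEHOLDER_HASH
!
username netops secret 9 $9$PLACEHOLDER_HASH
!
no vstack
!
no ip http server
ip http secure-server
!
ip ssh version 2
!
line vty 0 4
 access-class MGMT-IN in
 transport input ssh
 login local
!
end
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}: {len(audit_config(cfg))} finding(s)")
        for f in audit_config(cfg):
            print(f"  [{f.check}] {f.line}  ->  {f.advice}")
```

The weak configuration produces eight findings (reversible enable and local passwords, a default username, HTTP enabled, two weak SNMP communities, Telnet on the vty lines and Smart Install left enabled); the hardened one produces none. The checks are deliberately string-level so they can run over a directory of backed-up configs without device access.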