Earlier this year, we wrote about how Cisco Talos is seeing an increase in the rate of high-sophistication attacks on network infrastructure. We weren’t the only ones to speak about how these types of attacks are gaining momentum — many of our colleagues across the security industry and in various governments around the world were seeing the same: Multiple threat actors carrying out sustained campaigns, particularly against end-of-life network hardware and software.
That message is as true today as it was when we issued the Threat Advisory in April. We are continuing to see post-auth attacks against network infrastructure (“post-auth” meaning that the attackers had already gained legitimate credentials before carrying out the network attack). Though we can’t be 100% sure of the motivation behind these attacks, we know that the threat actors are looking to build increasing levels of access and visibility for themselves. Primarily, this is for espionage purposes, but other reasons include pre-positioning themselves inside a network to carry out future attacks.
Our goal is to continue to raise awareness and motivate stakeholders to take the necessary steps to update and maintain the integrity of their network infrastructure security. That is why Cisco is joining technology providers, security experts, and network operators to launch the Network Resilience Coalition, an alliance focused on providing a coordinated framework for improving network security that supports our global economic and national security.
What many of these attacks have in common is that threat actors have worked their way through systems to control logging, thus giving them a supreme level of authority and control across the entire network. Once these systems have been compromised, we have observed threat actors modifying the memory to do things such as reintroducing vulnerabilities that might have been patched or changing the configuration of the systems to an insecure state. These efforts are masked, preventing system administrators from seeing the activity, while the threat actors set up persistent tunnels into the network devices.
One of the most important things to talk about here is that in each of the cases we’ve seen, the threat actors are taking the type of “first steps” that someone who wants to understand (and control) your environment would take. Examples we have observed include threat actors performing a “show config,” “show interface,” “show route,” “show arp table” and a “show CDP neighbor.” All these actions give the attackers a picture of a router’s perspective of the network, and an understanding of what foothold they have.
This means it is vital for organizations to understand their environment to stay one step ahead. Because once the actor is in place, then it’s a race to see who understands the environment better.
If you are continuing to use out-of-date network infrastructure, or you are exploring what you need to do to shore up your network defenses, here are our recommendations on what to do:
- Bear in mind that these types of attacks don’t just involve your network. Typically, they involve credentials being stolen or abused in some way; the first step could be a phishing attack or the theft of credentials from a credential store. Therefore, complex passwords for your accounts are crucial, along with complex community strings if you use SNMP. Avoid anything that is default; if you have any default SNMP configurations, make sure they are removed.
- In addition, use multi-factor authentication. This is one of the best things you can do to prevent credential abuse. Even if someone steals credentials, they still can’t use them without someone authorizing login attempts.
- SNMP has been a faithful way of managing network architecture for a long time, but there are more modern alternatives. Certainly, anything before SNMPv3 is completely insecure, and you should not be using it. There’s NETCONF and RESTCONF available, which work over SSH and HTTPS and are much more secure. We recognize that this isn’t necessarily an easy step to take, and network teams are often overworked at the best of times, but it is crucial to pay attention to how your network is protected, in the wake of these sophisticated attacks.
- Encrypt all monitoring and configuration traffic (SNMPv3, HTTPS, SSH, NETCONF, RESTCONF).
- In addition, lock down your credential systems, and then look for those anomalous activities. For example, look for potential attacks against credential serving systems. Look for VPN tunnels or persistent connections that you don’t recognize, or you can’t identify why they are there.
- Similarly, the evidence of an attack will be in your system logs. It is crucial to check these as soon as possible, as the attackers are looking to take control of these logs. Specifically look for any attempts to turn off any authorization and accounting tools. If someone has been trying to turn off logging, or modifying the level of logging, that is a huge red flag.
- Check your network environment for unauthorized configuration changes or devices that have had their configuration state changed. Again, these are high-performing, high-availability pieces of silicon, and therefore need to be watched in a specific way.
- If you do find something amiss, or if you think that you have been compromised, please reach out to your network vendor. If that is Cisco, you can contact Cisco TAC or PSIRT. We are here to help.
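As an added example that is not part of the original post, the following Python script scans constructed Cisco IOS-style syslog lines (the PARSER-5-CFGLOG_LOGGEDCMD and SYS-5-CONFIG_I message formats are assumed; hostnames, user names and addresses are made up) for the red flags listed above: logging being turned off or its severity lowered, AAA accounting being disabled, new tunnel interfaces appearing, and configuration changes made by an account that is not on the approved list.

```python
import re

# Constructed sample syslog lines (not from the original post), in the shape a
# Cisco IOS device emits when config logging and AAA command accounting are on.
SAMPLE_LOG = """\
%PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:interface GigabitEthernet0/1
%PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:description uplink-to-core
%PARSER-5-CFGLOG_LOGGEDCMD: User:svc_backup  logged command:no logging host 10.0.0.5
%PARSER-5-CFGLOG_LOGGEDCMD: User:svc_backup  logged command:logging trap emergencies
%PARSER-5-CFGLOG_LOGGEDCMD: User:svc_backup  logged command:no aaa accounting commands 15 default
%PARSER-5-CFGLOG_LOGGEDCMD: User:svc_backup  logged command:interface Tunnel77
%SYS-5-CONFIG_I: Configured from console by svc_backup on vty1 (203.0.113.9)
"""

# Each rule pairs a reason with a regex matched against the logged command.
RULES = [
    ("logging disabled or redirected", re.compile(r"^no logging\b")),
    ("logging severity lowered", re.compile(r"^logging trap (emergencies|alerts|critical|errors)\b")),
    ("AAA / accounting disabled", re.compile(r"^no aaa\b")),
    ("SNMP configuration removed", re.compile(r"^no snmp-server\b")),
    ("new tunnel interface created", re.compile(r"^interface Tunnel\d+", re.IGNORECASE)),
]

CMD_RE = re.compile(r"CFGLOG_LOGGEDCMD: User:(\S+)\s+logged command:(.*)$")
CFG_RE = re.compile(r"CONFIG_I: Configured from \S+ by (\S+) on (\S+)")

def find_suspicious(log_text, approved_users):
    """Return (user, reason, detail) tuples for commands that match a rule
    and for config commits made by accounts outside approved_users."""
    findings = []
    for line in log_text.splitlines():
        m = CMD_RE.search(line)
        if m:
            user, cmd = m.group(1), m.group(2).strip()
            for reason, rx in RULES:
                if rx.search(cmd):
                    findings.append((user, reason, cmd))
            continue
        m = CFG_RE.search(line)
        if m and m.group(1) not in approved_users:
            findings.append((m.group(1), "config change by unapproved account", line.split(": ", 1)[1]))
    return findings

if __name__ == "__main__":
    for user, reason, detail in find_suspicious(SAMPLE_LOG, {"netops"}):
        print(f"[{reason}] user={user}: {detail}")
```

In practice the approved-user set and the rule list would come from your change-control records; the point is that the commands an attacker needs to silence logging look nothing like routine interface edits and are cheap to alert on.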
For more information, here is the threat advisory video Talos released in April, featuring Talos’ Director of Threat Intelligence and Interdiction, Matt Olney, and National Security Principal, JJ Cummings, which gives additional background on the types of attacks we have been observing: