The US Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI) and the UK’s National Cyber Security Centre (NCSC) issued an alert over exploits in routers and other internet connected devices used in homes, small businesses and large organisations, which are said to be vulnerable to cyber attacks.
The hacking campaign includes breaking into routers and other network devices to carry out man-in-the-middle attacks to support cyber espionage, steal intellectual property and maintain persistent access in victim networks for use in additional attacks.
A technical alert by the NCSC – the cyber arm of GCHQ – warns that systems including Generic Routing Encapsulation (GRE) enabled Devices, Cisco Smart Install (SMI) enabled devices and those using Simple Network Management Protocol (SNMP) are all vulnerable to exploits.
Millions of these devices around the world are said to have been compromised, with inherently poor security and poor default passwords exploited by the attackers.
The advisory includes details of how to secure Telnet, SNMP, TFTP and SMI, and Cisco has published a set of best practices to ‘harden devices against cyber attacks targeting network infrastructure’.
“Cisco security teams have been actively informing customers about the necessary steps to secure Smart Install and the other protocols addressed in the joint alert through security advisories, blogs, and direct communications,” Cisco said in a blog post.
Responding to the specific mentions of Smart Install in the alert, Cisco states that the main recommendation for users who don’t need it is to ‘disable the feature using the no vstack command once setup is complete’.
But in the case of customers who need it, Cisco states they can use access control lists to block incoming traffic on TCP port 4786.
“Additionally, patches for known security vulnerabilities should be applied as part of standard network security management,” Cisco adds.
However, with home users and small businesses said to be vulnerable to these exploits, there are concerns that these individuals and organisations will remain vulnerable to attacks because the users don’t understand how to secure the devices.
Even the NCSC advisory says the very reason attackers select these devices is they’re known to be vulnerable and are often not patched.
“Network devices are often easy targets. Once installed, many network devices are not maintained at the same security level as other general-purpose desktops and servers,” said the advisory.
It added how few of these devices run antivirus or security tools and that “manufacturers build and distribute these network devices with exploitable services, which are enabled for ease of installation, operation, and maintenance”.
The report urges manufacturers not to design products to support legacy or unencrypted protocols and to design the devices so that users are required to change the default passwords before using the device.
Most attacks against routers leverage vulnerabilities or mis-configurations of the firmware. Routers are crucial pieces of hardware that act as gateways between private networks from the public internet, and yet security patches and firmware updates are rarely issued by vendors or deployed by end users due to the complexity of the operation.
Those who believe their device has been compromised by tools and techniques discussed in the advisory are urged to report it to law enforcement agencies.
US and UK authorities haven’t gone into depth on how they’ve attributed the attacks to the Kremlin, but stated they have “high confidence that Russian state-sponsored cyber actors were behind this malicious cyber activity that aimed to exploit network infrastructure devices”.
The Russian Embassy to the UK has dismissed the allegations of a state-backed cyberattack against the UK or its allies.
“We consider these accusations and speculations as striking examples of a reckless, provocative and unfounded policy against Russia,” said an Embassy statement.
The joint US-UK alert comes days after Home Secretary Amber Rudd warned that the UK had been hit by 49 cyberattacks from Russian groups in the last six months. Jeremy Fleming, the director of UK intelligence agency GCHQ, also recently called out Russia’s actions in cyberspace.
“They’re not playing to the same rules, they’re blurring the boundaries between criminal and state activity,” he said