Post

Csa Improve Router Hygiene

Csa Improve Router Hygiene

Csa Improve Router Hygiene

The US Defense Department has published a critical advisory regarding the ongoing threats posed by the Russian Federal Security Service (FSB) Center 16 cyber actors. These actors are exploiting poorly configured and vulnerable networking devices worldwide, compromising multiple critical infrastructure sector networks. 🚨

This joint Cybersecurity Advisory (CSA) builds on the FBI’s previous announcements about Russian government cyber activities, providing additional tactics, techniques, and procedures (TTPs) to help defenders understand and counter these threats. The sectors most at risk include:

  • Communications
  • Defense Industrial Base
  • Energy
  • Financial Services
  • Government Services and Facilities
  • Healthcare and Public Health

Key Findings

The FSB Center 16 cyber actors primarily use scanning techniques to identify poorly configured networking devices, particularly routers. They scan for Internet IP ranges with active Simple Network Management Protocol (SNMP) agents that accept common or default community strings for authentication. These scans often involve:

  • SNMP Set-Requests from a spoofed IP address
  • Copying configurations to files like “config.bkp” or “output.txt”
  • Transferring these files to actor-controlled servers via Trivial File Transfer Protocol (TFTP)

While SNMP scanning is the main method of discovery, these actors also exploit common vulnerabilities and exposures (CVEs) in Cisco devices. Some notable CVEs include:

  • CVE-2018-0171
  • CVE-2008-4128

Recommendations

To mitigate these risks, network defenders are highly encouraged to implement the following measures:

  • Disable Cisco Smart Install on all devices.
  • Use SNMPv3 with strong encryption instead of legacy protocols.
  • Ensure strong, unique passwords for local accounts on network devices.

By following these guidelines, organizations can better protect themselves against the threats posed by cyber actors. 🔒

For more detailed information, you can read the full advisory here.

This post is licensed under CC BY 4.0 by the author.