Russian State-Sponsored Hackers Exploit Legacy Cisco Vulnerability to Infiltrate Critical Infrastructure

In a recent advisory, the Federal Bureau of Investigation (FBI) and Cisco have raised alarms over a Russian state-sponsored cyber espionage group, identified as Static Tundra, exploiting a longstanding vulnerability in Cisco networking devices. This flaw, designated as CVE-2018-0171 with a critical CVSS score of 9.8, resides in the Smart Install (SMI) feature of Cisco’s IOS and IOS XE software. Despite patches being available since March 2018, numerous devices remain unpatched, leaving them susceptible to exploitation.

Background on CVE-2018-0171:

The vulnerability affects the Smart Install client, a plug-and-play feature that lets a director switch push software images and configurations to new, unconfigured switches without an operator on site. The Smart Install client listens on TCP port 4786 and does not properly validate the packet data it receives. An unauthenticated remote attacker who can reach that port can send a crafted Smart Install message that either forces the device to reload (a denial of service) or executes arbitrary code on it, which amounts to full control of the device and a foothold in the network it serves. Cisco published fixed software in March 2018 and urged customers to upgrade promptly; customers who do not use the feature can also simply disable it.

Recent Exploitation Activities:

Over the past year, the FBI has observed Static Tundra actively targeting unpatched Cisco devices across various critical infrastructure sectors in the United States. The attackers have been collecting configuration files from thousands of networking devices. In certain instances, they have modified these configurations to establish unauthorized access, thereby compromising the integrity and security of the affected networks.

Attribution to Russian FSB’s Center 16:

The FBI attributes these malicious activities to the Russian Federal Security Service’s (FSB) Center 16 unit. This group is known within the cybersecurity community by several aliases, including Berserk Bear, Blue Kraken, Castle, Crouching Yeti, Dragonfly, Ghost Blizzard, and Koala Team. Historically, this unit has been implicated in compromising networking devices globally, particularly those utilizing legacy unencrypted protocols such as SMI and SNMP versions 1 and 2. Notably, in 2015, they deployed custom malware known as ‘SYNful Knock’ to target specific Cisco devices.

Cisco’s Response and Recommendations:

In light of the ongoing exploitation, Cisco has updated its 2018 advisory to highlight the persistent threat posed by CVE-2018-0171. Cisco Talos tracks the activity as Static Tundra and assesses it to be a likely subgroup of the larger Energetic Bear cyber espionage group. Talos researchers describe Static Tundra as a group that exploits networking device vulnerabilities to harvest configuration information and establish long-term access to targeted networks.

Once initial access is achieved, Static Tundra tends to pivot deeper into the target environment, compromising additional network devices and setting up channels for sustained information gathering. Active since at least 2015, this group has primarily targeted telecommunications, higher education, and manufacturing sectors, focusing on Ukraine and allied nations, aligning with Russia’s strategic interests.

Mitigation Measures:

Organizations are strongly advised to:

– Apply Patches: Upgrade every Cisco IOS and IOS XE device to a release that contains the fix for CVE-2018-0171, and verify the installed version afterwards rather than relying on the change ticket.

– Disable Unnecessary Features: If Smart Install is not in use, disable it on every switch (the configuration command is no vstack) and confirm the result with show vstack config; where it must stay enabled, restrict TCP port 4786 to the director switch with an access list and block it at the network perimeter. Retire SNMP versions 1 and 2c, which authenticate only with a cleartext community string, in favour of SNMPv3 with authentication and privacy.

– Monitor Network Traffic: Alert on connections to TCP port 4786 from anything other than a known director, on configuration files leaving devices over TFTP or similar protocols, and on syslog configuration-change messages (for example %SYS-5-CONFIG_I) that originate from unexpected sources or at unexpected times.

– Review Configurations: Keep a known-good copy of each device's running configuration and compare it regularly against the live device, paying particular attention to new local accounts, added SNMP community strings, removed security settings such as no vstack, and changes to VTY line access.

For a comprehensive list of recommendations and best practices, organizations should refer to Cisco Talos’s detailed blog post on this subject.
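The checks in the "Disable Unnecessary Features" and "Review Configurations" items above can be automated against exported configurations. The following Python script is an added example written for this article; it is not code from Cisco, Talos or the FBI. It parses the output of show vstack config, flags Smart Install left enabled and SNMPv1/v2c community strings in a running configuration, and diffs a live configuration against a baseline to surface high-risk changes. The sample device output and configurations are constructed for the example, the exact wording of the show vstack config Role line is an assumption, and the HIGH_RISK pattern is one analyst's choice of what deserves a look, not an exhaustive list.

```python
"""Audit Cisco IOS / IOS XE configurations for the weaknesses Static Tundra
abuses (Smart Install, legacy SNMP) and detect drift from a known-good baseline.

Added example for this article; not Cisco, Talos or FBI code.  The sample
device output and configurations below are constructed.  The 'no vstack' and
'snmp-server community' syntax is standard IOS; the exact format of the
'show vstack config' Role line is an assumption.
"""
import difflib
import re

# Configuration lines that change who can reach or log in to the device.
# Any addition or removal of one of these is worth an analyst's attention.
HIGH_RISK = re.compile(
    r"^(no )?(vstack|username |snmp-server|aaa |ip http|line vty|"
    r"access-list|ip access-list|tacacs|radius|enable secret|"
    r"enable password|ip ssh|transport input)"
)

# Constructed 'show vstack config' output from a switch that was never
# explicitly configured, so Smart Install is still on (the default).
SHOW_VSTACK_DEFAULT = """\
 Role: Client (SmartInstall enabled)
 Vstack Director IP address: 0.0.0.0
"""

# Constructed known-good configuration: Smart Install off, SNMPv3 only,
# SSH-only management access.  '<hash>' stands in for a real password hash.
BASELINE_CONFIG = """\
hostname core-sw1
no vstack
username netops privilege 15 secret 5 <hash>
snmp-server group v3ops v3 priv
line vty 0 4
 transport input ssh
"""

# Constructed live configuration showing the kind of changes an intruder
# with configuration access might make: 'no vstack' removed, an extra
# privileged account, an RW community string, and telnet re-enabled.
CURRENT_CONFIG = """\
hostname core-sw1
username netops privilege 15 secret 5 <hash>
username backup privilege 15 secret 5 <hash>
snmp-server group v3ops v3 priv
snmp-server community public RW
line vty 0 4
 transport input ssh telnet
"""


def smart_install_enabled(show_vstack_output: str) -> bool:
    """Return True if 'show vstack config' reports Smart Install enabled."""
    m = re.search(r"Role:\s*\w+\s*\(SmartInstall (enabled|disabled)\)",
                  show_vstack_output)
    if m is None:
        raise ValueError("could not find the SmartInstall role line")
    return m.group(1) == "enabled"


def audit_running_config(config: str) -> list[str]:
    """Flag Smart Install not explicitly disabled and SNMPv1/v2c communities."""
    findings = []
    lines = [ln.strip() for ln in config.splitlines()]
    # Smart Install is on by default on client switches, so only an explicit
    # 'no vstack' line in the running configuration proves it is off.
    if "no vstack" not in lines:
        findings.append("Smart Install not explicitly disabled ('no vstack' missing)")
    # 'snmp-server community' configures SNMPv1/v2c: no encryption, and the
    # community string travels in cleartext as the only credential.
    for ln in lines:
        if ln.startswith("snmp-server community"):
            parts = ln.split()
            access = "RW" if "RW" in parts else "RO"
            findings.append(f"SNMPv1/v2c community '{parts[2]}' ({access})")
    return findings


def config_drift(baseline: str, current: str) -> list[str]:
    """Return high-risk lines added ('+') or removed ('-') relative to baseline."""
    base = [ln.strip() for ln in baseline.splitlines() if ln.strip()]
    cur = [ln.strip() for ln in current.splitlines() if ln.strip()]
    drift = []
    for d in difflib.unified_diff(base, cur, lineterm="", n=0):
        if d.startswith(("---", "+++", "@@")):   # skip diff headers
            continue
        if d[0] in "+-" and HIGH_RISK.match(d[1:]):
            drift.append(d)
    return drift


if __name__ == "__main__":
    print("Smart Install enabled:", smart_install_enabled(SHOW_VSTACK_DEFAULT))
    for f in audit_running_config(CURRENT_CONFIG):
        print("FINDING:", f)
    for d in config_drift(BASELINE_CONFIG, CURRENT_CONFIG):
        print("DRIFT:  ", d)
```

Run against real exports, the script reports two findings for the live configuration (Smart Install not disabled, and an RW community string named public) and five drifted lines, including the removal of no vstack and the addition of a second privilege 15 account; the baseline itself produces no findings. Pair it with an external check that TCP port 4786 is closed from untrusted networks, since a device can have Smart Install disabled in the configuration yet still expose the port until the change is saved and applied.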

Conclusion:

The exploitation of a seven-year-old vulnerability underscores the critical importance of timely patch management and proactive network security measures. Organizations, especially those within critical infrastructure sectors, must remain vigilant against state-sponsored cyber threats and ensure that their systems are fortified against known vulnerabilities.