Russian hacker warning: How to protect yourself from network attacks

April 18, 2018

Businesses and governments have been urged to keep their network security up to date following a warning from U.S. and U.K. authorities on the risk of cyber attack from hackers backed by Russia.

The U.S. Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the U.K.’s National Cyber Security Centre (NCSC) issued an alert over exploits in routers and other internet-connected devices used in homes, small businesses, and large organizations, which are said to be vulnerable to cyber attacks.

The hacking campaign includes breaking into routers and other network devices to carry out man-in-the-middle attacks to support cyber espionage, steal intellectual property, and maintain persistent access in victim networks for use in additional attacks.

A technical alert by the NCSC—the cyber arm of GCHQ—warns that systems including Generic Routing Encapsulation (GRE)-enabled devices, Cisco Smart Install (SMI)-enabled devices, and those using Simple Network Management Protocol (SNMP) are all vulnerable to exploits.

Millions of these devices around the world are said to have been compromised, with inherently poor security and poor default passwords exploited by the attackers.

The advisory includes details of how to secure Telnet, SNMP, TFTP, and SMI, and Cisco has published a set of best practices to ‘harden devices against cyberattacks targeting network infrastructure’.

Responding to the specific mentions of Smart Install in the alert, Cisco states that the main recommendation for users who don’t need it is to ‘disable the feature using the no vstack command once setup is complete’.

But in the case of customers who need it, Cisco states they can use access control lists to block incoming traffic on TCP port 4786.
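The two Cisco recommendations above (disable Smart Install with `no vstack`, or, where it is still needed, restrict TCP port 4786 with an access control list) as an added Cisco IOS configuration example; this is not from the article or from Cisco's advisory. The director address 192.0.2.10, the list name ACL-SMI, and the interface GigabitEthernet1/0/1 are constructed placeholders.

```cisco
! Case 1: Smart Install is not needed (the usual case once a switch is provisioned).
! Disabling the feature stops the switch from listening on TCP 4786 at all.
configure terminal
 no vstack
 end
! Verify: the output should report Smart Install as disabled on this device.
show vstack config

! Case 2: Smart Install is still needed (this switch is a client of a director).
! Keep the feature but accept TCP 4786 only from the director; log everything else.
configure terminal
 ip access-list extended ACL-SMI
  remark Allow Smart Install only from the director (constructed address)
  permit tcp host 192.0.2.10 any eq 4786
  remark Deny and log any other Smart Install attempt for later review in syslog
  deny   tcp any any eq 4786 log
  remark Leave all other traffic unaffected by this list
  permit ip any any
 exit
 interface GigabitEthernet1/0/1
  ip access-group ACL-SMI in
 end
! Verify the list is attached; the deny line's match counter should stay at zero
! under normal operation, so a rising count is a simple sign of unwanted probing.
show ip access-lists ACL-SMI
```

Apply the list on every interface that faces a network the director does not sit on, not just one; an unfiltered interface leaves the port reachable from that side.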

“Additionally, patches for known security vulnerabilities should be applied as part of standard network security management,” Cisco adds.

However, since home users and small businesses are said to be exposed to these exploits, there are concerns that they will remain vulnerable because they do not know how to secure their devices.

The NCSC advisory itself says the very reason attackers select these devices is that they are known to be vulnerable and are often left unpatched.

It added that few of these devices run antivirus or security tools and that “manufacturers build and distribute these network devices with exploitable services, which are enabled for ease of installation, operation, and maintenance”.

The report urges manufacturers not to design products to support legacy or unencrypted protocols and to design the devices so that users are required to change the default passwords before using the device.

Those who believe their device has been compromised by tools and techniques discussed in the advisory are urged to report it to law enforcement agencies.

ZDNet has the full story