[BreachExchange] Proactive cyber security: UK-US alert on mass targeting of network devices

Audrey McNeil audrey at riskbasedsecurity.com
Fri May 4 14:45:41 EDT 2018


Proactive cyber security: what the UK-US alert on mass targeting of network
devices can teach us

Last week, the US and the UK warned that Russian cyber threat actors were
conducting a multi-year campaign to compromise network devices as a means
of infiltrating organisations in the two states and their allies. The
campaign reportedly targets a wide range of organisations, including
government bodies, critical national infrastructure companies,
telecommunication providers, and even personal users. The wide range of
targets suggests that most companies in the countries targeted, including
the UK, are at risk.

The potential impact for businesses using legacy versions of SNMP and other
unencrypted management protocols – exploited in this campaign – is
significant. Access to routers and switches would enable threat actors to
gain a foothold on corporate networks, and a privileged observation point
to monitor network traffic.

More than customer data and corporate information at risk

This access could be leveraged to steal sensitive information, including
personal data, with which to understand business operations. Threat actors
could also deploy malicious software, i.e. self-propagating disruptive
malware. Last June, the NotPetya ransomware-like worm, attributed to
Russia, showed that even large companies can be ground to a halt by a
similar piece of malicious code. The potential impact of the campaign,
coupled with heightened tensions between Russia and Western states, makes
it paramount that companies take steps to mitigate this threat.

This campaign is notable for its breadth, rather than its sophistication.
The threat actors do not employ malware but rely on weaknesses in common
protocols and service ports associated with network administration
activities. The attackers exploit weaknesses in legacy unencrypted network
management protocols to steal credentials, personal data and corporate

Companies’ use of unencrypted network devices, which are visible from the
open internet, has enabled attackers. As has become clear from the number
of devices infected, the use of unencrypted management protocols is also
common. This is mainly due to time and cost constraints, competing
priorities within companies, and a gap between those with technical IT
responsibilities and those making decisions on IT expenditure.

Proactive mitigation measures for better resilience

As resources are limited in any organisation, there is a need for a
risk-focused approach to managing IT infrastructure. This means translating
what threat intelligence tells us about real-life attacks into a
vulnerability discovery and remediation process. In this case, for
instance, knowledge of how Russian actors abused specific ports and
protocols should lead CISOs to consider drafting formal remediation plans
to upgrade legacy systems that support unencrypted network protocols (these
should be replaced with encrypted alternatives like SSH, HTTPS, TLS and
SNMP version 3).

Rather than relying solely on reactive mitigation measures, organisations
should take a proactive approach to securing their networks. SNMP internal
traffic can be reviewed and analysed, which is why maintaining a thorough
logging and monitoring process is paramount. Ports must be closed off and
only opened for specific time periods where there is a requirement to
connect to the server for maintenance by trusted third parties. Such
specific mitigating steps can go a long way in protecting an organisation’s

Mitigating against evolving threats

However, threats and their methods of delivery are ever evolving. Threat
actors are constantly upgrading their tactics and learning from others’
operations. Cybercriminals in particular are very agile in adopting nation
states’ tactics. Although we have yet to see Russia’s tactics replicated,
the relatively low level of skills required will likely render them
attractive to criminals, who already scan for exposed RDP servers to
deliver targeted ransomware. Moving to scanning devices with other types of
open ports would not be that different.

The potential for wider exploitation of exposed network devices means that
companies should prioritise securing them. Although the threat is
significant, cost-effective solutions can go a long way to mitigating it.
This joint US-UK alert covers one operation by Russian state-sponsored
threat actors; different threat actors, at different times, will employ
different tactics to achieve similar aims. The threat to European and US
critical national infrastructure is constantly evolving, so the first step
for a resilient organisation remains a nuanced understanding of shifting
threats and how they could affect your organisation.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180504/1254660e/attachment.html>

More information about the BreachExchange mailing list