The FBI and Cisco have issued urgent warnings about Russian hackers exploiting a seven-year-old vulnerability in Cisco Smart Install, impacting outdated routers and switches globally.
A significant number of legacy Cisco devices, which no longer receive security updates, are currently being targeted as part of a sophisticated cyber espionage campaign, as reported by the FBI and Cisco Talos.
The Russian state-sponsored threat group, tracked variously as Static Tundra, Dragonfly, Energetic Bear, and Berserk Bear, is leveraging the unpatched vulnerability CVE-2018-0171. This flaw in Cisco’s Smart Install feature enables attackers to execute arbitrary code or reboot devices. Although Cisco issued a patch in 2018, many systems remain vulnerable because they were never updated or because they have reached end-of-life status and are no longer supported. These devices are prevalent in sectors like telecommunications, manufacturing, and academia, making them attractive targets for Russian intelligence operations.
Back in April 2018, incidents were reported where attackers exploited CVE-2018-0171 to compromise Cisco switches in data centers in Iran and Russia, hijacking devices and altering their IOS images to display an ASCII representation of the U.S. flag alongside a political message.
Static Tundra is associated with Russia’s Federal Security Service (FSB) and has been operational for over ten years. Researchers report that the group has built automated tooling to scan the internet, using services like Shodan and Censys to locate devices still running the Smart Install feature.
When they successfully breach a device, they extract configuration data, which often includes administrative credentials and network infrastructure details, giving them a platform for more extensive intrusions. Reports indicate that the FBI has detected the exfiltration of configuration data from thousands of U.S. devices across critical infrastructure sectors. In some instances, these adversaries modified device settings to maintain access, particularly focusing on systems crucial for industrial operations.
Static Tundra has a track record of deploying SYNful Knock, a malicious implant for Cisco routers first documented in 2015. The implant persists across reboots, allowing continued remote access through specially crafted packets. The group also exploits insecure SNMP community strings, including default ones like “public,” to gather additional information or issue commands on targeted devices.
Cisco Talos researchers characterize the group’s operations as “highly sophisticated,” noting that compromised devices can languish under attacker control for years. They caution that Russia is not the only nation conducting such operations, suggesting that any organization employing outdated or unpatched networking equipment is potentially at risk from various state-sponsored adversaries.
Expert Comment
In response to the FBI’s alert, security experts emphasize the critical importance of maintaining an up-to-date inventory of assets to understand vulnerabilities and ensure ongoing patch management. Trey Ford, Chief Strategy and Trust Officer at Bugcrowd, remarked that while certain sectors may experience production delays in patching cycles, the widespread exploitation of a vulnerability that is seven years old is concerning.
PATCH, PATCH, PATCH
Both the FBI and Cisco strongly recommend that organizations immediately patch devices running Smart Install or disable the feature if patching is not feasible. For unsupported hardware, Cisco advises planning replacements, since those devices will receive no further security updates. Cybersecurity professionals are advised to watch for unusual configuration changes, strange SNMP traffic, and unexplained TFTP activity, which are common indicators of this active campaign.
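As an added example, not part of the original article or of any Cisco tooling, the following script audits an IOS running-config for two of the exposures described above: the Smart Install client not disabled (`no vstack` absent) and default SNMP community strings such as “public” or “private”. The sample config is constructed, and the check assumes that on switches where the Smart Install client is on by default, `no vstack` appears in the config only once the feature has been disabled.

```python
"""Audit a Cisco IOS running-config for two exposures named in the warning:
the Smart Install client still enabled and default SNMP community strings."""

# Constructed sample running-config, not captured from a real device.
SAMPLE_CONFIG = """\
hostname core-sw-01
snmp-server community public RO
snmp-server community s3cr3t-ro RO 10
snmp-server community private RW
end
"""

# Factory-default community strings to flag (assumed list).
DEFAULT_COMMUNITIES = {"public", "private"}


def parse_snmp_community(line: str):
    """Parse 'snmp-server community <string> [view <v>] [RO|RW] [acl]';
    return (community, mode, acl) or None for any other line."""
    tokens = line.split()
    if tokens[:2] != ["snmp-server", "community"] or len(tokens) < 3:
        return None
    community, rest = tokens[2], tokens[3:]
    mode = "RW" if "RW" in rest else "RO"  # IOS defaults to read-only
    acl = None
    for i, tok in enumerate(rest):
        if tok in ("RO", "RW") and i + 1 < len(rest):
            acl = rest[i + 1]  # access-list restricting SNMP sources
    return community, mode, acl


def audit_config(config: str) -> list[str]:
    """Return findings for one running-config. Assumption: on switches where
    the Smart Install client is on by default, 'no vstack' is written to the
    config only once it has been disabled, so its absence is reported."""
    lines = [ln.strip() for ln in config.splitlines()]
    findings = []
    if "no vstack" not in lines:
        findings.append("smart-install: 'no vstack' absent; verify with 'show vstack config'")
    for ln in lines:
        parsed = parse_snmp_community(ln)
        if parsed is None:
            continue
        community, mode, acl = parsed
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append(f"snmp: default community '{community}' configured {mode}")
        if acl is None:
            findings.append(f"snmp: community '{community}' has no source access-list")
    return findings
```

Run `audit_config` over configs pulled from a backup repository to list devices that still need `no vstack` applied or their community strings replaced.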
The FBI encourages anyone who suspects their systems may have been compromised to report their findings through the Internet Crime Complaint Center, underscoring the need for vigilance in cybersecurity.