According to a recent warning from the FBI, threat actors associated with the Russian government are exploiting a seven-year-old vulnerability in Cisco networking equipment that was first disclosed in 2018.
The vulnerability, tracked as CVE-2018-0171, affects the Smart Install (SMI) client feature of Cisco's Internetwork Operating System (IOS) and IOS XE. It stems from improper validation of packet data and can be triggered by sending a specially crafted Smart Install message to a vulnerable device on TCP port 4786, the port on which the Smart Install client listens.
If left unpatched, the flaw allows an unauthenticated, remote attacker to force a reload of the affected device, causing a denial of service (DoS) condition, or to execute arbitrary code on it.
Over the past year, the FBI has observed threat actors gathering configuration files for numerous end-of-life network devices that are susceptible to CVE-2018-0171. These devices are still in use by critical national infrastructure (CNI) operators in the US.
The FBI stated, “On some vulnerable devices, the actors modified configuration files to enable unauthorized access. They used this access to conduct reconnaissance in victim networks, showing interest in protocols and applications commonly associated with industrial control systems.”
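The two things the FBI describes, an exposed Smart Install client and configuration files modified to open up access, can both be checked from a saved copy of the running-config. The following is an added example, not code from the FBI, Cisco Talos, or the article: it diffs a device's current configuration against a known-good baseline and flags changes that would widen access (new local accounts, a writable SNMP community, Telnet re-enabled, a VTY access-class removed) and reports whether Smart Install has been explicitly disabled. The two configurations are constructed samples, and the pattern list and the assumption that Smart Install is on by default when no `vstack` line appears are the author's, to be verified against your platform's documentation.

```python
"""Audit a Cisco IOS running-config against a known-good baseline.

Added example, not code from the FBI, Cisco Talos or the article: flags
configuration changes of the kind that grant or widen access, and checks
whether Smart Install (TCP/4786) has been explicitly disabled.
"""
import difflib
import re

# Lines whose *addition* is suspicious: (regex, reason). Assumption: these are
# the statements most likely to appear when someone opens a new way in.
ADDED_PATTERNS = [
    (r"^username \S+", "new local account"),
    (r"^snmp-server community \S+ RW", "writable SNMP community"),
    (r"^\s*transport input .*\btelnet\b", "Telnet enabled on VTY lines"),
    (r"^ip http server", "HTTP management enabled"),
    (r"^vstack", "Smart Install explicitly enabled"),
]

# Lines whose *removal* is suspicious.
REMOVED_PATTERNS = [
    (r"^no vstack", "Smart Install no longer disabled (TCP/4786 exposed again)"),
    (r"^\s*access-class \S+ in", "VTY access restriction removed"),
    (r"^no ip http server", "HTTP management no longer disabled"),
]

# Constructed sample: a known-good baseline taken from a config backup.
BASELINE_CONFIG = """\
hostname core-sw1
no vstack
username netops privilege 15 secret 5 $1$placeholder
snmp-server community r0-public RO
ip access-list extended MGMT-ONLY
 permit tcp 10.10.0.0 0.0.255.255 any eq 22
 deny ip any any
line vty 0 4
 transport input ssh
 access-class MGMT-ONLY in
end
"""

# Constructed sample: the same device after hypothetical tampering.
CURRENT_CONFIG = """\
hostname core-sw1
username netops privilege 15 secret 5 $1$placeholder
username svc-backup privilege 15 secret 5 $1$placeholder2
snmp-server community r0-public RO
snmp-server community rw-admin RW
ip access-list extended MGMT-ONLY
 permit tcp 10.10.0.0 0.0.255.255 any eq 22
 deny ip any any
line vty 0 4
 transport input ssh telnet
end
"""


def config_diff(baseline: str, current: str):
    """Return (added, removed) config lines, skipping unified-diff headers."""
    diff = difflib.unified_diff(
        baseline.splitlines(), current.splitlines(), lineterm="", n=0
    )
    added, removed = [], []
    for line in diff:
        if line.startswith(("+++", "---", "@@")):
            continue
        if line.startswith("+"):
            added.append(line[1:])
        elif line.startswith("-"):
            removed.append(line[1:])
    return added, removed


def smart_install_disabled(config: str) -> bool:
    """True only if the config carries an explicit 'no vstack'.

    Assumption (verify per platform): on many Catalyst switches the Smart
    Install client is on by default and the running-config shows nothing
    until it is disabled, so a missing 'no vstack' means TCP/4786 is open.
    """
    return any(re.match(r"^no vstack\s*$", line) for line in config.splitlines())


def audit_config(baseline: str, current: str):
    """Return a list of (change, line, reason) findings."""
    findings = []
    added, removed = config_diff(baseline, current)
    for line in added:
        for pattern, reason in ADDED_PATTERNS:
            if re.match(pattern, line):
                findings.append(("added", line.strip(), reason))
    for line in removed:
        for pattern, reason in REMOVED_PATTERNS:
            if re.match(pattern, line):
                findings.append(("removed", line.strip(), reason))
    if not smart_install_disabled(current):
        findings.append(("state", "no vstack", "Smart Install not explicitly disabled"))
    return findings


if __name__ == "__main__":
    for change, line, reason in audit_config(BASELINE_CONFIG, CURRENT_CONFIG):
        print(f"[{change:>7}] {line!r}: {reason}")
```

Run against the constructed pair, the audit reports the new `svc-backup` account, the `rw-admin` RW community, Telnet added to the VTY lines, the removed `no vstack` and `access-class`, and the resulting "not explicitly disabled" state for Smart Install. On a live device the same state check corresponds to `show vstack config`, and the fix on devices that do not need Smart Install is `no vstack`; where it must stay on, Cisco's 2018 advisory recommends restricting TCP 4786 to trusted hosts with an interface ACL.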
Berserk Bear
US authorities believe the group behind these intrusions is likely Berserk Bear, also known as Dragonfly, a cyber unit within Russia's Federal Security Service (FSB). Berserk Bear has a history of targeting networking devices, especially those running legacy protocols, and has previously used custom implants such as SYNful Knock, which is built to persist on compromised Cisco devices.
Cisco Talos researchers Sara McBroom and Brandon White note that Berserk Bear, which Talos tracks as Static Tundra, has been targeting Cisco products since at least 2015. They advise customers to patch CVE-2018-0171 promptly to prevent exploitation.
McBroom and White emphasized, “Customers should apply the patch immediately due to active exploitation of the vulnerability. Devices that are no longer supported and cannot receive the patch should implement additional security measures outlined in the 2018 security advisory. Unpatched devices with Smart Install enabled will remain vulnerable to attacks unless action is taken.”
The researchers also highlighted that Berserk Bear's activity is not limited to the US and the rest of North America: the group has targeted organizations in the higher education, manufacturing, and telecommunications sectors across Asia, Africa, and Europe, selecting victims based on their strategic importance to Russian geopolitical and intelligence objectives.
McBroom and White concluded, “Static Tundra’s main goals are to gather sensitive device configuration information for future operations and establish persistent access to networks to support long-term espionage aligned with Russian interests. Given the widespread use of Cisco network infrastructure globally, the group focuses on exploiting these devices and potentially developing tools to interact with and persist on them.”