It’s a sad state of Internet affairs when the US government must publish a US-CERT Alert about Russia targeting US entities through negligent network infrastructure misconfigurations.[1] In Alert TA18-106A, US-CERT discloses that since 2015, the US government, in partnership with the UK, has been receiving data from numerous sources that “large numbers” of enterprise-class and SOHO (small office/home office)/residential routers and switches worldwide have been compromised, and that the threat actors are indeed from the Russian military. The US-CERT alert was quick to point out that Russia “didn’t need to use zero-days or malware to exploit the devices.”
Too many organizations are worried about advanced persistent threat (APT) actors when the reality is, the majority of today’s attacks don’t require advanced tactics, techniques, or procedures to compromise a target.
In the case of misconfigured network infrastructure, the specific vulnerabilities exploited include:
- Use of legacy, unencrypted remote administration protocols (specifically Telnet, HTTP, and SNMP v1 or v2c)
- Lack of system hardening—most egregiously, the continued use of vendor default credentials
- Devices that are no longer supported with software upgrades or patches to remediate vulnerabilities, otherwise known as end-of-life (EOL).
These vulnerabilities are rampant across Internet-connected systems worldwide. This is yet another example of how widespread the problem of mismanaged and vulnerable systems on the Internet really is. Telnet, for example, a legacy protocol used for insecure (unencrypted) remote administration, happens to be the protocol of choice for remotely administering IoT devices. Consequently, it is also the primary protocol exploited by attackers to build massive and destructive “thingbots,” or botnets composed of IoT devices.
F5 Labs has been profiling this activity over the past two years in our Hunt for IoT research series, which leads us to question how many of the SOHO/residential routers and switches US-CERT is referring to are actually IoT devices that make up thingbots. Has the extent of Russia’s spying in this case intentionally spread into people’s homes, perhaps assisting in Russia’s targeted propaganda and election tampering efforts in the US? Or are these routers and switches simply swept up in Russia’s global Internet scans for open Telnet? It’s likely a mix of both. These devices will be discovered in Russia’s scans by virtue of Telnet being open. And even if a particular router isn’t routing the Internet traffic of a target of interest, Russia would likely maintain persistent access in case of future value, as US-CERT noted in its alert. Many thingbots have been created by exploiting Telnet. As we profiled in our latest IoT Hunt report, these thingbots haven’t attacked yet, so we don’t know their purpose. However, it’s not a stretch to think that one or more of them are owned and operated by Russian state-sponsored cyber actors and are currently just being used to spy and collect data.
System hardening is another required step before deploying a system online that is far too often overlooked. We could cite many cases proving this point, but let’s look at F5 Labs’ last two IoT hunt reports as evidence, simply because they include the top 50 most attacked admin credentials, most of which are vendor default credentials. This is the most direct evidence we’ve seen of the lack of system hardening, which should always include changing the vendor default credentials. In the first half of 2017, 96% of the top 50 most attacked admin credentials were vendor defaults. In the second half of 2017, the percentage of vendor default admin credentials in the top 50 attacked credential list did not change at all. These default admin credentials are on the top 50 most attacked list for a reason: because they work. The fact that attackers don’t have to change their methods proves this problem isn’t getting any better, and attackers continue to exploit systems with the same, easy tactics.
The EOL system issue is particularly concerning because this problem, just like in the remote administration and system hardening cases, is not unique to network infrastructure, either. It is rampant across endpoints (desktops and laptops) globally, and particularly in public infrastructure, heavy industry, manufacturing, shipping, and aviation production, all of which are prime targets for cyber-warfare attacks. Russia has been testing cyber-warfare tactics on Ukraine for years now. These types of blue-collar industries are often more focused on servicing their utility or producing their products than they are on implementing the latest “tech,” refreshing workstations every three years, or keeping up to date with monthly patches. They also find themselves with equipment that requires them to use old operating systems (OS) because that’s all the manufacturer offers. This problem has reared its head a lot in the past year through ransomware attacks like WannaCry and NotPetya, thanks to leaked exploits believed to have been created by the NSA (yes, every nation-state has offensive tactics) that target older Microsoft Windows operating systems, some of which are EOL. WannaCry, allegedly created by a nation-state (North Korea[2]) for offensive purposes, spread like wildfire through EOL Windows systems. It was responsible for billions of dollars in damage when it first spread in 2017; however, it’s still infecting businesses that are stuck in the position of not being able to patch because they have critical software programs or specialized equipment running on outdated, EOL operating systems. The NotPetya malware—which the CIA concluded was created by the Russian military[3] with the intent of compromising targets of interest in Ukraine—ended up spreading across the globe, infecting thousands of companies and causing billions of dollars in damage. One company alone, shipping giant A.P. Moller-Maersk, estimates its losses could be up to $300 million.[4]
Before we get into the recommendations the US-CERT offered to combat this problem, we should remind ourselves of what’s at stake:
- Nation-state espionage. Foreign adversaries spying on civilians, businesses, and government agencies to use for their advantage.
- Intellectual property theft. China’s current competitive advantage over the U.S. is due to decades of cyber-attacks against U.S. businesses, followed by intellectual property theft. It’s not surprising that Russia would follow in China’s footsteps.
- Physical damage to critical infrastructure to be used in cyber-warfare. Cyber-space is the new battleground, and it terminates at physical infrastructure that has the ability to cause catastrophic damage to people’s lives.
- Billions of dollars in damage.
Outside of what US-CERT warned about in its TA18-106A alert, the volume of breaches that happen on a regular basis around the world today is causing every online business to take an “assume breach” stance. So much data has been compromised that usernames and passwords should be treated as public information. Valid credentials harvested from data breaches give attackers one-to-many access to applications, since many people reuse usernames and passwords, which attackers then stuff into otherwise secure applications. If applications require security Q&A (challenge questions) as their form of multi-factor authentication from new devices, attackers can answer them in an automated fashion, given how much personal information they’ve collected on global citizens from breaches. The point is, the same vulnerabilities, tactics, techniques, and procedures are leveraged far and wide by all categories of threat actors, and the damage caused must be looked at comprehensively, because every vulnerable system on the Internet participates in exacerbating the global problem. Every breach brings us as Internet consumers closer together, but not in a good way. Now more than ever, our negligent Internet neighbors directly affect the confidentiality of our personal data and our business data, which includes that of customers and partners.
The US-CERT recommended the following four basic, 101-level security controls to address the misconfiguration errors outlined in this alert. It’s worth noting that these should apply to all systems touching the Internet, as has been true for decades, and for the most part, they don’t require any additional cost to implement.
- Don’t open insecure management ports to the entire Internet. If you have to use insecure protocols like Telnet, restrict access to a management network or put it behind a VPN.
- Don’t expose the management interface of any network device to the Internet.
- Instead of using insecure protocols like Telnet or legacy SNMP versions, opt for secure encrypted protocols like SSH.
- Harden all systems before deploying them in production, ensuring that vendor default passwords are always changed. Do not re-use passwords across multiple devices.
In addition to these core recommendations, the following tasks are also critically important:
- Set account lock-outs to prevent brute force attacks.
- Where possible, don’t use passwords. SSH keys are an easy way to get around the use of passwords when using SSH for administrative access to systems.
- Implement some form of multi-factor authentication (security Q&A is not adequate) that will prevent credentials harvested from another incident from being used to breach your system.
- Implement compensating controls in front of systems that can’t be patched, upgraded, or decommissioned.
- Ensure that external IP scans of your network looking for exposed administration ports are a continual part of your vulnerability discovery process.
- Require, test, and validate that your vendors have implemented the same controls.
- Ensure you have the proper visibility you need to detect intrusions. This includes proper detective controls that are actively monitoring and alerting, and adequate logging in order to conduct incident response.
- Train your employees regularly on the threats that impact all businesses, all global netizens, and your business specifically.
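The controls in both lists above, along with the vendor-default-credential point raised earlier, can be checked mechanically against a device’s running configuration. The following is an added example, not code from the alert or from F5 Labs: a small Python audit that flags Telnet on vty lines, the cleartext HTTP management server, SNMP v1/v2c community strings (well-known vendor defaults called out separately), plaintext admin passwords, and a missing failed-login lockout. It assumes Cisco IOS-style syntax and uses two constructed configs; the hashed secret is a placeholder.

```python
import re

# Constructed sample (not from the alert): vendor defaults plus legacy protocols.
WEAK_CONFIG = """\
username admin password cisco
ip http server
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 transport input telnet ssh
"""

# Constructed sample: the same device after the recommended controls (hash is a placeholder).
HARDENED_CONFIG = """\
username netops secret 9 PLACEHOLDER-HASH
login block-for 120 attempts 3 within 60
no ip http server
ip http secure-server
snmp-server group MONITOR v3 priv
line vty 0 4
 transport input ssh
 access-class MGMT-ONLY in
"""

DEFAULT_COMMUNITIES = {"public", "private"}  # well-known vendor defaults

def audit(config: str) -> list:
    """Return one finding per weak setting; an empty list means the config passed."""
    lines = [ln.strip() for ln in config.splitlines()]
    findings = []
    for line in lines:
        # Telnet (or 'all') on a vty line exposes cleartext remote administration.
        if line.startswith("transport input") and ("telnet" in line or line.endswith(" all")):
            findings.append("vty: Telnet permitted (%s)" % line)
        # 'ip http server' enables the unencrypted web management interface.
        if line == "ip http server":
            findings.append("http: cleartext management interface enabled")
        # Any 'snmp-server community' line is SNMP v1/v2c; flag vendor defaults separately.
        m = re.match(r"snmp-server community (\S+)", line)
        if m:
            kind = "default" if m.group(1) in DEFAULT_COMMUNITIES else "v1/v2c"
            findings.append("snmp: %s community '%s'" % (kind, m.group(1)))
        # 'username ... password' stores a reversible or plaintext password.
        m = re.match(r"username (\S+) password ", line)
        if m:
            findings.append("auth: plaintext password for user '%s'" % m.group(1))
    # Without a failed-login lockout, brute-force attempts go unthrottled.
    if not any(ln.startswith("login block-for") for ln in lines):
        findings.append("auth: no login lockout (login block-for) configured")
    return findings
```

Running `audit(WEAK_CONFIG)` yields six findings, one per control the alert calls for, while `audit(HARDENED_CONFIG)` returns an empty list.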