TESTIMONIALS

“Received the latest edition of Professional Security Magazine, once again a very enjoyable magazine to read, interesting content keeps me reading from front to back. Keep up the good work on such an informative magazine.”

Graham Penn
ALL TESTIMONIALS
FIND A BUSINESS

Would you like your business to be added to this list?

ADD LISTING
FEATURED COMPANY
Cyber

NCSC advice on vulnerable routers

by Mark Rowe

With partners the UK official National Cyber Security Centre (NCSC) – a part of the Government monitoring agency GCHQ – has published an advisory on the methods of Russia’s Federal Security Service (FSB) Centre 16 cyber actors. The NCSC says they are exploiting vulnerable routers and opportunistically targeting networks belonging to critical national infrastructure (CNI) globally.

In more detail, Centre 16, also known as Berserk Bear, Energetic Bear, Crouching Yeti, Dragonfly, Ghost Blizzard and Static Tundra, has been seen hunting for vulnerable routers by scanning the internet for devices that still use default or weak Simple Network Management Protocol (SNMP) passwords. Jonathon Ellison, NCSC Director of National Resilience, described the joint advisory as providing decisive, actionable directions from the global security community that network defenders should implement to protect against Russian Intelligence operations. He said: “The NCSC, alongside our international partners, have repeatedly exposed the advanced tools and coordinated campaigns of Russian cyber actors who persistently seek to exploit any vulnerability they encounter. I’d strongly encourage all organisations, especially those entrusted with UK critical networks, to adopt these recommended measures immediately, thereby reducing the risk of compromise.”

For the advisory in full visit the US CISA (Cybersecurity and Infrastructure Security Agency) website.

Comments

Graham Taylor CBE, Director Defence Strategy for Northern Europe at the platform OPSWAT, said: “Legacy Simple Network Management Protocol (SNMP) is often more prevalent in critical infrastructure environments because organisations operate long-lived OT and industrial equipment that may remain in service for 15–30 years, with some older network devices only supporting SNMPv1/v2c. Legacy SNMP versions rely on community strings for access control rather than the strong authentication and encryption mechanisms provided by SNMPv3. As highlighted by the NCSC, Russian threat actors scan the internet for devices using weak or default SNMP community strings and passwords to identify vulnerable routers.

“The NCSC advises critical infrastructure organisations to restrict access to management protocols through appropriate access controls. Beyond securing network management interfaces, organisations should ensure secure transfer of data both within and across OT to IT and air-gapped environments. Implementing secure file transfer technologies, together with file inspection and malware scanning, can help prevent malicious payloads from entering critical systems via trusted data exchanges.”

And Daniel dos Santos, Senior, Director, Head of Research at Forescout, said: “The new advisory is very relevant as we have been reporting increasing targeting of network infrastructure devices, such as routers, firewalls and VPN appliances for a few years. These devices accounted for 3pc of exploits we observed in 2022 but are now 19 per cent and they consistently appear as the riskiest device categories. What stands out as a distinctive technique in this advisory is the use of Simple Network Management Protocol (SNMP)scanning. Last year, we exposed industrial routers as honeypots to capture attacker behaviour and noticed that 97 per cent of interactions with the exposed devices were SNMP requests.

“Attackers are well aware of the weak points that can be exploited in these devices, therefore organizations need to ensure they follow the mitigation recommendations laid out in the advisory such as using newer versions with SNMP, employing strong authentication with unique passwords, restricting access to management protocols and using latest firmware versions to patch vulnerabilities. What the advisory does not detail, however, is that in order to apply these mitigations, organizations need to have a precise and continuously updated asset inventory. It’s not possible to patch a device or restrict access to it if you don’t first know that it is present on the network.”

Related News

  • Cyber

    Proactive defence a priority

    by Mark Rowe

    Devices at the network’s edge such as VPNs, gateways and border defensive technologies have become a top target for attackers, state sponsored…

  • Cyber

    FBI on cyber crimes

    by Mark Rowe

    Cyber-enabled crimes defrauded Americans of nearly $21 billion, according to the Internet Crime Complaint Center (IC3), part of the FBI, in an…

  • Cyber

    AI and online answers

    by Mark Rowe

    Kelly Gill, pictured, SVP and Chief Technology Officer at ASSA ABLOY Opening Solutions EMEIA, discusses the evolving threats posed by cyber criminals…