
FBI Warns FSB-Linked Hackers Exploiting Unpatched Cisco Devices for Cyber Espionage


Aug 20, 2025 | Ravie Lakshmanan | Cyber Espionage / Vulnerability

A Russian state-sponsored cyber espionage group known as Static Tundra has been observed actively exploiting a seven-year-old security flaw in Cisco IOS and Cisco IOS XE software in order to establish persistent access to target networks.

Cisco Talos, which disclosed details of the activity, said the attacks single out organizations in the telecommunications, higher education, and manufacturing sectors across North America, Asia, Africa, and Europe. Potential victims are selected based on their "strategic interest" to Russia, it added, with recent efforts directed against Ukraine and its allies following the onset of the Russo-Ukrainian war in 2022.

The vulnerability in question is CVE-2018-0171 (CVSS score: 9.8), a critical flaw in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software that could allow an unauthenticated, remote attacker to trigger a denial-of-service (DoS) condition or execute arbitrary code.

It's worth noting that the security defect has also likely been weaponized by the China-aligned Salt Typhoon (aka Operator Panda) actors as part of attacks targeting U.S. telecommunication providers in late 2024.

Static Tundra, per Talos, is assessed to be linked to the Federal Security Service's (FSB) Center 16 unit and has been operational for over a decade, with a focus on long-term intelligence gathering operations. It's believed to be a sub-cluster of another group that's tracked as Berserk Bear, Crouching Yeti, Dragonfly, Energetic Bear, and Havex.

The U.S. Federal Bureau of Investigation (FBI), in a concurrent advisory, said it has observed FSB cyber actors "exploiting Simple Network Management Protocol (SNMP) and end-of-life networking devices running an unpatched vulnerability (CVE-2018-0171) in Cisco Smart Install (SMI) to broadly target entities in the United States and globally."

In these attacks, the threat actors have been found collecting configuration files for thousands of networking devices associated with U.S. entities across critical infrastructure sectors. The activity is also characterized by the attackers modifying configuration files on vulnerable devices to facilitate unauthorized access.

The foothold is then abused to conduct reconnaissance within the victim networks, while simultaneously deploying custom tools like SYNful Knock, a router implant first reported by Mandiant in September 2015.

"SYNful Knock is a stealthy modification of the router's firmware image that can be used to maintain persistence within a victim's network," the threat intelligence firm said at the time. "It is customizable and modular in nature and thus can be updated once implanted."

Another noteworthy aspect of the attacks concerns the use of SNMP to send instructions to download a text file from a remote server and append it to the current running configuration, so as to allow for additional means of access to the network devices. Defense evasion is achieved by modifying the TACACS+ configuration on infected appliances to interfere with remote logging capabilities.

"Static Tundra likely uses publicly-available scan data from services such as Shodan or Censys to identify systems of interest," Talos researchers Sara McBroom and Brandon White said. "One of Static Tundra's primary activities on targets is to capture network traffic that could be of value from an intelligence perspective."

This is accomplished by setting up Generic Routing Encapsulation (GRE) tunnels that redirect traffic of interest to attacker-controlled infrastructure. The adversary has also been observed collecting and exfiltrating NetFlow data on compromised systems. The harvested data is exfiltrated via outbound TFTP or FTP connections.

Static Tundra's activities are primarily focused on unpatched, and often end-of-life, network devices, with the goal of establishing access on primary targets and facilitating secondary operations against related targets of interest. Upon gaining initial access, the threat actors burrow deeper into the environment and compromise additional network devices for long-term access and information gathering.

To mitigate the risk posed by the threat, Cisco is advising customers to apply the patch for CVE-2018-0171 or to disable Smart Install if patching is not an option.
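As an added example (not from the article, Talos, or Cisco), the following Python script audits a Cisco IOS running-config text for the conditions the campaign described above relies on: Smart Install left enabled (Cisco's `no vstack` command disables it), GRE tunnels and NetFlow exports pointing at addresses outside an allow-list, SNMP communities with write access, and remote logging absent. The config excerpt, the allow-list, and the `audit_ios_config` function are constructed for this example.

```python
import re
from typing import Dict, List, Set

# Constructed Cisco IOS running-config excerpt for this example (not from the article).
# It reproduces the states described in the article: Smart Install not disabled, a GRE
# tunnel and a NetFlow export both pointing outside the organisation, and an SNMP
# community with write access.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
snmp-server community public RO
snmp-server community private RW
interface Tunnel100
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.45
ip flow-export destination 203.0.113.45 2055
logging host 10.0.0.9
"""

# Collectors and tunnel peers the organisation legitimately talks to (assumed allow-list).
TRUSTED_HOSTS: Set[str] = {"10.0.0.9"}


def audit_ios_config(config: str, trusted: Set[str]) -> Dict[str, List[str]]:
    """Return findings keyed by indicator type for one running-config text."""
    lines = config.splitlines()
    findings: Dict[str, List[str]] = {}

    def add(key: str, detail: str) -> None:
        findings.setdefault(key, []).append(detail)

    # Smart Install (TCP/4786) stays reachable unless "no vstack" is present.
    if not any(ln.strip() == "no vstack" for ln in lines):
        add("smart_install_enabled", "'no vstack' missing")
    # Remote logging is what the attackers tamper with; its absence is itself a finding.
    if not any(ln.startswith("logging host ") for ln in lines):
        add("remote_logging_missing", "no 'logging host' configured")
    for ln in lines:
        # GRE is the default tunnel mode in IOS, so any Tunnel destination outside the
        # allow-list counts, even without an explicit "tunnel mode" line.
        m = re.match(r"\s*tunnel destination (\S+)", ln)
        if m and m.group(1) not in trusted:
            add("gre_tunnel_untrusted_dest", m.group(1))
        m = re.match(r"ip flow-export destination (\S+)", ln)  # NetFlow collector
        if m and m.group(1) not in trusted:
            add("netflow_export_untrusted_dest", m.group(1))
        m = re.match(r"snmp-server community (\S+) RW\b", ln)  # write-capable SNMP
        if m:
            add("snmp_rw_community", m.group(1))
    return findings


if __name__ == "__main__":
    for key, details in audit_ios_config(SAMPLE_CONFIG, TRUSTED_HOSTS).items():
        print(f"{key}: {', '.join(details)}")
```

Run it against the output of `show running-config` saved to a file; an empty result for a device that should have Smart Install disabled means the `no vstack` line is present and no untrusted tunnel or export destination was found.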

"The purpose of this campaign is to compromise and extract device configuration information en masse, which can later be leveraged as needed based on then-current strategic goals and interests of the Russian government," Talos said. "This is demonstrated by Static Tundra's adaptation and shifts in operational focus as Russia's priorities have changed over time."
