After a summer of high-profile attacks and disclosures centered around enterprise network infrastructure, the Department of Homeland Security on Tuesday put out an alert explaining some of the tactics used by advanced attackers, and urged special caution in maintaining supply chain integrity.
The warning to network operators, in particular aimed at those managing Cisco gear, comes on the heels of the ShadowBrokers dump of Equation Group exploits, previously unreported attacks in June against ASA, and last September’s SYNful Knock attacks.
The general theme of the alert, however, is a heads-up that networking gear such as routers and firewalls can no longer be treated as set-and-forget equipment, since that mentality is exactly what advanced attackers count on and exploit.
“Unlike hosts that receive significant administrative security attention and for which security tools such as anti-malware exist, network devices are often working in the background with little oversight—until network connectivity is broken or diminished,” the alert says.
Networking gear is targeted because it’s often a soft spot that can be used to quietly pivot about, launch new attacks and maintain a presence on the device.
“Once on the device, they can remain there undetected for long periods,” the alert says. “After an incident, where administrators and security professionals perform forensic analysis and recover control, a malicious cyber actor with persistent access on network devices can re-attack the recently cleaned hosts. For this reason, administrators need to ensure proper configuration and control of network devices.”
DHS also warned network managers to be vigilant about supply chain channels, including secondary, or “grey” markets. The concern is that products sold through secondary markets aren’t closely vetted and are more likely to be breached.
“Breaches in the supply chain provide an opportunity for malicious software or hardware to be installed on the equipment,” the alert says. “In addition, unauthorized or malicious software can be loaded onto a device after it is in operational use, so integrity checking of software should be done on a regular basis.”
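The alert's recommendation to check software integrity on a regular basis, as an added illustration that is not from the alert or from any vendor: a small audit that compares the digests of images exported from device flash against a vendor-published manifest and against the previous run's baseline, so that a tampered image, an image of unknown provenance, and silent re-imaging each surface as a distinct finding. Image names, contents and manifest digests are constructed for the example.

```python
import hashlib
import hmac

# Constructed stand-ins for firmware image files exported from device flash
# (byte strings here; in practice, read the files you pulled off the box).
IMAGES = {
    "router-os-v1.bin": b"vendor-built image v1",
    "router-os-v1-modified.bin": b"vendor-built image v1" + b"\x00implant",
    "grey-market-os.bin": b"image of unknown provenance",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "vendor manifest": the digests a vendor would publish for each
# image. The modified image is listed under its untampered digest; the
# grey-market image is not listed at all.
VENDOR_MANIFEST = {
    "router-os-v1.bin": sha256_hex(b"vendor-built image v1"),
    "router-os-v1-modified.bin": sha256_hex(b"vendor-built image v1"),
}


def check_image(name: str, data: bytes, manifest: dict) -> str:
    """Classify one image: OK, MISMATCH (tampered or wrong build), UNKNOWN (no vendor digest)."""
    expected = manifest.get(name)
    if expected is None:
        return "UNKNOWN"
    # Constant-time comparison is habit rather than necessity for hex digests.
    return "OK" if hmac.compare_digest(sha256_hex(data), expected) else "MISMATCH"


def audit(images: dict, manifest: dict) -> dict:
    """Run the check over every exported image; anything not OK needs a human look."""
    return {name: check_image(name, data, manifest) for name, data in images.items()}


def drift(previous: dict, current: dict) -> list:
    """Compare this run's digests with the stored baseline; changed or new names are drift."""
    return sorted(n for n, d in current.items() if previous.get(n) != d)


if __name__ == "__main__":
    for name, verdict in audit(IMAGES, VENDOR_MANIFEST).items():
        print(f"{verdict:8} {name}")
    baseline = {n: sha256_hex(d) for n, d in IMAGES.items()}  # stored after first run
    current = dict(baseline)
    current["router-os-v1.bin"] = sha256_hex(b"someone re-imaged this box")  # constructed
    print("drift since baseline:", drift(baseline, current))
```

Schedule the audit and keep the baseline off the device itself, since a device that has been re-imaged cannot be trusted to report its own state.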
The alert warns too that attackers aren’t necessarily coming armed with zero-day exploits for unreported vulnerabilities. In the case of SYNful Knock, for example, attackers were able to change operating system images on routers, allowing for long-term persistence on a network just by using a crafted TCP SYN packet to establish a backdoor between the compromised router and the attacker’s server.
Weak or default credentials are generally to blame for the initial infection, and sub-par configuration of the devices allows attackers to re-image the router.
Starting in June, attacks against Cisco ASA firewall and VPN appliances were reported to the National Cybersecurity and Communications Integration Center. ASA appliances were targeted and modified, and traffic redirected to attacker-controlled sites where users were tricked into giving up their credentials.
“It is suspected that malicious actors leveraged CVE-2014-3393 to inject malicious code into the affected devices,” the alert says. “The malicious actor would then be able to modify the contents of the Random Access Memory Filing System (RAMFS) cache file system and inject the malicious code into the appliance’s configuration.”
Two months later, the ShadowBrokers dump of alleged NSA exploits against Cisco, Juniper, WatchGuard, Fortinet and TOPSEC gear surfaced online, prompting the affected vendors to respond with patches and advice for network managers. Cisco ASA was a favorite target of the Equation Group, aka NSA, which apparently had exploits for ASA software dating back to 2011. One ASA SNMP zero-day was in the data dump and was promptly patched by Cisco, but the availability of the exploits, DHS cautions, could make these boxes targets for years to come.
The DHS alert offers a bevy of mitigation advice, which includes network segregation, air-gapping of sensitive machines, limiting machine-to-machine communication, improved secure configurations for network devices and secure access to devices that includes multifactor authentication.