U.S. and UK cybersecurity authorities have issued a warning of another campaign by Russian state-sponsored hackers to target network infrastructure. Targets of the alleged Russian attacks are infrastructure devices at all levels, including routers, switches, firewalls, network intrusion detection systems and other devices supporting network operations. Once they gain access, hackers masquerade as privileged users and are able to modify the devices so they can copy or redirect traffic to Russian infrastructure.
It appears the Russian intrusions into US/UK networks were relatively easy to accomplish and fairly hard to detect. Why? Because many networks have weak security, rely on legacy protocols, and leave open service ports intended only for administration purposes.
Obviously, software updates and patches should be applied as soon as they’re available. Infrastructure equipment that can’t be updated should be replaced with equipment for which updates are available and which will be supported for a reasonable lifetime.
The US/UK cybersecurity agencies included a list of tips for potential attack targets, which means nearly any organization with a network:
- Don’t allow unencrypted management protocols, such as Telnet, to enter your organization from the internet. If SSH, HTTPS or TLS encryption is not possible, use a VPN.
- Do not allow internet access to the management interface of any network device. You should allow access from inside the network only from a white-listed device.
- Disable unencrypted protocols such as Telnet or SNMP v1 or v2. Retire legacy devices that cannot be configured with SNMP v3.
- Immediately change default passwords and enforce a strong password policy.
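As an added example (not from the alert or this article), a small Python audit that reads a constructed Cisco IOS-style running-config and flags the weak settings the four tips address, shown next to the hardened form of the same device; the IOS syntax, the ACL name MGMT-HOSTS and the SNMPv3 group name OPS are assumptions for illustration, since the alert itself is vendor-neutral.

```python
import re

# Constructed running-config in Cisco IOS style. Assumption: the alert is
# vendor-neutral; this syntax is used only for illustration.
WEAK_CONFIG = """\
ip http server
no ip http secure-server
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 transport input telnet ssh
 login local
"""

# The same device with the four tips applied (assumed ACL name MGMT-HOSTS).
HARDENED_CONFIG = """\
no ip http server
ip http secure-server
snmp-server group OPS v3 priv
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 login local
"""

def audit_config(text):
    """Map weak lines of a running-config to the alert's four hardening tips."""
    findings, in_vty, has_acl = [], False, False
    for line in text.splitlines():
        # Tips 1 and 3: cleartext Telnet accepted on the terminal lines.
        m = re.match(r"\s*transport input (.+)", line)
        if m and "telnet" in m.group(1).split():
            findings.append("telnet: cleartext Telnet enabled on vty lines")
        # Tips 3 and 4: v1/v2c communities travel in cleartext; 'public'/'private' are vendor defaults.
        m = re.match(r"snmp-server community (\S+)", line)
        if m:
            kind = "default" if m.group(1) in ("public", "private") else "v1/v2c"
            findings.append(f"snmp: {kind} community string '{m.group(1)}' configured")
        # Tip 2: management reachable over plaintext HTTP or from any source address.
        if line.startswith("ip http server"):
            findings.append("http: plaintext HTTP management server enabled")
        if line.startswith("line vty"):
            in_vty = True
        elif in_vty and line.startswith(" access-class"):
            has_acl = True
        elif in_vty and not line.startswith(" "):
            in_vty = False
    if not has_acl:
        findings.append("vty: no access-class restricting management sources")
    return findings
```

Running `audit_config(WEAK_CONFIG)` yields five findings, while the hardened config yields none; a device with no SNMP community lines but only an SNMPv3 group is treated as compliant with the SNMP tip.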