FSB-linked hackers, part of the Russian cyber espionage group Static Tundra, exploit a Cisco vulnerability to access critical networks worldwide. This group targets sectors across North America, Europe, Africa, and Asia. They mainly focus on unpatched Cisco devices running Cisco IOS and Cisco IOS XE software.
Exploiting the Cisco Vulnerability CVE-2018-0171
The CVE-2018-0171 vulnerability affects Cisco’s Smart Install feature. It allows attackers to execute arbitrary code or cause denial-of-service conditions. Despite being seven years old, the flaw remains widely exploited. FSB-linked hackers are among those actively using it.
To reduce the risk, Cisco recommends applying patches for this vulnerability or disabling Smart Install entirely.
Targeting U.S. Critical Infrastructure
The FBI reported that the FSB hackers are exploiting this vulnerability to target U.S. critical infrastructure. The hackers collect configuration files and modify device settings. They also deploy tools like SYNful Knock, a router implant, to ensure persistent access.
Global Reach of the Cisco Vulnerability
These hackers also target telecommunications, higher education, and manufacturing sectors worldwide. By using services like Shodan and Censys, they find vulnerable systems. They then set up GRE tunnels and exfiltrate NetFlow data from compromised devices.
Recommendations and Mitigation Steps
Cisco urges customers to patch CVE-2018-0171 or disable Smart Install if patching is not feasible. The ongoing exploitation highlights the importance of keeping network devices up to date and secure.
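As an added example (not from Cisco or this article), the following Python audit reads the text of an IOS running-config and flags the three conditions the article describes: Smart Install left enabled, GRE tunnel interfaces, and NetFlow export to a collector outside a defender-supplied allowlist. The "no vstack" command and the default GRE tunnel mode are Cisco IOS behaviour; the sample config, the Tunnel9 interface, its addresses and the allowlist are constructed.

```python
import re
# Constructed sample running-config; not taken from any real device.
SAMPLE_CONFIG = """\
ip flow-export destination 10.0.5.20 9996
ip flow-export destination 203.0.113.77 2055
!
interface Tunnel9
 ip address 172.16.99.1 255.255.255.252
 tunnel source GigabitEthernet1/0/1
 tunnel destination 198.51.100.9
 tunnel mode gre ip
!
end
"""

def smart_install_disabled(config: str) -> bool:
    """Smart Install is off only when 'no vstack' is present at global scope."""
    return any(line.strip() == "no vstack" for line in config.splitlines())

def tunnel_interfaces(config: str) -> list:
    """Each Tunnel interface with its destination and mode (IOS default mode is GRE)."""
    tunnels, current = [], None
    for line in config.splitlines():
        if line.startswith("interface "):
            name = line.split(None, 1)[1]
            current = {"name": name, "destination": None, "mode": "gre ip"} if name.startswith("Tunnel") else None
            if current:
                tunnels.append(current)
        elif current and line.startswith(" "):
            words = line.split()
            if words[:2] == ["tunnel", "destination"]:
                current["destination"] = words[2]
            elif words[:2] == ["tunnel", "mode"]:
                current["mode"] = " ".join(words[2:])
        else:
            current = None  # '!' or any other global line ends the interface block
    return tunnels

def unapproved_flow_exporters(config: str, allowed: set) -> list:
    """NetFlow export destinations not on the defender's collector allowlist."""
    return [ip for ip in re.findall(r"^ip flow-export destination (\S+)", config, re.M) if ip not in allowed]

def audit(config: str, allowed_collectors: set) -> list:
    findings = []
    if not smart_install_disabled(config):
        findings.append("Smart Install not disabled ('no vstack' missing): patch CVE-2018-0171 or disable it")
    findings += [f"GRE tunnel {t['name']} to {t['destination']}: confirm it is authorised"
                 for t in tunnel_interfaces(config) if t["mode"].startswith("gre")]
    findings += [f"NetFlow exported to unapproved collector {ip}" for ip in unapproved_flow_exporters(config, allowed_collectors)]
    return findings
```

Feed it the saved output of show running-config from each device; an empty result means none of the three conditions was found.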
Conclusion
The ongoing exploitation of the Cisco vulnerability by FSB hackers shows how vital it is to secure critical infrastructure. Keeping devices updated is essential to prevent cyber espionage.