- NSA, FBI, CISA and 15 Allied Agencies Warn Russia’s FSB Center 16 Exploiting Weak/Standard Information and Legacy Cisco Flaws to Compromise Critical Infrastructure Devices
- Advisory highlights CVE-2018-0171 (Smart Install DoS/RCE) and CVE-2008-412813 (CSRF in Cisco IOS 12.4) as examples of vulnerabilities that are still being exploited
- TTPs overlap Chinese groups, but attribution points to Russian actors such as Berserk Bear and Energetic Bear; full IoCs and countermeasures were published in the joint advisory
Russian state-sponsored threat actors are constantly targeting compromised and misconfigured network devices belonging to critical infrastructure providers around the world, a joint security advisory issued by the US National Security Agency (NSA) and more than a dozen other agencies has warned.
According to the guidance, hackers working for the Russian Federal Security Service (FSB) Center 16 are constantly scanning for routers and other Internet-connected devices that can be accessed with “ordinary or standard” login credentials.
Once found, these devices are instructed to copy device configuration files and later exfiltrate them via the Trivial File Transfer Protocol to servers under their control.
Berserk Bear and Salt Typhoon
In cases where standard or weak credentials don’t work, threat actors also try to exploit vulnerabilities. In the advisory, the agencies specifically cited two flaws in Cisco devices — CVE-2018-0171 and CVE-2008-412813. The former is an eight-year-old flaw in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software that allows an unauthorized remote attacker to cause a denial of service (DoS) condition or execute arbitrary code.
The latter is an even older (18 years old) set of multiple cross-site request forgery (CSRF) vulnerabilities in the HTTP management component of Cisco IOS 12.4 on the 871 Integrated Services Router that allow remote attackers to execute arbitrary commands.
Although many of these tactics, techniques and procedures (TTP) overlap with Chinese hackers Salt Typhoon, the agencies suggested they focus primarily on Russian hackers known as Berserk Bear, Energetic Bear, Crouching Yeti, Dragonfly, Ghost Blizzard or Static Tundra.
The joint advisory is co-authored by the NSA, FBI and CISA, as well as 15 other agencies from Australia, the UK, Canada, New Zealand, Estonia, Finland, France and Italy.

The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds.



