FBI and Cisco warn of hackers exploiting seven-year-old Cisco vulnerability
Take action: If you have Cisco network devices that have not been patched since 2018, first - SHAME ON YOU. Make sure to isolate them from internet access and restrict them to trusted internal networks only until you can patch. Then either patch ASAP or replace the unpatched equipment. Or just wait for the attackers to find the devices and hack them.
The FBI and Cisco Talos are warning about an ongoing campaign by a group tracked as Static Tundra.
The campaign exploits a critical vulnerability tracked as CVE-2018-0171 (CVSS score 9.8) that affects the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software. It allows an unauthenticated, remote attacker to trigger a denial-of-service condition or execute arbitrary code on affected devices.
Cisco released patches for this vulnerability in March 2018, but thousands of organizations continue to operate unpatched and often end-of-life network devices that remain vulnerable to this flaw.
The FBI detected Static Tundra collecting configuration files for thousands of networking devices associated with US entities across critical infrastructure sectors. The threat actors are very persistent and can maintain undetected access to compromised systems for multiple years.
The group's primary goal is to steal data and establish persistent access to systems. The group likely uses publicly available scan data from services such as Shodan or Censys to select its targets. Once initial access is gained through the Smart Install vulnerability, the attackers issue commands to modify running configurations and enable local TFTP servers, allowing them to retrieve startup configurations that often contain credentials and SNMP community strings for further exploitation.
Users of Cisco devices that have remained unpatched since March 2018 should either patch them ASAP or replace them. At minimum, these devices should be isolated from the internet and accessible only from trusted networks.