10 May: Own the Router, Own the Traffic – Australian firms targeted by Russian state hackers
How resilient is your network security? Following recent tensions between Russia and a number of NATO member countries, Russian state-sponsored cyber actors have begun targeting network infrastructure devices belonging to governments and organisations of countries such as the US, UK and Australia.
The U.K. and the U.S. have blamed Russian hackers for a campaign aimed at taking control of routers inside government, critical infrastructure, internet service providers and within small and home offices. The warning came in a joint announcement from British intelligence, the National Security Council (NSC), the DHS and the FBI.
Specifically, these attacks are targeting devices such as Wide Area Network (WAN) routers that tend to reside on the external, Internet-facing side of firewalls.
But how? In order to infiltrate these devices, hackers are using compromised routers to conduct spoofing (i.e., man-in-the-middle) activity to support espionage, extract intellectual property, maintain persistent access to victim networks, and potentially lay a foundation for future offensive operations.
So, if such major organisations are being proven to be vulnerable, this then raises the question ‘how can I ensure my small-scale business data is protected?’ To answer this question, let’s first take a look at some common network security vulnerabilities.
Network devices such as external routers are easy targets, so if not correctly secured and hardened, they can provide attackers with an excellent point at which they can access your data. Once installed, many network devices are not maintained at the same security level as other general-purpose desktops and servers. In addition to this, the following factors can also contribute to the vulnerability of network devices:
- Few network devices (especially SOHO and residential-class routers) are subject to the same level of integrity maintenance as devices located at head office; these maintenance activities would include regular patching and software updates.
- Manufacturers build and distribute these network devices with exploitable services, which are enabled for ease of installation, operation, and maintenance.
- Owners and operators of network devices do not change vendor default settings or security harden them for operations.
- ISPs do not replace equipment on a customer’s property when that equipment is no longer supported by the manufacturer or vendor.
- Owners and operators often overlook network devices when they investigate, examine for intruders, and restore general-purpose hosts after cyber intrusions.
So how can you protect your business?
Protecting your business from hackers and malicious attacks doesn't need to be stressful or even costly. In order to protect your data and safeguard your networks, our team recommends some general mitigation techniques that can be employed to ensure your external devices, such as Internet routers, are correctly hardened and not an easy target.
- Do not allow unencrypted plaintext management protocols (e.g. Telnet) to enter an organization from the Internet. When encrypted protocols such as SSH, HTTPS, or TLS are not possible, management activities from outside the organization should be done through an encrypted Virtual Private Network (VPN) where both ends are mutually authenticated.
- Do not allow Internet access to the management interface of any network device. The best practice is to block Internet-sourced access to the device management interface and restrict device management to an internal trusted and whitelisted host or LAN. If access to the management interface cannot be restricted to an internal trusted network, restrict remote management access via encrypted VPN capability where both ends are mutually authenticated. Whitelist the network or host from which the VPN connection is allowed and deny all others.
- Disable legacy unencrypted protocols such as Telnet and SNMPv1 or v2c. Where possible, use modern encrypted protocols such as SSHv2 and SNMPv3. Harden the encrypted protocols based on current best security practice. Where possible, replace legacy devices that cannot be configured to use modern protocols.
- Immediately change default passwords and enforce a strong password policy. Do not reuse the same password across multiple devices. Where possible, avoid legacy password-based authentication, and implement two-factor authentication based on public-private keys.
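The four mitigations above can be checked against a saved router configuration before the device is exposed. The following is an added example, not Cube Cyber's scanner or any vendor tool: it audits a constructed Cisco IOS-style configuration (the vendor syntax is an assumption; the page names none) for the Telnet, plaintext HTTP, SNMPv1/v2c, unrestricted-management and default-password gaps listed above, and returns an empty list for a hardened configuration.

```python
import re

# Constructed sample configs in Cisco IOS style (assumed syntax, not from the page).
WEAK_CONFIG = """
hostname edge-router
snmp-server community public RO
ip http server
line vty 0 4
 transport input telnet ssh
 password cisco
 login
"""

HARDENED_CONFIG = """
hostname edge-router
no ip http server
ip http secure-server
ip ssh version 2
snmp-server group OPS v3 priv
access-list 10 permit 10.0.0.5
line vty 0 4
 access-class 10 in
 transport input ssh
 login local
"""

def audit_config(config: str) -> list[str]:
    """Return hardening gaps found in an IOS-style config, one finding per string."""
    lines = [line.strip() for line in config.splitlines()]
    text = "\n".join(lines)
    findings = []
    # Mitigation 1/3: plaintext management protocols reachable on the device.
    if re.search(r"^transport input .*\btelnet\b", text, re.M):
        findings.append("Telnet enabled on vty lines: use 'transport input ssh' only")
    if re.search(r"^ip http server$", text, re.M):
        findings.append("Plaintext HTTP management enabled: disable it, use HTTPS only")
    # Mitigation 3: SNMPv1/v2c community strings (SNMPv3 uses groups/users instead).
    for match in re.finditer(r"^snmp-server community (\S+)", text, re.M):
        findings.append(f"SNMPv1/v2c community '{match.group(1)}': migrate to SNMPv3")
    if "ip ssh version 2" not in lines:
        findings.append("SSHv2 not enforced: add 'ip ssh version 2'")
    # Mitigation 2: management lines without a whitelisted source restriction.
    if re.search(r"^line vty", text, re.M) and not re.search(r"^access-class \S+ in", text, re.M):
        findings.append("No access-class on vty lines: restrict management to a trusted host/LAN")
    # Mitigation 4: default or vendor-style passwords left in the configuration.
    if re.search(r"^(enable )?password (cisco|admin|password)$", text, re.M):
        findings.append("Default-style password present: change it and prefer key-based auth")
    return findings
```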
As an initial step, the team at Cube Cyber can remotely scan your external network infrastructure to ensure a basic level of security is in place and insecure protocols and services are identified where in use. We will also recommend ways to secure and harden your external infrastructure to ensure your business assets are protected and your peace of mind restored.