A Russian state-sponsored cyber espionage group known as Static Tundra has been observed actively exploiting a seven-year-old security flaw in Cisco IOS and Cisco IOS XE software as a means to establish persistent access to target networks.
Cisco Talos, which disclosed details of the activity, said the attacks single out organizations in telecommunications, higher education and manufacturing sectors across North America, Asia, Africa and Europe. Prospective victims are chosen based on their “strategic interest” to Russia, it added, with recent efforts directed against Ukraine and its allies following the onset of the Russo-Ukrainian war in 2022.
The vulnerability in question is CVE-2018-0171 (CVSS score: 9.8), a critical flaw in the Smart Install feature of Cisco IOS Software and Cisco IOS XE software that could allow an unauthenticated, remote attacker to trigger a denial-of-service (DoS) condition or execute arbitrary code.
It’s worth noting that the security defect has also been likely weaponized by the China-aligned Salt Typhoon (aka Operator Panda) actors as part of attacks targeting U.S. telecommunication providers in late 2024.
Static Tundra, per Talos, is assessed to be linked to the Federal Security Service’s (FSB) Center 16 unit and operational for over a decade, with a focus on long-term intelligence gathering operations. It’s believed to be a sub-cluster of another group that’s tracked as Berserk Bear, Crouching Yeti, Dragonfly, Energetic Bear, and Havex.
The U.S. Federal Bureau of Investigation (FBI), in a concurrent advisory, said it has observed FSB cyber actors “exploiting Simple Network Management Protocol (SNMP) and end-of-life networking devices running an unpatched vulnerability (CVE-2018-0171) in Cisco Smart Install (SMI) to broadly target entities in the United States and globally.”
In these attacks, the threat actors have been found collecting configuration files for thousands of networking devices associated with U.S. entities across critical infrastructure sectors. The activity is also characterized by the attackers modifying configuration files on susceptible devices to facilitate unauthorized access.
The foothold is then abused to conduct reconnaissance within the victim networks, while simultaneously deploying custom tools like SYNful Knock, a router implant first reported by Mandiant in September 2015.
“SYNful Knock is a stealthy modification of the router’s firmware image that can be used to maintain persistence within a victim’s network,” the threat intelligence firm said at the time. “It is customizable and modular in nature and thus can be updated once implanted.”
Another noteworthy aspect of the attacks concerns the use of SNMP to send instructions to download a text file from a remote server and append it to the current running configuration so as to allow for additional means of access to the network devices. Defense evasion is achieved…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
