The UK’s National Cyber Security Centre (NCSC) and the US Cybersecurity and Infrastructure Security Agency (CISA) issued an alert on nation-state sponsored exploitation of router infrastructure.
The “UK and US issue warning about APT28 actors exploiting poorly maintained Cisco routers” alert called out SNMP public exposure and one vulnerability in particular, CVE-2017-6742, a long-known “remote code execution” vulnerability affecting certain Cisco routers. Bad actors who find a device exposed to this vulnerability can use it to execute any piece of code they choose. You can read more details here.
This alert is a timely reminder for all with unpatched equipment to think broadly!
Don’t just consider your computer when patching – remember any device in your network (including your router) that connects to the Internet should be checked with a view to patching if a patch is available. If you fail to do this you are leaving yourself and your network’s users potentially vulnerable.
In this case good advice is available from Cisco themselves, who have even provided a software checker (at the link above) to see whether your version of software is impacted.
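As an added illustration, not taken from the original post or from Cisco's advisory, the configuration below shows what “SNMP public exposure” commonly looks like on a Cisco IOS router, beside a hardened equivalent that removes the well-known community string, limits SNMP to named management hosts and moves polling to SNMPv3 with authentication and encryption. The access list names, management addresses, view and group names, user name, interface name and passphrase placeholders are all assumptions.

```cisco
! --- Weak: a well-known read-only community string, no access list,
! --- reachable from every interface, including the Internet-facing one.
snmp-server community public RO

! --- Hardened equivalent ---
! 1. Remove the well-known community string entirely.
no snmp-server community public

! 2. Permit SNMP only from the management stations
!    (192.0.2.10 and 192.0.2.11 are constructed example addresses).
ip access-list standard SNMP-MGMT
 permit 192.0.2.10
 permit 192.0.2.11
 deny   any log

! 3. Replace v1/v2c communities with SNMPv3 (auth + priv), bound to the
!    access list above and restricted to a read-only view.
snmp-server view MGMT-VIEW iso included
snmp-server group MGMT-GROUP v3 priv read MGMT-VIEW access SNMP-MGMT
snmp-server user nms-poller MGMT-GROUP v3 auth sha <AUTH-PASSPHRASE> priv aes 128 <PRIV-PASSPHRASE>

! 4. Also drop SNMP at the Internet edge so that an inside misconfiguration
!    is never reachable from outside (interface name is an assumption).
ip access-list extended EDGE-IN
 deny   udp any any eq snmp
 deny   udp any any eq snmptrap
 permit ip any any
interface GigabitEthernet0/0
 ip access-group EDGE-IN in
```

Restricting who can reach SNMP reduces exposure but does not remove the vulnerable code from the device, so this complements upgrading to a fixed IOS release rather than replacing it.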
This reporting reminds us that just because a CVE is old, it does not mean attackers will not try to exploit it if they can find it present on a system (be they nation state, criminal or both). In short – vulnerable devices remain so until the owner/operator changes the situation. Vulnerabilities simply do not ‘age off’, rather they just add to the attackers’ available arsenal if left unaddressed.
Whilst we do not scan the Internet for this specific vulnerability at present, our dashboard does give a feel for how many exposed SNMP devices are out there.
We are also able to see the distribution of Cisco devices (not just those with SNMP exposure) that are out there.
We share IP level data (filtered by your network/constituency) on the above in our Open SNMP and Device Identification reports.
You can also view the list of CVEs that we see being systematically exploited on our dashboard as well as lists of compromised device types that are spreading attacks.
We encourage you to follow the UK NCSC’s clear heightened threat guidance published shortly before Russia’s invasion of Ukraine last year. The guidance includes suggested actions to ensure basic cyber hygiene, including a recommendation to “check your Internet footprint” by performing “an external vulnerability scan of your whole Internet footprint and check that everything you need to patch is patched.” This is all sound advice and we would endorse it as good practice.
Also – remember that in addition to providing free country-level data to the National CSIRTs of 175 countries globally, Shadowserver also provides more than 7,000 subscribers with free daily threat reports directly. These can help network owners identify potential vulnerabilities in their network as a part of our continuing mission to raise the bar of baseline cyber security globally.
If you own a network and would like to receive Shadowserver’s free daily network threat reports, you can subscribe here.
If you like what we do and want to join the growing Shadowserver Alliance – please feel free to explore the options here.
Making a sound base level of cyber security awareness available for free to ALL, so that those who need it most are not disadvantaged, benefits ALL who rely on the Internet. You may want to review those who demonstrate they understand this by funding our altruistic mission. We thank them all and ask you to do the same.