Posted September 24, 2015
By Michael Perry and Val Vask
In the aftermath of Cisco’s announcement that several discontinued Integrated Service Routers (ISRs) have been compromised, Cyveillance recommends a thorough screening of networking infrastructure and policy. The impacted models — 1841, 2811, and 3825 — are what Cisco calls “branch routers.” These routers are specifically responsible for addressing the needs of small to medium-sized businesses (SMBs) and serve as gateways to the business owner’s network.
In response to this compromise, Cisco produced a series of articles on how to detect, mitigate, and harden their routers — which can be a time-consuming and expensive process. Further complicating matters, Cisco announced that hardware support for each of these devices will end in about a month. This means responsibility for oversight and management of branch routers will fall solely on SMB owners who don’t have the staffing or resources to prevent and mitigate future attacks.
The debate continues over whether the malicious actors that compromised the routers stole or social engineered their way to obtain valid credentials. One plausible theory suggests that the attackers compromised already-vulnerable routers containing default administrator passwords.
Similarly, security researchers are debating over the origin of the compromise, and its possible state-sponsored connection. Some cyber experts who reviewed this breach quickly attributed the attacks to state-sponsored activity and described the compromise with various other attention-gathering phrases.
Though we cannot completely rule out state-sponsored involvement, we do find it highly unlikely that a state-sponsored actor targeted outdated and obsolete routers that serve SMBs as part of a master plan to exfiltrate sensitive or secret data from classified government networks. This is especially due to the fact that these attacks mostly targeted vulnerable branch routers ill-equipped to handle traffic from big government or corporate systems. Rather, those responsible for the vulnerability seemed to have pursued targets of opportunity that lacked a proper security framework.
Branch routers typically serve SMBs that lack robust IT support or security teams. It makes sense that these routers were compromised through simple vulnerabilities since usually one person manages the routers and servers of their SMB network. SMBs frequently cut costs on security by purchasing cheap and/or obsolete hardware, and rarely invest in security that is adequately proportionate to the confidentiality, integrity, and availability of their data.
The broad distribution of exploited ISRs across the globe further indicates the compromised routers were targeted for their vulnerabilities and not for placement and access to specific or sensitive intelligence. The odd router from Lesotho or Togo, which are outliers, may serve as a ruse for the actual targeting of government or corporate systems. We understand that government systems may still use outdated software and obsolete hardware; however, there’s more critical information in networks connected to more up-to-date routers capable of handling large volumes of traffic.
Malicious actors often exploit outdated components. Continued use of these ISR models exposes networks to costly data breaches or possible business stoppages due to failed hardware, and a cost-benefit analysis may show that a hardware upgrade is a more prudent approach than attempting to work with a compromised legacy component. The potential loss of sensitive proprietary data further highlights the total cost and inherent risk in the continued use of these routers.
The compromised routers may affect your business if it supports SMBs that use outdated routers configured with default credentials, but will not impact larger organizations with more stringent hardware and software standards. SMBs are encouraged to review their security budgets and policies on purchasing inexpensive and/or obsolete hardware. Cyveillance recommends SMBs invest in a security posture that is adequately proportionate to the confidentiality, integrity, and availability of their data.
In order to stay ahead of future threats, we have outlined some best practices for securing your router.
- Ensure routers are up-to-date and supported by their manufacturer
- Follow router “hardening” procedures to include configuring devices from their factory settings and changing default credentials (e.g. admin login names and passwords)
- Require continuing education and security awareness training fro IT staff
- Implement weekly to monthly vulnerability scans for all hardware and software components in your organization’s networked infrastructure
- Enterprise management should only purchase hardware through primary source vendors (i.e. from the original manufacturer or from reputable resellers) and avoid buying repurposed or refurbished items that already may lack the technical support required for a growing business
The current threat landscape remains saturated with the tools and means to accomplish these attacks. Specialized meta-search engines, like Shodan, now provide amateur and professional hackers, alike, detailed information on routers and servers connected to the Internet. While the Cisco compromise is unnerving, it demonstrates an evolving trend in how malicious actors will continue to compromise networks in 2016. Cyveillance sees this as yet another warning that exploiting compromised supply chains, weak network security, and/or inadequate asset management is the new frontier for hackers and no longer the realm of state-sponsored actors.