
Russia Capitalizing on Cisco Software Vulnerabilities: Warning Issued by US and UK Authorities


The United States Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and Cisco Talos have jointly warned that a Russia-linked hacking group tracked as Static Tundra (overlapping with the groups known as Berserk Bear and Dragonfly, and attributed to the FSB's Center 16) is actively exploiting CVE-2018-0171, a critical, seven-year-old vulnerability in the Cisco Smart Install (SMI) feature of Cisco IOS and IOS XE software. The flaw allows an unauthenticated remote attacker to execute arbitrary code on the device or cause a denial of service. The campaign primarily targets critical infrastructure sectors such as telecommunications, manufacturing, education, and industrial control systems.

To secure Cisco networking equipment against these ongoing attacks, CISA and related agencies strongly recommend:

  1. Applying the security patch released by Cisco for CVE-2018-0171 immediately on all affected devices to eliminate the vulnerability.
  2. Disabling the Cisco Smart Install (SMI) feature altogether if it is not required, as it is the attack vector for this flaw.
  3. Auditing and monitoring network devices for unauthorized configuration changes, since attackers have been modifying device configs to gain persistent access.
  4. Strengthening network defenses, especially in industrial environments that protect operational technology (OT), by segmenting networks and blocking legacy unencrypted protocols such as SMI and SNMP v1/v2c at segment boundaries, since the attackers abuse these protocols.
  5. Implementing continuous threat monitoring and incident response plans tailored to Industrial Control Systems (ICS) and critical infrastructure sectors based on threat intelligence about Russian state-sponsored cyber espionage activities.
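Steps 2 through 4 above can be checked mechanically against a device's running configuration. The following is an added example (not CISA's, the FBI's, or Cisco's own tooling) that audits a Cisco IOS configuration text for an enabled Smart Install client and SNMP v1/v2c community strings, proposes the IOS commands that close those findings, and diffs the current configuration against a known-good baseline to surface the kind of unauthorized changes the advisory describes. The two configurations are constructed for illustration; real ones would be pulled with `show running-config`.

```python
"""Audit a Cisco IOS running-config for the Smart Install and SNMP exposures
named in the advisory, and diff it against a known-good baseline to spot
unauthorized changes. Added example, not CISA/FBI/Cisco tooling; the sample
configurations below are constructed for illustration."""
import re
from typing import List, Tuple

# Constructed sample: a baseline config captured before the incident window.
BASELINE_CONFIG = """\
hostname edge-sw01
!
no vstack
!
snmp-server community s3cr3t-ro RO 10
snmp-server group NETMON v3 priv
!
line vty 0 4
 transport input ssh
!
end
"""

# Constructed sample: the current config, with the sort of changes an
# intruder makes to keep access (Smart Install re-enabled, an RW community
# added, HTTP and Telnet management turned on).
CURRENT_CONFIG = """\
hostname edge-sw01
!
vstack
!
snmp-server community s3cr3t-ro RO 10
snmp-server community public RW
snmp-server group NETMON v3 priv
!
ip http server
!
line vty 0 4
 transport input ssh telnet
!
end
"""

# 'snmp-server community' always configures SNMP v1/v2c; v3 uses
# 'snmp-server group'/'snmp-server user' instead.
SNMP_COMMUNITY = re.compile(r"^snmp-server community \S+")


def config_lines(cfg: str) -> List[str]:
    """Normalize a config: drop '!' separators and blank lines, keep indentation."""
    out = []
    for line in cfg.splitlines():
        line = line.rstrip()
        if not line or line.startswith("!"):
            continue
        out.append(line)
    return out


def audit_config(cfg: str) -> List[str]:
    """Return findings for the weak settings the advisory calls out."""
    lines = config_lines(cfg)
    findings = []
    # Treat anything short of an explicit 'no vstack' as enabled: on many IOS
    # releases the Smart Install client is on by default, and 'vstack' alone
    # or no line at all both leave the CVE-2018-0171 vector open.
    if "no vstack" not in lines:
        findings.append("Smart Install enabled (no 'no vstack' present): patch and disable")
    for line in lines:
        if SNMP_COMMUNITY.match(line):
            findings.append(f"SNMP v1/v2c community configured: {line}")
    return findings


def remediation(cfg: str) -> List[str]:
    """IOS commands that close the findings; replacing v1/v2c with SNMPv3 is left to the operator."""
    lines = config_lines(cfg)
    cmds = []
    if "no vstack" not in lines:
        cmds.append("no vstack")
    for line in lines:
        if SNMP_COMMUNITY.match(line):
            community = line.split()[2]
            cmds.append(f"no snmp-server community {community}")
    return cmds


def config_diff(baseline: str, current: str) -> Tuple[List[str], List[str]]:
    """(added, removed) lines relative to the baseline, order-insensitive."""
    base, cur = set(config_lines(baseline)), set(config_lines(current))
    return sorted(cur - base), sorted(base - cur)


if __name__ == "__main__":
    for f in audit_config(CURRENT_CONFIG):
        print("FINDING:", f)
    for c in remediation(CURRENT_CONFIG):
        print("FIX:    ", c)
    added, removed = config_diff(BASELINE_CONFIG, CURRENT_CONFIG)
    for line in added:
        print("+", line)
    for line in removed:
        print("-", line)
```

The diff is deliberately order-insensitive so that a re-ordered but otherwise unchanged configuration produces no noise; on a real fleet the baseline should come from configuration backups stored off the device, since an attacker with write access to the device can alter both the running and startup configuration.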

These recommended mitigation actions align with the FBI’s and Cisco’s threat intelligence updates emphasizing prompt patching, feature disablement, and enhanced monitoring to defend against persistent Russian espionage efforts targeting US and allied critical infrastructure.

Organizations are also advised to monitor their networks for signs of unauthorized access or unusual activity on network devices, and to report suspicious activity to the authorities so that it can be correlated with other victims' reports. Keeping up with published threat intelligence and vulnerability disclosures is part of that effort.

Basic hygiene still matters: keeping software current, using strong credentials, and enforcing two-factor authentication on device management interfaces all reduce the attacker's options. The concern with this campaign is that compromised network equipment gives the attackers a foothold in critical infrastructure and access to the sensitive information that crosses it. US and UK authorities are urging organizations to act immediately by applying the latest security patches to their Cisco equipment.

Governments and businesses worldwide must remain vigilant and take proactive measures to secure their systems and data. This includes checking for the published indicators of compromise (IOCs), which help determine whether a device has already been compromised.
