FBI, DHS, and UK cyber agency warn of Russia internet attack that targets routers


#1

Originally published at: https://boingboing.net/2018/04/16/russia-cyberattacks.html


#2

Like they needed additional motivation??


#3

Some very fine people on both sides… especially those Russian hookers, hoo boy! Bladders the size of watermelons and a talent for aiming just right. Brought a copy of Forbes for the big finish.

hmmmm, suddenly my wi-fi router is humming the Russian national anthem…


#4

The Kremlin has not commented.


#5

Y’all remember this one?

Or this one?

Or this one?

Someday there will be a Russia story without obvious American hypocrisy. But not today.


…says the Mail, while uncritically repeating obvious US/UK propaganda.


#6

Past claims of this nature have turned out to be mostly lies with a few hunches thrown in.


#7

Somebody just got a big fat pay raise:


#8

early in the day?

Note the STUNNING collapse from 16 Apr to 17 April


#9

Seems likely.

So which day had the 2,000% increase?


#10

What are these graphs? Trump’s tweets?


#11

taken from hamilton68.

use with whatever quantity of salt you most think appropriate


#12

Yup.


#13

Americans idiots. фотошоп Clinton arm-wrestle devil and change vote Trump.


#14

What the Reuters reporting leaves out is that the agencies didn’t just say that the Russians are doing this stuff.

They produced a technical advisory document setting out what they think has been happening and providing advice for IT departments on how to stop it.

Anyone who knows enough about this stuff care to take a look and let us know whether it’s worth the paper it’s not printed on?


#15

I see the flaw in your reasoning. It’s okay if The Good GuysTM do it!


#16

I get the impression that the Russians are pulling the Bart Simpson response:

Ididn’tdoitnobodysawmedoityoucan’tproveanything


#17

Seems legit.

Systems Affected

  • Generic Routing Encapsulation (GRE) Enabled Devices
  • Cisco Smart Install (SMI) Enabled Devices
  • Simple Network Management Protocol (SNMP) Enabled Network Devices

Overview

The targets of this activity are primarily government and private-sector organisations, critical infrastructure providers, and the Internet service providers (ISPs) supporting these sectors. This report contains technical details on the tactics, techniques, and procedures (TTPs) used by Russian state-sponsored cyber actors to compromise victims. Victims were identified through a coordinated series of actions between U.S. and international partners.

This report builds on previous DHS reporting and advisories from the United Kingdom, Australia, and the European Union. This report contains indicators of compromise (IOCs) and contextual information regarding observed behaviours on the networks of compromised victims. FBI and the NCSC have high confidence that Russian state-sponsored cyber actors are using compromised routers to conduct man-in-the-middle attacks to support espionage, extract intellectual property, maintain persistent access to victim networks, and potentially lay a foundation for future offensive operations.

It’s the kind of stuff that should have been locked down years ago, but it always is. Telnet, TFTP, incoming UDP packets with spoofed IP addresses, smh.

The U.S. Department of Homeland Security (DHS), Federal Bureau of Investigation (FBI), and the UK National Cyber Security Centre (NCSC, which is GCHQ’s ‘cyber’ division) today said that hackers supported by Russia are gearing up for a series of digital attacks.

I didn’t see anything in the report with recent events, just reporting on an effort that’s been going on for years. “Gearing up” is a safe claim, I guess.


#18

There’s a definite sense of “Please listen to us this time before someone actually does something nasty with all this stuff and we look really stupid”.

DHS, FBI, and the NCSC urge readers to act on past alerts and advisories issued by
the US and UK Governments, allied governments, network device manufacturers,
and private-sector security organisations. Elements from these alerts and advisories
have been selected and disseminated in a wide variety of security news outlets and
social media platforms. The current state of US and UK network devices—coupled
with a Russian government campaign to exploit these devices—threatens the safety,
security, and economic well-being of the United States and the United Kingdom.

i.e. “we keep banging on about this and none of you do anything!”

I get a mental image of a bunch of people at GCHQ saying “I didn’t join the cyber-ninja squad to fix people’s routers.”

Yes, the report is quite clear (and the chap from GCHQ they had on the BBC this morning was even clearer).

Whoever is doing this is already in place. It’s a case of locking them out of access they already have. They don’t seem to be doing anything with the access at the moment except using it to gain more access to other systems (which is kinda bad enough).

I can’t imagine what the reaction would be to an MOD report which said that “Oh yes, Russian special forces are set up in bivvies at all our ports, military installations and nuclear power stations. They’ve been in place for a few years now, it’s a bit of nuisance actually. You can tell when they’re there because they keep leaving their samovars all over the place and the snow on their boots makes the floors slippy. Never mind though, just change the locks and they’ll go away.”


#19

I have to read it for my job, anyway, so let me see here… well, setting aside the comically over the top Russian scaremongering, it’s all good advice.

It says patch your systems up to date, use a firewall to prevent known exploitable protocols reaching you from the Internet, never use equipment default passwords or dictionary passwords, turn off Telnet and TFTP everywhere, heavily restrict and monitor SNMP and keep it inside your firewall if you choose to use it at all, set up GRE tunnels so they aren’t vulnerable to exploits from 18 years ago, turn off SMI everywhere, buy an IDS and use it to monitor network device configuration changes (I recommend Heasley’s excellent RANCiD instead) and be aware that spear phishing is a thing. The newest thing this paper is warning about is an attack on Cisco SMI that has been in the wild since 2016.

It does specifically mention some ostensibly Russian IP addresses that were scanning for vulnerabilities in the above list - 87.120.41.3 (Bulgaria), 80.255.3.85 (Germany), 91.207.57.69 (England), 176.223.111.160 (Switzerland), and 210.245.123.180 (Viet Nam) - which is the only usefully specific new information in the entire paper.

So if you had SNMP, Telnet, SMI, or GRE vulnerabilities between 2016 and now, your routing infrastructure configuration (potentially including passwords) has probably been downloaded by one of the above addresses, therefore if you were grossly incompetent during that period, you should probably get new routers and put new passwords on them.
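As an added example (not from the advisory or from anyone in this thread), here is a small audit script that scans a Cisco IOS-style running config for the weak settings the two posts above list: Telnet on the VTY lines, TFTP, Smart Install (SMI), default or unrestricted SNMP communities, reversible enable passwords, and GRE tunnels to double-check. Both configs are constructed; the IOS command syntax is assumed from Cisco documentation, and the "no vstack" check treats the absence of that line as a finding because Smart Install is on by default on many Catalyst platforms.

```python
"""Audit a Cisco IOS-style config for the weak settings the advisory flags.
The sample configs are constructed for this example, not from any device."""
import re

# Constructed "before" config showing the settings the advisory warns about.
WEAK_CONFIG = """\
hostname edge-rtr-1
enable password cisco
service tftp-server
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 transport input telnet ssh
 login local
interface Tunnel0
 tunnel mode gre ip
"""

# Constructed "after" config following the advisory's recommendations.
HARDENED_CONFIG = """\
hostname edge-rtr-1
enable secret 5 $1$placeholder-hash
no service tftp-server
no vstack
snmp-server community Gk3xQ9 RO SNMP-MGMT
line vty 0 4
 transport input ssh
 login local
"""

DEFAULT_COMMUNITIES = {"public", "private"}
SNMP_RE = re.compile(r"snmp-server community (\S+)\s*(RO|RW)?(?:\s+(\S+))?$")


def audit_config(text):
    """Return (severity, finding) tuples for each weak setting in the config."""
    findings = []
    lines = [ln.strip() for ln in text.splitlines()]
    if "no vstack" not in lines:  # Smart Install is enabled unless explicitly disabled
        findings.append(("medium", "Smart Install not disabled; add 'no vstack'"))
    for s in lines:
        if s.startswith("enable password"):  # reversible (type 0/7); use 'enable secret'
            findings.append(("high", "enable password in use; use 'enable secret'"))
        if s.startswith("service tftp-server"):
            findings.append(("high", "TFTP server enabled; add 'no service tftp-server'"))
        if s.startswith("transport input") and "telnet" in s.split():
            findings.append(("high", "Telnet permitted on VTY; use 'transport input ssh'"))
        if s.startswith("tunnel mode gre"):
            findings.append(("info", "GRE tunnel present; restrict endpoints with an ACL"))
        m = SNMP_RE.match(s)
        if m:
            community, mode, acl = m.groups()
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append(("high", f"default SNMP community '{community}'"))
            if mode == "RW":
                findings.append(("high", f"read-write SNMP community '{community}'"))
            if acl is None:
                findings.append(("medium", f"SNMP community '{community}' has no access-list"))
    return findings
```

Run it over `show running-config` output; an empty result means none of the listed settings were found, not that the device is fully hardened.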


#20

But, but how will I access my MUDs? :slight_smile: