
The Federal Bureau of Investigation (FBI) has warned that hackers linked to Russia's Federal Security Service (FSB) are targeting critical infrastructure organizations in attacks exploiting a 7-year-old vulnerability in Cisco devices.

The FBI's public service announcement states that the state-backed hacking group, linked to the FSB's Center 16 unit and tracked as Berserk Bear (also known as Blue Kraken, Crouching Yeti, Dragonfly, and Koala Team), has been targeting Cisco networking devices using CVE-2018-0171 exploits to breach organizations worldwide.

Successful exploitation of CVE-2018-0171, a critical vulnerability in the Smart Install feature of Cisco IOS and Cisco IOS XE software, can allow unauthenticated threat actors to remotely trigger a reload of unpatched devices, potentially resulting in a denial-of-service (DoS) condition or enabling the attackers to execute arbitrary code on the targeted system.

"In the past year, the FBI detected the actors collecting configuration files for thousands of networking devices associated with US entities across critical infrastructure sectors. On some vulnerable devices, the actors modified configuration files to enable unauthorized access to those devices," the FBI said.

"The actors used the unauthorized access to conduct reconnaissance in the victim networks, which revealed their interest in protocols and applications commonly associated with industrial control systems."

The same hacking group has previously targeted the networks of US state, local, territorial, and tribal (SLTT) government organizations and aviation entities over the past decade.

Admins urged to patch as soon as possible

Cisco, which first detected attacks targeting the CVE-2018-0171 flaw in November 2021, updated its advisory on Wednesday, urging administrators to secure their devices against ongoing attacks as soon as possible.

Cisco Talos, the company's cybersecurity division, said that the Russian threat group it tracks as Static Tundra has been aggressively exploiting CVE-2018-0171 in this campaign to compromise unpatched devices belonging to telecommunications, higher education, and manufacturing organizations across North America, Asia, Africa, and Europe.

The attackers were also observed using custom SNMP tooling that enables them to gain persistence on compromised devices and evade detection for years, as well as the SYNful Knock firmware implant, first observed in 2015 by FireEye.

"The threat extends beyond Russia's operations — other state-sponsored actors are likely conducting similar network device compromise campaigns, making comprehensive patching and security hardening critical for all organizations," Cisco Talos added.

"Threat actors will continue to abuse devices which remain unpatched and have Smart Install enabled."
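As an added, defender-side example (not from the article, the FBI, or Cisco), the check below audits a saved IOS running-config for the two conditions the article ties together: Smart Install left enabled, and SNMP settings that would let a remote actor read or modify configuration. It assumes, from general Cisco knowledge rather than the article, that Smart Install is disabled by the global command `no vstack` and is otherwise on by default on affected releases; the sample config, hostname, and community strings are constructed.

```python
import re

# Constructed sample of a Cisco IOS running-config excerpt (not taken from the article).
SAMPLE_CONFIG = """\
version 15.2
hostname core-sw-01
!
snmp-server community public RO
snmp-server community private RW
!
ip ssh version 2
!
end
"""

RW_COMMUNITY = re.compile(r"^snmp-server community (\S+)\s+RW\b", re.IGNORECASE)
ANY_COMMUNITY = re.compile(r"^snmp-server community (\S+)", re.IGNORECASE)


def audit_config(config_text: str) -> dict:
    """Audit one saved running-config for the conditions the article warns about.

    Assumption (general Cisco knowledge, not stated in the article): on affected
    IOS/IOS XE releases the Smart Install client is on by default and is turned
    off with the global command `no vstack`, so a config lacking that line is
    reported as Smart Install enabled.
    """
    lines = [ln.strip() for ln in config_text.splitlines()]
    smart_install_enabled = "no vstack" not in lines
    rw_communities, default_communities = [], []
    for ln in lines:
        if m := RW_COMMUNITY.match(ln):
            rw_communities.append(m.group(1))  # write access: config can be changed via SNMP
        if (m := ANY_COMMUNITY.match(ln)) and m.group(1).lower() in ("public", "private"):
            default_communities.append(m.group(1))  # well-known, guessable strings
    findings = []
    if smart_install_enabled:
        findings.append("Smart Install enabled: patch for CVE-2018-0171 or add 'no vstack'")
    for c in rw_communities:
        findings.append(f"SNMP community '{c}' grants RW: review or remove")
    for c in default_communities:
        findings.append(f"SNMP community '{c}' is a default/guessable string")
    return {
        "smart_install_enabled": smart_install_enabled,
        "snmp_rw_communities": rw_communities,
        "snmp_default_communities": default_communities,
        "findings": findings,
    }


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG)["findings"]:
        print(finding)
```

Run it over configs pulled from a config backup system to get a per-device list of devices that still expose the Smart Install client or weak SNMP settings.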
