FBI: Russian Hackers Exploit 7-Year-Old Cisco Security Flaw

Summary
– The FBI warns that Russian state-backed hackers are exploiting a 7-year-old Cisco vulnerability to target critical infrastructure organizations.
– The hacking group, linked to Russia’s FSB and known as Berserk Bear, uses CVE-2018-0171 to breach devices and gain unauthorized access.
– Attackers have collected configuration files from thousands of US entities and modified them to enable persistent unauthorized access.
– The group conducts reconnaissance on victim networks, focusing on protocols and applications tied to industrial control systems.
– Cisco and the FBI urge immediate patching, as the threat extends globally and other state-sponsored actors may conduct similar campaigns.
The FBI has issued an alert about ongoing attacks on critical infrastructure by Russian state-sponsored hackers. The threat actors are actively exploiting a seven-year-old vulnerability in Cisco networking equipment, targeting organizations worldwide in sectors including telecommunications, education, and industrial manufacturing.
According to the FBI, a hacking group associated with Russia’s Federal Security Service (FSB), tracked under names including Berserk Bear and Dragonfly, is leveraging a flaw tracked as CVE-2018-0171. The vulnerability lies in the Smart Install feature of certain Cisco IOS and IOS XE software versions, which listens on TCP port 4786. An unauthenticated remote attacker who sends a crafted Smart Install message can force the device to reload, causing a denial of service, or execute arbitrary code on it.
In the past year, the agency observed these actors harvesting configuration files from thousands of U.S. networking devices. In some cases, they altered these files to maintain persistent access. The group used this foothold to perform reconnaissance, showing particular interest in systems and protocols tied to industrial control environments.
The group has a long track record. Over the last decade it has also targeted U.S. state and local governments, tribal organizations, and aviation networks.
Cisco originally issued a warning about attacks exploiting this vulnerability in late 2021. This week, the company reinforced its advisory, urging all administrators to apply available patches immediately. Cisco’s Talos intelligence unit attributes the current campaign to a group it identifies as Static Tundra, which has been aggressively compromising devices across North America, Asia, Africa, and Europe.
The attackers use custom SNMP tooling to maintain long-term access to compromised devices while avoiding detection. They have also been linked to SYNful Knock, a router implant built on a modified Cisco IOS image that was first identified in 2015.
Cisco emphasized that the risk is not limited to Russian operatives: other state-aligned groups are likely running similar operations, so every organization should prioritize patching and harden device configurations. Unpatched devices that still have Smart Install enabled remain attractive targets.
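The two checks a practitioner would want after reading the paragraphs above are whether Smart Install (the CVE-2018-0171 surface) and writable SNMP communities are still present in a device's configuration, and whether a configuration has drifted from a trusted baseline in the way the FBI describes (modified files, new credentials). The script below is an added example, not code from the article, Cisco, or the FBI; it works on exported IOS/IOS XE text, and both sample configurations in it are constructed. The facts it relies on are that only an explicit `no vstack` disables the Smart Install client and that the service listens on TCP/4786; the severity labels and the list of "risky" keywords are the author's assumptions.

```python
"""Audit exported Cisco IOS / IOS XE configurations for the two exposures this
campaign leans on (Smart Install left enabled, SNMP communities usable for
persistence) and diff a current config against a trusted baseline to surface
the kind of modifications the FBI describes. All configs below are constructed
samples, not captures from any real device."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str
    rule: str
    detail: str


# snmp-server community <string> [view <name>] RO|RW [<acl>]
SNMP_COMMUNITY = re.compile(r"^snmp-server community (\S+)(?: view \S+)? (RO|RW)(?: (\S+))?")
WELL_KNOWN_COMMUNITIES = {"public", "private", "cisco"}


def audit_ios_config(config: str) -> list[Finding]:
    lines = [ln.strip() for ln in config.splitlines()]
    findings: list[Finding] = []
    # Only an explicit "no vstack" turns the Smart Install client off; many Catalyst
    # switches run it by default and listen on TCP/4786 (the CVE-2018-0171 surface).
    if "no vstack" not in lines:
        findings.append(Finding("high", "smart-install",
                                "'no vstack' absent: Smart Install client may be listening on TCP/4786"))
    for ln in lines:
        m = SNMP_COMMUNITY.match(ln)
        if not m:
            continue
        community, mode, acl = m.groups()
        if mode == "RW":
            findings.append(Finding("high", "snmp-rw",
                                    f"read-write community '{community}' lets its holder rewrite the config"))
        if community.lower() in WELL_KNOWN_COMMUNITIES:
            findings.append(Finding("medium", "snmp-default", f"well-known community string '{community}'"))
        if acl is None:
            findings.append(Finding("medium", "snmp-no-acl", f"community '{community}' has no source ACL"))
    return findings


NOISE = re.compile(r"^(!|Building configuration|Current configuration|ntp clock-period)")
# Assumed watch-lists: additions that create access or persistence, removals that weaken controls.
RISKY_ADDED = re.compile(r"^(username |enable (secret|password)|snmp-server community |aaa |ip http |tftp-server |archive$|event manager )")
RISKY_REMOVED = re.compile(r"^(no vstack$|logging host |aaa |ip access-list |access-list )")


def config_drift(baseline: str, current: str) -> dict[str, list[str]]:
    """Line-set diff; ordering and interface context are dropped, which is enough
    to catch an added account or community or a deleted 'no vstack'."""
    def normalize(text: str) -> set[str]:
        return {ln.strip() for ln in text.splitlines()
                if ln.strip() and not NOISE.match(ln.strip())}
    base, cur = normalize(baseline), normalize(current)
    return {"added": sorted(cur - base), "removed": sorted(base - cur)}


def suspicious_changes(drift: dict[str, list[str]]) -> list[str]:
    flagged = [f"+ {ln}" for ln in drift["added"] if RISKY_ADDED.match(ln)]
    flagged += [f"- {ln}" for ln in drift["removed"] if RISKY_REMOVED.match(ln)]
    return flagged


# Constructed baseline: Smart Install disabled, read-only SNMP behind an ACL.
BASELINE_CONFIG = """\
!
hostname edge-sw1
!
no vstack
!
snmp-server community m0nitor-only RO 10
access-list 10 permit 192.0.2.0 0.0.0.255
!
username netops privilege 15 secret 9 $9$constructedhash
!
line vty 0 4
 transport input ssh
!
"""

# Constructed "current" config: 'no vstack' gone, an RW community and an extra
# privilege-15 account added, the pattern of persistence the advisory describes.
CURRENT_CONFIG = """\
!
hostname edge-sw1
!
snmp-server community m0nitor-only RO 10
snmp-server community private RW
access-list 10 permit 192.0.2.0 0.0.0.255
!
username netops privilege 15 secret 9 $9$constructedhash
username svc_backup privilege 15 secret 5 $1$constructedhash
!
line vty 0 4
 transport input ssh
!
"""

if __name__ == "__main__":
    for f in audit_ios_config(CURRENT_CONFIG):
        print(f"[{f.severity}] {f.rule}: {f.detail}")
    for change in suspicious_changes(config_drift(BASELINE_CONFIG, CURRENT_CONFIG)):
        print(change)
```

On a live device the equivalent of the first check is `show vstack config`; a client role with Smart Install enabled should be followed by `no vstack` in global configuration on any switch that does not need the feature, in addition to installing the fixed software. The drift check is only as good as the baseline: take it from a known-good configuration archive, not from the device under investigation.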
(Source: Bleeping Computer)

