Dark Reading discusses how DragonFly, a malicious Russian actor targeting US and UK critical infrastructure, is using a Cisco router vulnerability to compromise its targets:
Researchers from Cylance this month revealed that they recently discovered that the group had hacked a core Cisco router on the network of Vietnam’s largest oil-rig manufacturer, a state-owned entity, in order to steal user credentials and ultimately infiltrate energy firms in the UK in March of 2017. The Cisco router that was abused was an “end of life” network device that ultimately gave the attackers an attack vector to target energy firms, according to Cylance. DragonFly used the stolen credentials as phishing lures to attack energy sector entity targets in the UK.
But there are several missing pieces of the attack puzzle, according to Cylance: including just how the router was hacked and how exactly that got the attackers to their targets in the UK.
Kevin Livelli, director of threat intelligence at Cylance, says it’s also unclear whether the oil rig manufacturer was a supplier to the UK targets or not. Such a connection might explain how it chose those targets, but Cylance found no such direct connection in its research.
“This is a piece of a larger campaign that we’re reporting on here,” Livelli says. “We found a decoy document embedded in one of the hashes in malware samples in our continued research into this group. We could tell those decoy documents were being targeted at folks in the energy sector in UK.”
This sounds like an interesting campaign to follow, even if the Cisco exploit is not necessarily a major vulnerability in current, up-to-date versions of Cisco's router operating system.