Dark Reading discusses how DragonFly, a malicious Russian actor targeting US and UK critical infrastructure, is using a Cisco router vulnerability to compromise its targets:
Researchers from Cylance this month revealed that they recently discovered that the group had hacked a core Cisco router on the network of Vietnam’s largest oil-rig manufacturer, a state-owned entity, in order to steal user credentials and ultimately infiltrate energy firms in the UK in March of 2017. The Cisco router that was abused was an “end of life” network device that ultimately gave the attackers an attack vector to target energy firms, according to Cylance. DragonFly used the stolen credentials as phishing lures to attack energy sector entity targets in the UK.
But there are several missing pieces of the attack puzzle, according to Cylance: including just how the router was hacked and how exactly that got the attackers to their targets in the UK.
Kevin Livelli, director of threat intelligence at Cylance, says it’s also unclear whether the oil rig manufacturer was a supplier to the UK targets or not. Such a connection might explain how it chose those targets, but Cylance found no such direct connection in its research.
“This is a piece of a larger campaign that we’re reporting on here,” Livelli says. “We found a decoy document embedded in one of the hashes in malware samples in our continued research into this group. We could tell those decoy documents were being targeted at folks in the energy sector in the UK.”
This sounds like an interesting campaign to follow, even if the Cisco exploit is not necessarily a major vulnerability in current and up-to-date versions of their router operating system.
The attackers use valid administrator credentials, an indication the attacks are being carried out either by insiders or people who have otherwise managed to get hold of the highly sensitive passwords required to update and make changes to the Cisco hardware. Short for ROM Monitor, ROMMON is the means for booting Cisco’s IOS operating system. Administrators use it to perform a variety of configuration tasks, including recovering lost passwords, downloading software, or in some cases running the router itself. In an advisory published Wednesday, company officials wrote:
“In all cases seen by Cisco, attackers accessed the devices using valid administrative credentials and then used the ROMMON field upgrade process to install a malicious ROMMON. Once the malicious ROMMON was installed and the IOS device was rebooted, the attacker was able to manipulate device behavior. Utilizing a malicious ROMMON provides attackers an additional advantage because infection will persist through a reboot.”
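One check a network team can run against the persistence technique Cisco describes: compare the ROMMON version and boot image that each router reports in `show version` against a known-good baseline and alert on any drift. This is an added example, not code from Cisco or the Ars Technica article; the device names, version strings and `show version` excerpts below are constructed for illustration.

```python
"""Added example: flag IOS devices whose reported ROM monitor (ROMMON) version
or boot image differs from a known-good baseline. The 'show version' excerpts
and baseline values are constructed samples, not output from real devices."""
import re

# Constructed sample of the first lines of 'show version' from two routers.
# The "ROM:" line reports the running ROMMON; the "System image file" line
# reports which IOS image was booted.
SHOW_VERSION = {
    "edge-rtr-1": """\
Cisco IOS Software, 1841 Software (C1841-ADVIPSERVICESK9-M), Version 15.1(4)M12a, RELEASE SOFTWARE (fc1)
ROM: System Bootstrap, Version 12.3(8r)T8, RELEASE SOFTWARE (fc1)
edge-rtr-1 uptime is 3 days, 2 hours, 11 minutes
System image file is "flash:c1841-advipservicesk9-mz.151-4.M12a.bin"
""",
    "edge-rtr-2": """\
Cisco IOS Software, 1841 Software (C1841-ADVIPSERVICESK9-M), Version 15.1(4)M12a, RELEASE SOFTWARE (fc1)
ROM: System Bootstrap, Version 12.3(8r)T9, RELEASE SOFTWARE (fc1)
edge-rtr-2 uptime is 0 minutes
System image file is "flash:c1841-advipservicesk9-mz.151-4.M12a.bin"
""",
}

# Constructed baseline: what each device is expected to run (hypothetical values).
BASELINE = {
    "edge-rtr-1": {"rommon": "12.3(8r)T8", "image": "flash:c1841-advipservicesk9-mz.151-4.M12a.bin"},
    "edge-rtr-2": {"rommon": "12.3(8r)T8", "image": "flash:c1841-advipservicesk9-mz.151-4.M12a.bin"},
}

ROM_RE = re.compile(r"^ROM: System Bootstrap, Version (\S+),", re.M)
IMAGE_RE = re.compile(r'^System image file is "([^"]+)"', re.M)


def parse_show_version(text):
    """Extract the ROMMON version and boot image path from 'show version' text."""
    rom = ROM_RE.search(text)
    img = IMAGE_RE.search(text)
    return {"rommon": rom.group(1) if rom else None,
            "image": img.group(1) if img else None}


def check_device(name, text, baseline):
    """Return a list of findings for one device; an empty list means it matches its baseline."""
    seen = parse_show_version(text)
    expected = baseline[name]
    findings = []
    for field in ("rommon", "image"):
        if seen[field] != expected[field]:
            findings.append(f"{name}: {field} is {seen[field]!r}, expected {expected[field]!r}")
    return findings


def audit(outputs, baseline):
    """Run check_device over every captured output and collect all findings."""
    findings = []
    for name, text in outputs.items():
        findings.extend(check_device(name, text, baseline))
    return findings


if __name__ == "__main__":
    for finding in audit(SHOW_VERSION, BASELINE):
        print("ALERT", finding)
```

A ROMMON version that changed without a scheduled upgrade, especially on a device whose uptime just reset, is the signal to investigate. The caveat: the implant controls what the device reports, so a sufficiently careful one can present the expected string. Treat the baseline diff as a trigger, and complement it with an on-device hash of the IOS image (`verify /md5 flash:<image>` against the vendor-published hash) and with the change and authentication logs that show who used the administrative credentials.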
Networking giant Cisco Systems said it will acquire OpenDNS, a Web security company in which it had invested, for $635 million.
OpenDNS is probably best known for its free service that allows Web users to point their computers’ or routers’ Domain Name Service settings to its own network for the purpose of filtering content and preventing malware attacks. Founded in 2005, it attracted 65 million customers.
It has since expanded into services aimed at helping large companies protect their networks, delivering network security by way of a software-as-a-service subscription and combining its capabilities with those of other security companies like FireEye. Its customers include Netflix, the chip maker Nvidia and the energy company BP.
Congrats to David Ulevitch (@davidu) and his team on the acquisition. David is a great guy and OpenDNS is an awesome service.
The common default key was apparently inserted into the software, Fisher reported, for “support reasons.”
The second vulnerability on the same set of virtual appliances is “a preinstalled set of SSH host keys that allow access to communication secured by those keys,” Cisco’s security team warned in the advisory. These keys are used to protect appliance-to-appliance communications. “Because all deployments of WSAv or ESAv use the same set of default SSH host keys, accessing any of the private keys on a single deployment could allow an attacker to decrypt communication on WSAv, ESAv, or SMAv,” the advisory stated. “An attacker with possession of compromised keys, who is able to intercept traffic between the WSAv or ESAv and a host it is communicating with, would be able to decrypt the communication with a man-in-the-middle attack.”
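The condition the advisory describes, every deployment presenting the same SSH host key, is easy to detect from the outside: fingerprint the host keys of your appliances and look for fingerprints that appear on more than one host. The following is an added example, not Cisco's code or anything from the advisory; it consumes lines in the `host keytype base64blob` format that `ssh-keyscan` prints, and the three entries embedded below are constructed stand-ins, not real appliance keys.

```python
"""Added example: find SSH host keys shared across several hosts. Input lines use
the 'host keytype base64blob' format produced by ssh-keyscan. The sample scan is
constructed for illustration; the blobs are not real public keys."""
import base64
import hashlib
from collections import defaultdict


def _blob(tag: bytes) -> str:
    # Stand-in for a real public key blob (constructed, not a real key).
    return base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + tag).decode()


# Constructed sample scan (hypothetical hostnames). Two hosts present the identical key.
SCAN_LINES = [
    f"wsa-1.example.internal ssh-rsa {_blob(b'constructed-key-A')}",
    f"esa-1.example.internal ssh-rsa {_blob(b'constructed-key-A')}",
    f"bastion.example.internal ssh-rsa {_blob(b'constructed-key-B')}",
]


def fingerprint(b64_blob: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + base64(sha256(raw key bytes)) without '=' padding."""
    raw = base64.b64decode(b64_blob)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_scan(lines):
    """Yield (host, keytype, fingerprint) for each well-formed scan line; skip comments and junk."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        host, keytype, blob = parts[0], parts[1], parts[2]
        yield host, keytype, fingerprint(blob)


def shared_host_keys(lines):
    """Map fingerprint -> sorted hosts, keeping only fingerprints presented by more than one host."""
    by_key = defaultdict(set)
    for host, keytype, fp in parse_scan(lines):
        by_key[(keytype, fp)].add(host)
    return {fp: sorted(hosts) for (keytype, fp), hosts in by_key.items() if len(hosts) > 1}


if __name__ == "__main__":
    for fp, hosts in shared_host_keys(SCAN_LINES).items():
        print(f"{fp} shared by {', '.join(hosts)}")
```

In practice, produce the input with `ssh-keyscan -t rsa,ecdsa,ed25519 host1 host2 ... > scan.txt` and feed the file's lines to `shared_host_keys`. Any fingerprint that shows up on two hosts you did not deliberately cluster behind one key is a finding: whoever holds that private key can impersonate or intercept every host on the list. The fix is per-appliance host keys, followed by updating every `known_hosts` entry or other pin that still trusts the old shared one.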