FBI: Russia-linked group Static Tundra exploits old Cisco flaw for espionage

FBI warns FSB-linked group Static Tundra is exploiting a 7-year-old Cisco IOS/IOS XE flaw to gain persistent access for cyber espionage.

The FBI warns that Russia-linked threat actor Static Tundra exploits Simple Network Management Protocol (SNMP) and end-of-life networking devices running an unpatched vulnerability (CVE-2018-0171) in Cisco Smart Install (SMI) to target organizations in the United States and globally.

CVE-2018-0171 (CVSS score of 9.8) affects the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software. The flaw could be exploited by an unauthenticated, remote attacker to cause a reload of a vulnerable device or to execute arbitrary code on an affected device.

“The Federal Bureau of Investigation (FBI) is warning the public, private sector, and international community of the threat posed to computer networks and critical infrastructure by cyber actors attributed to the Russian Federal Security Service’s (FSB) Center 16.” reads the alert issued by the FBI. “The FBI detected Russian FSB cyber actors exploiting Simple Network Management Protocol (SNMP) and end-of-life networking devices running an unpatched vulnerability (CVE-2018-0171) in Cisco Smart Install (SMI) to broadly target entities in the United States and globally.”

Static Tundra is a Russia-linked threat actor, attributed to the FSB’s Center 16 unit, that has been active for over a decade. The cyber espionage group specializes in compromising network devices for long-term intelligence gathering operations.

Over the past year, the FBI observed FSB’s Center 16, aka Berserk Bear/Dragonfly, collecting configs from thousands of U.S. critical infrastructure devices. The hackers altered some configs for backdoor access and reconnaissance, showing interest in ICS-related protocols. Active for over a decade, they exploit weak legacy protocols (SMI, SNMP v1/v2) and deploy tools like the Cisco “SYNful Knock” malware.

According to Talos researchers, victims are primarily based in Ukraine and allied countries.

“The group actively exploits a seven-year-old vulnerability (CVE-2018-0171), which was patched at the time of the vulnerability publication, in Cisco IOS software’s Smart Install feature, targeting unpatched and end-of-life network devices to steal configuration data and establish persistent access.” reads a report published by Cisco Talos.

“Primary targets include organizations in telecommunications, higher education and manufacturing sectors across North America, Asia, Africa and Europe, with victims selected based on their strategic interest to the Russian government.”

Static Tundra exploits unpatched Cisco IOS/IOS XE devices via CVE-2018-0171 and weak SNMP strings to gain persistent access, exfiltrate configs, and support long-term espionage. Using bespoke tools, SYNful Knock implants, and GRE tunnels, they prioritize stealth, persistence, and intelligence gathering.

SYNful Knock is a modular, stealthy router firmware backdoor that ensures persistence, evades detection, and uses non-standard packets for authentication. The backdoor was first detailed in 2015 by Mandiant.

“Static Tundra has been observed modifying TACACS+ configuration on compromised devices, hindering remote logging capabilities. Static Tundra also modifies access control lists (ACLs) to permit access from specific IP addresses or ranges under their control.” continues Talos’s report. “Static Tundra likely uses publicly-available scan data from services such as Shodan or Censys to identify systems of interest. Once inside a target environment, Static Tundra relies heavily on native commands, such as “show cdp neighbors”, to reveal additional systems of interest within the target environment. This presents a relatively stealthy way to identify further targets without the need for active scanning.”

Cisco recommends that organizations apply security updates for CVE-2018-0171 or disable Smart Install as a temporary mitigation.
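A defender-side configuration audit that checks a Cisco IOS/IOS XE running-config for the weaknesses and post-compromise changes described above: Smart Install left enabled, weak or unrestricted SNMP v1/v2c community strings, unexpected tunnel interfaces, removed TACACS+ accounting and newly permitted ACL sources. This is an added example, not code from Cisco, Talos or the FBI; both configs are constructed, and it assumes Cisco's published workaround command `no vstack` as the way Smart Install is disabled.

```python
import re

# Constructed sample configs (not from any real device): a known-good baseline and
# the current running-config of the same router.
BASELINE = """\
no vstack
snmp-server community S3cretRO RO 10
aaa accounting exec default start-stop group tacacs+
tacacs server LOG1
access-list 10 permit 10.0.0.0 0.0.0.255
"""
CURRENT = """\
snmp-server community public RO
snmp-server community S3cretRO RO 10
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 10 permit 198.51.100.77
interface Tunnel0
 tunnel destination 203.0.113.5
"""
WEAK_COMMUNITIES = {"public", "private", "cisco"}

def audit(config, baseline=None):
    lines = [l.rstrip() for l in config.splitlines()]
    findings = []
    # 1. Smart Install: Cisco's workaround is 'no vstack'; without it the SMI client may
    #    still listen on TCP 4786 (CVE-2018-0171 exposure if the image is unpatched).
    if "no vstack" not in lines:
        findings.append("smart-install: 'no vstack' missing")
    for l in lines:
        # 2. SNMP v1/v2c community strings (SNMPv3 uses snmp-server group/user instead).
        if m := re.match(r"snmp-server community (\S+) (RO|RW)(?: (\S+))?$", l):
            comm, mode, acl = m.groups()
            if comm.lower() in WEAK_COMMUNITIES:
                findings.append(f"snmp: well-known community '{comm}' ({mode})")
            if acl is None:
                findings.append(f"snmp: community '{comm}' not restricted by an ACL")
        # 3. Tunnel interfaces (IOS tunnels default to GRE over IP).
        elif l.startswith("interface Tunnel"):
            findings.append(f"tunnel: {l.split()[1]} present; confirm it is sanctioned")
    # 4. Drift against the baseline: dropped TACACS+/accounting/syslog lines (log
    #    suppression) and newly added ACL permit entries (attacker-controlled sources).
    if baseline is not None:
        base = set(baseline.splitlines())
        for l in sorted(base - set(lines)):
            if l.startswith(("aaa accounting", "tacacs", "logging host")):
                findings.append(f"logging: removed '{l}'")
        for l in sorted(set(lines) - base):
            if re.match(r"(ip )?access-list .*permit", l):
                findings.append(f"acl: added '{l}'")
    return findings
```

Run `audit(CURRENT, BASELINE)` against a saved baseline from your own change-control system; a clean device with the baseline applied returns an empty list.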

Cisco’s Talos also published Indicators of Compromise (IOCs) for this campaign.


Pierluigi Paganini

(SecurityAffairs – hacking, Static Tundra)